
Configuring redundant ipsec vpns – Fortinet FortiGate-800 User Manual


254

Fortinet Inc.

Redundant IPSec VPNs

IPSec VPN

Configuring redundant IPSec VPNs

Prior to configuring the VPN, make sure that both FortiGate units have multiple
connections to the Internet. For each unit, first add multiple (two or more) external
interfaces. Then assign each interface to an external zone. Finally, add a route to the
Internet through each interface.

Configure the two FortiGate units with symmetrical settings for their connections to the
Internet. For example, if the remote FortiGate unit has two external interfaces grouped
in one zone, then the local FortiGate unit should have two external interfaces grouped
in one zone. Similarly, if the remote FortiGate has two external interfaces in separate
zones, then the local FortiGate unit should have two external interfaces in separate
zones.

The configuration is simpler if all external interfaces are grouped in one zone, rather
than multiple zones. However, this might not always be possible because of security
considerations or other reasons.

After you define the Internet connections for both FortiGate units, you can configure
the VPN tunnel.

To configure a redundant IPSec VPN

1 Add the phase 1 parameters for up to three VPN connections.
Enter identical values for each VPN connection, with the exception of the Gateway
Name and IP Address. Make sure that the remote VPN peer (Remote Gateway) has a
static IP address.
See “Adding a phase 1 configuration for an AutoIKE VPN” on page 235.

2 Add the phase 2 parameters (VPN tunnel) for up to three VPN connections.
• If the Internet connections are in the same zone, add one VPN tunnel and add the
remote gateways to it. You can add up to three remote gateways.
• If the Internet connections are in separate zones or assigned to unique interfaces,
add a VPN tunnel for each remote gateway entered.
See “Adding a phase 2 configuration for an AutoIKE VPN” on page 240.

3 Add the source and destination addresses.
See “Adding a source address” on page 246.
See “Adding a destination address” on page 247.

4 Add encrypt policies for up to three VPN connections.
• If the VPN connections are in the same zone, add one outgoing encrypt policy; for
example an Internal->External policy. Add the AutoIKE key tunnel to this policy.
• If the VPN connections are in different zones, add a separate outgoing encrypt
policy for each connection. The source and destination of both policies must be the
same. Add a different AutoIKE key tunnel to each policy.
See “Adding an encrypt policy” on page 247.
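The rules in steps 1, 2 and 4 are easy to get wrong when entering three sets of parameters by hand, so the following added example (not Fortinet code, and not tied to any FortiOS CLI syntax) checks a planned set of phase 1 entries against them: identical settings apart from Gateway Name and IP Address, a static IP for every remote gateway, at most three connections, and one tunnel plus one encrypt policy per zone or per gateway depending on how the external interfaces are zoned. The Phase1 class, the parameter names in COMMON and the sample gateway values are all constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

MAX_CONNECTIONS = 3  # the manual allows up to three redundant VPN connections


@dataclass
class Phase1:
    gateway_name: str    # unique per connection
    remote_gateway: str  # remote peer address; must be a static IP, not a hostname
    zone: str            # external zone of the local interface this connection uses
    params: dict         # every other phase 1 setting; must match across connections


def check_phase1_set(entries):
    """Return the rule violations found; an empty list means the set is consistent."""
    problems = []
    if not 1 <= len(entries) <= MAX_CONNECTIONS:
        problems.append(f"expected 1..{MAX_CONNECTIONS} connections, got {len(entries)}")
    names = [e.gateway_name for e in entries]
    if len(set(names)) != len(names):
        problems.append("gateway names must be unique")
    for e in entries:
        try:
            ip_address(e.remote_gateway)
        except ValueError:
            problems.append(f"{e.gateway_name}: remote gateway {e.remote_gateway!r} is not a static IP")
    # Everything except Gateway Name and IP Address must match the first connection.
    for e in entries[1:]:
        ref = entries[0]
        for key in sorted(set(ref.params) | set(e.params)):
            if ref.params.get(key) != e.params.get(key):
                problems.append(f"{e.gateway_name}: phase 1 setting {key!r} differs from {ref.gateway_name}")
    return problems


def plan_tunnels(entries):
    """Zone rule: one tunnel carrying every remote gateway when all connections share a
    zone, otherwise one tunnel per gateway. Each tunnel gets its own outgoing encrypt
    policy, so len(result) is also the number of encrypt policies to add."""
    if len({e.zone for e in entries}) == 1:
        return [("vpn_redundant", [e.gateway_name for e in entries])]
    return [(f"vpn_{e.gateway_name}", [e.gateway_name]) for e in entries]


# Constructed sample: three connections in one zone; gw_isp2 has a stray DH group
# and gw_isp3 was entered as a hostname instead of a static IP.
COMMON = {"mode": "main", "p1_proposal": "3des-sha1", "dh_group": 2, "keylife": 28800}
SAMPLE = [
    Phase1("gw_isp1", "203.0.113.10", "external", dict(COMMON)),
    Phase1("gw_isp2", "198.51.100.20", "external", {**COMMON, "dh_group": 5}),
    Phase1("gw_isp3", "vpn.example.test", "external", dict(COMMON)),
]
```

Running check_phase1_set(SAMPLE) reports the two entry mistakes, and plan_tunnels(SAMPLE) returns a single tunnel holding all three gateways; give the entries different zones and it returns one tunnel per gateway instead.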