Fortinet FortiGate 4000 User Manual

Page 252

Fortinet Inc.

IPSec VPN

Configuring encrypt policies

For information about configuring the remaining policy settings, see “Adding firewall policies” on page 194.

9    Select OK to save the encrypt policy.

The policy list is evaluated from the top down and the first policy that matches is applied. To make sure that the encrypt policy is matched for VPN connections, arrange it above other policies with similar source and destination addresses and services in the policy list; if a broader policy (for example an internal to external accept policy with destination address all) sits above it, traffic for the remote network matches that policy instead and never enters the tunnel.

VPN Tunnel       Select the Auto Key tunnel that this encrypt policy uses.

Allow inbound    Select Allow inbound to allow users on the remote (destination)
                 network to initiate connections through the tunnel to the
                 source address.

Allow outbound   Select Allow outbound to allow users on the local (source)
                 network to initiate connections through the tunnel to the
                 destination address.

Inbound NAT      The FortiGate unit translates the source address of incoming
                 packets to the IP address of the FortiGate interface connected
                 to the source address network. Typically, this is an internal
                 interface of the FortiGate unit. With Inbound NAT, local hosts
                 never see the IP addresses of remote hosts (hosts located on
                 the network behind the remote VPN gateway).

Outbound NAT     The FortiGate unit translates the source address of outgoing
                 packets to the IP address of the FortiGate interface connected
                 to the destination address network. Typically, this is an
                 external interface of the FortiGate unit. With Outbound NAT,
                 remote hosts never see the IP addresses of local hosts (hosts
                 located on the network behind the local VPN gateway); all local
                 traffic reaches the remote side from that single address, so
                 the remote gateway cannot apply per-host policies to it.

                 If Outbound NAT is implemented, it is subject to these
                 limitations:
                 •  Configure Outbound NAT only at one end of the tunnel.
                 •  The end that does not implement Outbound NAT requires an
                    internal to external policy that specifies the remote
                    external interface as the Destination (usually a public IP
                    address).
                 •  The tunnel, and the traffic within the tunnel, can only be
                    initiated at the end that implements Outbound NAT.
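As an added illustration that is not part of the manual (the policy names, interface names, addresses and tunnel name below are made up), the following Python model shows the two points made above: why the encrypt policy has to sit above broader policies in a top-down, first-match list, and what the Inbound NAT and Outbound NAT options do to a packet's source address. It also includes a check that reports an encrypt policy shadowed by an earlier policy, which is the condition that silently sends traffic for the remote network in the clear instead of through the tunnel.

```python
"""Model of FortiGate policy-list evaluation for encrypt policies.

Constructed example, not the FortiGate implementation: the policy list
is evaluated from the top and the first matching policy is used. All
names, networks and addresses below are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Policy:
    name: str
    src_intf: str
    dst_intf: str
    src_net: str           # CIDR, e.g. "192.168.1.0/24"
    dst_net: str           # CIDR, "0.0.0.0/0" for the address "all"
    service: str           # "ANY" or a service name such as "HTTP"
    action: str            # "ACCEPT", "DENY" or "ENCRYPT"
    vpn_tunnel: str = ""   # Auto Key tunnel, ENCRYPT policies only
    inbound_nat: bool = False
    outbound_nat: bool = False

    def matches(self, src_intf: str, dst_intf: str,
                src_ip: str, dst_ip: str, service: str) -> bool:
        return (self.src_intf == src_intf and self.dst_intf == dst_intf
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_net)
                and self.service in ("ANY", service))

    def covers(self, other: "Policy") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (self.src_intf == other.src_intf and self.dst_intf == other.dst_intf
                and ipaddress.ip_network(other.src_net).subnet_of(ipaddress.ip_network(self.src_net))
                and ipaddress.ip_network(other.dst_net).subnet_of(ipaddress.ip_network(self.dst_net))
                and self.service in ("ANY", other.service))


def first_match(policies: List[Policy], src_intf: str, dst_intf: str,
                src_ip: str, dst_ip: str, service: str) -> Optional[Policy]:
    """Top-down, first-match evaluation; None means the implicit deny."""
    for p in policies:
        if p.matches(src_intf, dst_intf, src_ip, dst_ip, service):
            return p
    return None


def shadowed_encrypt_policies(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Return (encrypt policy, earlier policy) pairs where the earlier policy
    covers all of the encrypt policy's traffic, so the tunnel is never used."""
    found = []
    for i, p in enumerate(policies):
        if p.action != "ENCRYPT":
            continue
        for earlier in policies[:i]:
            if earlier.covers(p):
                found.append((p.name, earlier.name))
                break
    return found


def translated_source(policy: Policy, direction: str, src_ip: str,
                      interface_ips: dict) -> str:
    """Source address after the policy's NAT options, as the manual describes:
    Inbound NAT  -> IP of the interface on the policy's source network
    Outbound NAT -> IP of the interface on the policy's destination network."""
    if direction == "inbound" and policy.inbound_nat:
        return interface_ips[policy.src_intf]
    if direction == "outbound" and policy.outbound_nat:
        return interface_ips[policy.dst_intf]
    return src_ip


# Constructed example data (assumed interface addresses and networks).
INTERFACE_IPS = {"internal": "192.168.1.1", "external": "203.0.113.10"}

VPN = Policy("to_branch_vpn", "internal", "external",
             "192.168.1.0/24", "10.10.10.0/24", "ANY", "ENCRYPT",
             vpn_tunnel="branch_autokey", outbound_nat=True)
INTERNET = Policy("lan_to_internet", "internal", "external",
                  "192.168.1.0/24", "0.0.0.0/0", "ANY", "ACCEPT")

GOOD_ORDER = [VPN, INTERNET]   # encrypt policy above the broader policy
BAD_ORDER = [INTERNET, VPN]    # encrypt policy shadowed by the broader one

# A local host talking to a host behind the remote VPN gateway.
PACKET = ("internal", "external", "192.168.1.5", "10.10.10.7", "HTTP")


def which_policy(order: List[Policy]) -> str:
    p = first_match(order, *PACKET)
    return p.name if p else "implicit-deny"


if __name__ == "__main__":
    print("good order:", which_policy(GOOD_ORDER))   # to_branch_vpn
    print("bad order: ", which_policy(BAD_ORDER))    # lan_to_internet, sent in the clear
    print("shadowed:  ", shadowed_encrypt_policies(BAD_ORDER))
    print("outbound NAT source:",
          translated_source(VPN, "outbound", "192.168.1.5", INTERFACE_IPS))
```

Running the module shows the same packet reaching the tunnel with the encrypt policy on top and matching the plain accept policy when the order is reversed; `shadowed_encrypt_policies` is the check to run over a policy list after adding or reordering encrypt policies. `translated_source` applies only the option the manual describes for each direction, so with Outbound NAT enabled the remote side sees the external interface address and with Inbound NAT disabled local hosts still see the real remote addresses.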