VPN
FortiExtender (Standalone) uses IPsec VPN to connect branch offices to each other. It only supports the site-to-site VPN tunnel mode.
An IPsec VPN is established in two phases: Phase 1 and Phase 2.
Several parameters determine how this is done, except for IP addresses, the settings simply need to match at both VPN gateways.
There are defaults that are applicable for most cases.
When a FortiExtender unit receives a connection request from a remote VPN peer, it uses IPsec Phase-1 parameters to establish a secure connection and authenticate that VPN peer. Then, the FortiExtender unit establishes the tunnel using IPsec Phase-2 parameters. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.
To support these functions, the following general configuration steps must be performed on both units:
- Define the Phase-1 parameters that the FortiExtender unit needs to authenticate the remote peer and establish a secure connection.
- Define the Phase-2 parameters that the FortiExtender unit needs to create a VPN tunnel with the remote peer.
- Create firewall policies to control the permitted services and permitted direction of traffic between the IP source and destination addresses.
- Create a route to direct traffic to the tunnel interface.
Currently, FortiExtender only works in VPN client mode, be sure to keep the following limitations in mind when using this feature:
|
This section discusses the following topics: