Admin Guide (Standalone)

VPN

FortiExtender (Standalone) uses IPsec VPN to connect branch offices to each other. It only supports the site-to-site VPN tunnel mode.

An IPsec VPN is established in two phases: Phase 1 and Phase 2.

Several parameters determine how this is done; apart from the IP addresses, the settings simply need to match at both VPN gateways.

Default values are provided that are suitable for most cases.

When a FortiExtender unit receives a connection request from a remote VPN peer, it uses IPsec Phase-1 parameters to establish a secure connection and authenticate that VPN peer. Then, the FortiExtender unit establishes the tunnel using IPsec Phase-2 parameters. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.

To support these functions, the following general configuration steps must be performed on both units:

  • Define the Phase-1 parameters that the FortiExtender unit needs to authenticate the remote peer and establish a secure connection.
  • Define the Phase-2 parameters that the FortiExtender unit needs to create a VPN tunnel with the remote peer.
  • Create firewall policies to control the permitted services and permitted direction of traffic between the IP source and destination addresses.
  • Create a route to direct traffic to the tunnel interface.

Note

Currently, FortiExtender only works in VPN client mode. Be sure to keep the following limitations in mind when using this feature:

  • If both ends of the VPN tunnel are FortiExtender devices, they must operate in NAT mode and use a static public IP address.
  • If the remote device is not FortiExtender, it must have a static public IP address and can work in VPN server mode.
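
The rule that everything except the addresses must match, together with the client-mode limitations above, is easy to get wrong by hand. The following pre-deployment checker is an added example, not FortiExtender's own code or CLI: it takes two hypothetical gateway definitions (field names, sample addresses and proposals are constructed) and reports Phase-1/Phase-2 mismatches, un-mirrored peer addresses, and a peer that lacks the static public IP the FortiExtender client needs.

```python
from dataclasses import dataclass
# Settings that must be identical on both gateways (everything except the addresses).
PHASE1_KEYS = ("ike_version", "encryption", "hash", "dh_group", "lifetime_sec", "psk")
PHASE2_KEYS = ("encryption", "hash", "pfs_group", "lifetime_sec")

@dataclass
class Gateway:                 # hypothetical model, not a FortiExtender object
    name: str
    is_fortiextender: bool
    local_ip: str              # this gateway's public address
    remote_ip: str             # the address it expects the peer to use
    static_public_ip: bool
    nat_mode: bool
    phase1: dict
    phase2: dict

def compare_phase(label, keys, left, right):
    """Report every key whose value differs; never echo the PSK itself."""
    problems = []
    for key in keys:
        if left.get(key) != right.get(key):
            shown = "<redacted>" if key == "psk" else f"{left.get(key)!r} != {right.get(key)!r}"
            problems.append(f"{label} {key} mismatch: {shown}")
    return problems

def check_pair(a: Gateway, b: Gateway) -> list:
    problems = []
    # Addresses are the one thing that is mirrored rather than equal.
    if a.remote_ip != b.local_ip or b.remote_ip != a.local_ip:
        problems.append("peer addresses are not mirrored between the two gateways")
    problems += compare_phase("phase1", PHASE1_KEYS, a.phase1, b.phase1)
    problems += compare_phase("phase2", PHASE2_KEYS, a.phase2, b.phase2)
    both_fex = a.is_fortiextender and b.is_fortiextender
    for gw, peer in ((a, b), (b, a)):
        if gw.is_fortiextender and not peer.static_public_ip:
            problems.append(f"{peer.name} needs a static public IP to peer with FortiExtender {gw.name}")
        if both_fex and not gw.nat_mode:
            problems.append(f"{gw.name} must run in NAT mode (both ends are FortiExtender)")
    return problems

# Constructed sample: branch (FortiExtender client) to an HQ gateway acting as VPN server.
P1_A = {"ike_version": 2, "encryption": "aes256", "hash": "sha256", "dh_group": 14, "lifetime_sec": 86400, "psk": "example-psk"}
P1_B = dict(P1_A, dh_group=5)          # deliberate Phase-1 mismatch on the HQ side
P2 = {"encryption": "aes256", "hash": "sha256", "pfs_group": 14, "lifetime_sec": 3600}
BRANCH = Gateway("branch-fex", True, "203.0.113.10", "198.51.100.1", True, True, P1_A, P2)
HQ = Gateway("hq-gw", False, "198.51.100.1", "203.0.113.10", False, False, P1_B, P2)
if __name__ == "__main__":
    for p in check_pair(BRANCH, HQ):
        print("PROBLEM:", p)
```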

This section discusses the following topics:
