Handbook, version 6.0.0

VPN tunnels

The data path between a user’s computer and a private network through a VPN is referred to as a tunnel. Like a physical tunnel, the data path is accessible only at both ends. In the telecommuting scenario, the tunnel runs between the FortiClient application on the user’s PC (or a FortiGate unit or other network device) and the FortiGate unit on the office private network.

Encapsulation makes this possible. IPsec packets pass from one end of the tunnel to the other and contain the data packets that are exchanged between the local user and the remote private network. Encryption of the data packets ensures that any third party who intercepts the IPsec packets cannot access the data.

[Figure: Encoded data going through a VPN tunnel]
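The encapsulation described above, as an added illustrative example that is not Fortinet's code and not FortiGate's implementation: a simplified ESP tunnel-mode envelope (outer addresses, SPI, sequence number, nonce, then AES-GCM ciphertext and tag, modelled on RFC 4303/4106) with a constructed key and constructed addresses in place of the values IKE would negotiate. It shows what a third party on the path can read from an intercepted packet (endpoints, SPI and sequence number only) and that a modified or replayed packet is dropped at the far end.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const nonceSize = 12 // standard AES-GCM nonce length

// Tunnel is the per-direction state of one simplified ESP tunnel-mode endpoint:
// the SPI that identifies the security association, the outbound sequence
// counter, the highest authenticated inbound sequence number, and the AEAD
// built from a key that a real gateway would obtain from IKE.
type Tunnel struct {
	SPI           uint32
	Seq           uint32 // last sequence number sent
	lastRecv      uint32 // last sequence number accepted (simplified anti-replay, no window)
	aead          cipher.AEAD
	Local, Remote net.IP
}

func NewTunnel(spi uint32, key []byte, local, remote net.IP) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{SPI: spi, aead: aead, Local: local, Remote: remote}, nil
}

// Encapsulate wraps a complete inner packet (the data packet exchanged between
// the user and the private network) in the outer envelope:
// [src IPv4][dst IPv4][SPI][seq][nonce][ciphertext||tag].
// SPI and sequence number stay in clear but are authenticated as AAD, so a
// tampered header fails verification along with a tampered payload.
func (t *Tunnel) Encapsulate(inner []byte) ([]byte, error) {
	t.Seq++
	out := make([]byte, 16+nonceSize)
	copy(out[0:4], t.Local.To4())
	copy(out[4:8], t.Remote.To4())
	binary.BigEndian.PutUint32(out[8:12], t.SPI)
	binary.BigEndian.PutUint32(out[12:16], t.Seq)
	if _, err := rand.Read(out[16 : 16+nonceSize]); err != nil {
		return nil, err
	}
	nonce := append([]byte(nil), out[16:16+nonceSize]...)
	aad := append([]byte(nil), out[8:16]...)
	return t.aead.Seal(out, nonce, inner, aad), nil
}

// Decapsulate checks SPI and replay, then authenticates and decrypts. The
// replay counter only advances after the tag verifies, so a forged packet
// cannot poison it.
func (t *Tunnel) Decapsulate(outer []byte) ([]byte, error) {
	if len(outer) < 16+nonceSize+t.aead.Overhead() {
		return nil, errors.New("truncated packet")
	}
	if binary.BigEndian.Uint32(outer[8:12]) != t.SPI {
		return nil, errors.New("unknown SPI")
	}
	seq := binary.BigEndian.Uint32(outer[12:16])
	if seq <= t.lastRecv {
		return nil, errors.New("replayed sequence number")
	}
	inner, err := t.aead.Open(nil, outer[16:16+nonceSize], outer[16+nonceSize:], outer[8:16])
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	t.lastRecv = seq
	return inner, nil
}

// ObserverView is everything a third party on the path can read from an
// intercepted packet: tunnel endpoints, SPI, sequence number and the size of
// the opaque encrypted part.
func ObserverView(outer []byte) string {
	return fmt.Sprintf("%s -> %s spi=%#x seq=%d encrypted=%d bytes",
		net.IP(outer[0:4]), net.IP(outer[4:8]),
		binary.BigEndian.Uint32(outer[8:12]), binary.BigEndian.Uint32(outer[12:16]),
		len(outer)-16-nonceSize)
}

func main() {
	key := make([]byte, 16) // constructed demo key; a real SA key comes from IKE
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed endpoint addresses (documentation ranges), one Tunnel per direction.
	a, _ := NewTunnel(0x1001, key, net.ParseIP("203.0.113.10"), net.ParseIP("198.51.100.1"))
	b, _ := NewTunnel(0x1001, key, net.ParseIP("198.51.100.1"), net.ParseIP("203.0.113.10"))
	inner := []byte("constructed inner packet: 10.0.0.5 -> 192.168.1.20 payroll query")
	pkt, _ := a.Encapsulate(inner)
	fmt.Println("on the wire :", ObserverView(pkt))
	got, err := b.Decapsulate(pkt)
	fmt.Printf("far end     : %q err=%v\n", got, err)
	_, err = b.Decapsulate(pkt) // same packet again
	fmt.Println("replayed    :", err)
	pkt2, _ := a.Encapsulate([]byte("second packet"))
	pkt2[len(pkt2)-1] ^= 1 // flip one ciphertext/tag bit in transit
	_, err = b.Decapsulate(pkt2)
	fmt.Println("tampered    :", err)
}
```

Both endpoints are constructed with the same key and SPI because the example models a single security association; a real IPsec deployment uses a separate SA (and key) per direction, and ESP's anti-replay uses a sliding window rather than the single counter shown here.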

You can create a VPN tunnel between:

  • A PC equipped with the FortiClient application and a FortiGate unit
  • Two FortiGate units
  • Third-party VPN software and a FortiGate unit
    For more information on third-party VPN software, refer to the Fortinet Knowledge Base.

Tunnel templates

Several tunnel templates are available in the IPsec VPN Wizard that cover a variety of different types of IPsec VPN. A list of these templates appears on the first page of the Wizard, located at VPN > IPsec Wizard. The tunnel template list follows.

IPsec VPN Wizard options (columns: VPN Type, Remote Device Type, NAT Options, Description)

Site to Site
  • FortiGate. NAT Options: No NAT between sites; This site is behind NAT; The remote site is behind NAT. Static tunnel between this FortiGate and a remote FortiGate.
  • Cisco. NAT Options: No NAT between sites; This site is behind NAT; The remote site is behind NAT. Static tunnel between this FortiGate and a remote Cisco firewall.

Remote Access (Client-based)
  • FortiClient VPN for OS X, Windows, and Android. NAT Options: N/A. On-demand tunnel for users using the FortiClient software.
  • Cisco. NAT Options: N/A. On-demand tunnel for users using the Cisco IPsec client.

Remote Access (Native)
  • iOS Native. NAT Options: N/A. On-demand tunnel for iPhone/iPad users using the native iOS IPsec client.
  • Android Native. NAT Options: N/A. On-demand tunnel for Android users using the native L2TP/IPsec client.
  • Windows Native. NAT Options: N/A. On-demand tunnel for Windows users using the native L2TP/IPsec client.

Custom
  • Remote Device Type: N/A. NAT Options: N/A. No template.

Note: Cisco's VPN Client has reached its End-of-Life/End-of-Support as of July 30, 2016, and has been replaced by Cisco AnyConnect Secure Mobility Client.

Note: In FortiOS 5.6.4+, the first step of the VPN Creation Wizard (VPN > IPsec Wizard) delineates the Remote Device Type (for Remote Access templates) between Client-based and Native in order to distinguish FortiClient and Cisco device options from native OS device options.

VPN tunnel list

Once you create an IPsec VPN tunnel, it appears in the VPN tunnel list at VPN > IPsec Tunnels. By default, the tunnel list indicates the name of the tunnel, its interface binding, the tunnel template used, and the tunnel status. If you right-click on the table header row, you can include columns for comments, IKE version, mode (aggressive vs main), phase 2 proposals, and reference number. The tunnel list page also includes the option to create a new tunnel, as well as the options to edit or delete a highlighted tunnel.

FortiView VPN tunnel map

A geospatial map can be found under FortiView > VPN Map to help visualize IPsec (and SSL) VPN connections to a FortiGate using Google Maps. This feature adds a geographical-IP API service for resolving spatial locations from IP addresses.