nikolaj
New Member
February 2, 2017
Solved

IPSEC IN to OUT


Hello,

I am not very practiced with FortiGate and I am analyzing the company firewall policies, so I would like to know the meaning of the policies in the attached file.

The direction of the policies is IN >> OUT

Thank you

--

Nicola

    Best answer by MikePruett

    You only need a policy to allow traffic from the initiator. So if devices behind FortiGate A are going to be initiating traffic you would have

    FortiGate A: INSIDE to VPN policy for traffic to flow

    FortiGate B: VPN to INSIDE policy for traffic to come through

    From there the reverse traffic will come back due to the session tables knowing they are the return traffic to that initial communication.
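To illustrate the point in the best answer (one policy in the initiator's direction is enough because the session table admits the return traffic), here is an added Python model of stateful policy evaluation; it is not code from this thread or from Fortinet, and the interface names, subnets, addresses and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

def _in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

@dataclass
class FortiGate:
    routes: dict                 # constructed static routes: CIDR -> egress interface
    policies: list               # (srcintf, dstintf, srcaddr CIDR, dstaddr CIDR), all "accept"
    sessions: set = field(default_factory=set)  # accepted flows: (src, sport, dst, dport)

    def forward(self, ingress, src, sport, dst, dport):
        # A reply belonging to an existing session passes with no policy lookup:
        # this is why only the initiator's direction needs an explicit policy.
        if (dst, dport, src, sport) in self.sessions:
            return True
        egress = next((i for c, i in self.routes.items() if _in(dst, c)), None)
        for sintf, dintf, saddr, daddr in self.policies:
            if (sintf, dintf) == (ingress, egress) and _in(src, saddr) and _in(dst, daddr):
                self.sessions.add((src, sport, dst, dport))
                return True
        return False  # implicit deny: no matching policy

def build_lab():
    # Constructed lab: hosts behind A initiate, so A has INSIDE->VPN and B has VPN->INSIDE.
    a = FortiGate({"10.1.0.0/24": "INSIDE", "10.2.0.0/24": "VPN_TO_B"},
                  [("INSIDE", "VPN_TO_B", "10.1.0.0/24", "10.2.0.0/24")])
    b = FortiGate({"10.2.0.0/24": "INSIDE", "10.1.0.0/24": "VPN_TO_A"},
                  [("VPN_TO_A", "INSIDE", "10.1.0.0/24", "10.2.0.0/24")])
    return a, b

def run_flows():
    """Returns (request allowed, reply allowed, B-initiated flow allowed)."""
    a, b = build_lab()
    req = (a.forward("INSIDE", "10.1.0.10", 40000, "10.2.0.20", 443)
           and b.forward("VPN_TO_A", "10.1.0.10", 40000, "10.2.0.20", 443))
    rep = (b.forward("INSIDE", "10.2.0.20", 443, "10.1.0.10", 40000)
           and a.forward("VPN_TO_B", "10.2.0.20", 443, "10.1.0.10", 40000))
    # B-initiated traffic has no INSIDE->VPN policy on B, so it never leaves B.
    rev = b.forward("INSIDE", "10.2.0.20", 50000, "10.1.0.10", 22)
    return req, rep, rev

if __name__ == "__main__":
    print(run_flows())  # (True, True, False)
```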

    1 reply

    MikePruett
    New Member
    February 2, 2017

    Those policies are the policies saying what traffic uses what tunnel.

    Policy based VPNs use that (I prefer interface based) to make traffic traverse.

    With route based (interface based) you would have a route saying where the interesting traffic goes, and then your policy would be inside to IPSEC_INTERFACE_NAME etc.

    nikolaj (Author)
    New Member
    February 3, 2017

    Maybe I understand what you are saying.

    Is it correct to interpret these policies as a permission for client-to-site VPNs from inside the LAN towards remote VPN terminators?

    We have what you call route based (interface based) VPNs, but isn't it a site-to-site VPN (which is a different thing compared to client-to-site)?

    IPSEC_INTERFACE_NAME is a virtual interface that sits on top of the OUTSIDE (real) interface: correct?

    Thank you.

    --

    Nicola

    naama
    New Member
    February 5, 2017

    As it is your first time configuring an IPsec VPN on a FortiGate device, I recommend you take care of the below:

    Phase 1: NAT Traversal must be enabled or disabled on both sides, depending on what the two parties agreed (don't forget the normal config).

    Phase 2: take care that PFS is enabled or disabled on both sides, depending on what the two parties agreed (don't forget the normal config).

    Routing is important to add, and I prefer to add a static route.

    In phase 2 it is clear to add your servers' IPs as the source and the customer servers' IPs as the destination.

    In the policy you have to put the reverse, based on the direction:

    Example: in the policy you add customer IPs as the source, your IPs as the destination.

    But if the direction is "in to out" then the policy will be "your IPs as the source, customer IPs as the destination".

    I hope the above comments give you a clear idea.