Fortinet FortiGate 4000 User Manual
Page 252
252
Fortinet Inc.
Configuring encrypt policies
IPSec VPN
For information about configuring the remaining policy settings, see
9
Select OK to save the encrypt policy.
To make sure that the encrypt policy is matched for VPN connections, arrange the
encrypt policy above other policies with similar source and destination addresses and
services in the policy list.
VPN Tunnel
Select an Auto Key tunnel for this encrypt policy.
Allow inbound Select Allow inbound to enable inbound users to connect to the source
address.
Allow outbound Select Allow outbound to enable outbound users to connect to the
destination address.
Inbound NAT
The FortiGate unit translates the source address of incoming packets to the
IP address of the FortiGate interface connected to the source address
network. Typically, this is an internal interface of the FortiGate unit.
Inbound NAT makes it impossible for local hosts to see the IP addresses of
remote hosts (hosts located on the network behind the remote VPN
gateway).
Outbound NAT The FortiGate unit translates the source address of outgoing packets to the
IP address of the FortiGate interface connected to the destination address
network. Typically, this is an external interface of the FortiGate unit.
Outbound NAT makes it impossible for remote hosts to see the IP
addresses of local hosts (hosts located on the network behind the local VPN
gateway).
If Outbound NAT is implemented, it is subject to these limitations:
Configure Outbound NAT only at one end of the tunnel.
The end that does not implement Outbound NAT requires an internal to
external policy that specifies the remote external interface as the
Destination (usually a public IP address).
The tunnel, and the traffic within the tunnel, can only be initiated at the end
that implements Outbound NAT.