Ipsec vip – Fortinet 100A User Manual
Page 272
272
01-28007-0068-20041203
Fortinet Inc.
ipsec vip
VPN
ipsec vip
A FortiGate unit can act as a proxy by answering ARP requests locally and forwarding
the associated traffic to the intended destination host over an IPSec VPN tunnel. The
feature is intended to enable IPSec VPN communications between two hosts that
coordinate the same private address space on physically separate networks. The IP
addresses of both the source host and the destination host must be unique. The
ipsec vip command lets you specify the IP addresses that can be accessed at the
remote end of the VPN tunnel. You must configure IPSec virtual IP (VIP) addresses at
both ends of the IPSec VPN tunnel.
Adding an IPSec VIP entry to the VIP table enables a FortiGate unit to respond to
ARP requests destined for remote servers and route traffic to the intended
destinations automatically. Each IPSec VIP entry is identified by an integer. An entry
identifies the name of the FortiGate interface to the destination network, and the IP
address of a destination host on the destination network. Specify an IP address for
every host that needs to be accessed on the other side of the tunnel—you can define
a maximum of 32 IPSec VIP addresses on the same interface.
selector { policy |
wildcard | specify}
Enter the method for choosing
selectors for IKE negotiations:
• Select policy to choose a selector
from a firewall encryption policy. The
VPN tunnel referenced in the firewall
encryption policy will be referenced.
• Select wildcard to disable selector
negotiation for this tunnel. Use this
option to avoid negotiation errors
(such as invalid ID Information) that
may occur during quick mode when
the set of policies between the peers
is not symmetric.
• Select specify to specify the
firewall encryption policy source and
destination IP addresses, ports, and
IP protocol to use for selector
negotiation. When you choose
specify, you must also enter
values for the srcaddr, dstaddr,
protocol, srcport, and dstport
keywords.
policy
All models.
single-source
{disable | enable}
Enable or disable all dialup clients to
connect using the same phase 2
tunnel definition.
disable All models.
srcaddr <name_str>
Enter the name of the firewall source
IP address that corresponds to the
local sender or network behind the
local VPN peer.
You must create the
firewall address before you can select
it here. For more information, see
“Adding firewall policies for IPSec VPN
.
No
default.
All models.
selector
must be set
to
specify.
srcport
<port_integer>
Enter the port number that the local
VPN peer uses to transport traffic
related to the specified service (see
protocol). The srcport range is 1
to 65535. To specify all ports, type 0.
No
default.
All models.
selector
must be set
to
specify.
ipsec phase2 command keywords and variables (Continued)
Keywords and variables
Description
Default
Availability