Chapter 11 IPsec VPN for FortiOS 5.0 : Transparent mode VPNs : Configure the VPN peers
Configure the VPN peers
1. The local VPN peer needs to operate in transparent mode.
To determine whether your FortiGate unit is in transparent mode, go to System > Dashboard > Status and look at the System Information widget. Select [change] next to Operation Mode, then select Transparent. Two new fields appear for the Management IP/Netmask and the Default Gateway.
In transparent mode, the FortiGate unit is invisible to the network. All of its interfaces are on the same subnet and share the same IP address. You only have to configure a management IP address so that you can make configuration changes.
The remote VPN peer may operate in NAT mode or transparent mode.
2. At the local FortiGate unit, define the phase 1 parameters needed to establish a secure connection with the remote peer. See “Auto Key phase 1 parameters”. Select Advanced and enter these settings in particular:
Remote Gateway
Select Static IP Address.
IP Address
Type the IP address of the public interface to the remote peer. If the remote peer is a FortiGate unit running in transparent mode, type the IP address of the remote management interface.
Advanced
Select Nat-traversal, and type a value into the Keepalive Frequency field. These settings protect the headers of encrypted packets from being altered by external NAT devices and ensure that NAT address mappings do not change while the VPN tunnel is open. For more information, see “NAT traversal” and “NAT keepalive frequency”.
3. Define the phase 2 parameters needed to create a VPN tunnel with the remote peer. See “Phase 2 parameters”. Select the set of phase 1 parameters that you defined for the remote peer. The name of the remote peer can be selected from the Static IP Address list.
4. Define the source and destination addresses of the IP packets that are to be transported through the VPN tunnel. See “Defining policy addresses”. Enter these settings in particular:
For the originating address (source address), enter the IP address and netmask of the private network behind the local peer (for the management interface, for example, 10.10.10.0/24). This address needs to be a range to allow traffic from your network through the tunnel. Optionally, select any for this address.
For the remote address (destination address), enter the IP address and netmask of the private network behind the remote peer (for example, 192.168.10.0/24). If the remote peer is a FortiGate unit running in transparent mode, enter the IP address of the remote management interface instead.
5. Define an IPsec security policy to permit communications between the source and destination addresses. See “Defining VPN security policies”. Enter these settings in particular:
Local Interface
Select the local interface to the internal (private) network.
Local Protected Subnet
Select the source address that you defined in Step 4.
Outgoing VPN Interface
Select the interface to the edge router. When you configure the IPsec security policy on a remote peer that operates in NAT mode, you select the public interface to the external (public) network instead.
Remote Protected Subnet
Select the destination address that you defined in Step 4.
VPN Tunnel
Select Use Existing and select the name of the phase 2 tunnel configuration that you created in Step 3 from the drop-down list.
Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.
6. Place the policy in the policy list above any other policies having similar source and destination addresses.
7. Define another IPsec security policy to permit communications between the source and destination addresses in the opposite direction. This security policy and the previous one form a bi-directional policy pair. See “Defining VPN security policies”. Enter these settings in particular:
Local Interface
Select the interface to the edge router. When you configure the IPsec security policy on a remote peer that operates in NAT mode, you select the public interface to the external (public) network instead.
Local Protected Subnet
Select the destination address that you defined in Step 4.
Outgoing VPN Interface
Select the local interface to the internal (private) network.
Remote Protected Subnet
Select the source address that you defined in Step 4.
VPN Tunnel
Select Use Existing and select the name of the phase 2 tunnel configuration that you created in Step 3 from the drop-down list.
Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.
8. Repeat this procedure at the remote FortiGate unit to create bidirectional security policies. Use the local interface and address information local to the remote FortiGate unit.
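The following is an added worked example, not part of the handbook, showing Steps 1 through 7 on the local (transparent mode) peer as one FortiOS CLI configuration rather than the GUI clicks described above. Everything in it is constructed for illustration: the interface names internal and wan1, the object and tunnel names, the management address 10.10.10.1, the 10.10.10.0/24 and 192.168.10.0/24 subnets (chosen to match the Step 4 examples), the remote peer address 203.0.113.2 (a documentation address), the existing policy id 10, and the pre-shared key placeholder. The keyword names are assumed from the FortiOS 5.0 policy-based IPsec CLI; confirm them on your own unit with `?` inside each config branch before use. Note one difference from the GUI: in the CLI the policy's vpntunnel setting names the phase 1 definition, whereas the GUI step above selects the phase 2 tunnel name. Lines beginning with # are explanatory comments and are not typed into the CLI.

```fortios
# Added example: CLI equivalent of Steps 1-7 on the local transparent-mode peer.
# All names, addresses and ids below are constructed for illustration.

# Step 1: transparent mode with a management IP (all interfaces share one subnet).
config system settings
    set opmode transparent
    set manageip 10.10.10.1/255.255.255.0
end
# Default gateway for the management address (assumed next hop 10.10.10.254).
config router static
    edit 1
        set gateway 10.10.10.254
        set device "wan1"
    next
end

# Step 2: phase 1 to a static remote gateway with NAT traversal and keepalive.
config vpn ipsec phase1
    edit "to_remote_peer"
        set type static
        set interface "wan1"                  # physical port toward the edge router
        set remote-gw 203.0.113.2             # remote peer's public interface, or its
                                              # management IP if it is also transparent
        set nattraversal enable
        set keepalive 10                      # NAT keepalive frequency in seconds
        set psksecret ENTER_PRESHARED_KEY     # placeholder, replace before use
    next
end

# Step 3: phase 2 bound to the phase 1 above.
config vpn ipsec phase2
    edit "to_remote_peer_p2"
        set phase1name "to_remote_peer"
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end

# Step 4: source and destination address objects for the policies.
config firewall address
    edit "local_lan"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "remote_lan"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Steps 5 and 7: the bidirectional IPsec policy pair.
# "set inbound enable" is the CLI form of "Allow traffic to be initiated
# from the remote site"; "set outbound enable" permits the local side to initiate.
config firewall policy
    edit 1
        set srcintf "internal"                # local interface to the private network
        set dstintf "wan1"                    # interface to the edge router
        set srcaddr "local_lan"
        set dstaddr "remote_lan"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "to_remote_peer"        # CLI references the phase 1 name
    next
    edit 2
        set srcintf "wan1"                    # reverse direction of policy 1
        set dstintf "internal"
        set srcaddr "remote_lan"
        set dstaddr "local_lan"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "to_remote_peer"
    next
    # Step 6: place the pair above an existing policy (assumed id 10) whose
    # source and destination addresses overlap with these, so it is matched first.
    move 1 before 10
    move 2 before 10
end
```

For Step 8, the same configuration is entered on the remote FortiGate unit with its own interface names, its management address as the source subnet, and the local peer's address as remote-gw; if the remote peer runs in NAT mode, its phase 1 interface and policy dstintf are its public interface instead of a port toward an edge router. After both sides are configured, the tunnel should only come up for traffic matching the protected subnets on either side; any other traffic crossing the same interfaces keeps falling through to the policies below the pair.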
For more information on transparent mode, see the System Administration Guide handbook chapter.