Posts tagged VPN
Caching is a key component of any system design. Caching allows programs to be lazy by reusing data that has already been accessed. Looking up data takes a lot of work. Think of it this way: someone asks you what the capital of Indonesia is, and you don’t have Google handy. You have to figure out the best reference to look in, probably an encyclopedia, find the proper page, search that page for the entry that corresponds to “Capital”, in this case Jakarta, and relay that information back to the person who asked you. However, five minutes later someone else asks you “what is the capital of Indonesia?” and you simply say “Jakarta.” You’ve cached that data, and are now returning it.
Debugging IPSec VPNs in FortiGate
Debugging what is going wrong with a VPN setup is difficult. The IKE protocol is “chatty”, negotiating back and forth between the two ends for several rounds. The GUI offers little help: the tunnel is either Up or Down. Most of the real debugging happens in the CLI.
One problem in particular that has always bugged me is that you need access to the end machines involved to initiate traffic across the link. The network admin typically doesn’t have direct access to the computers on either side of the VPN in order to initiate that traffic. I’ll show you a method that can be used to initiate traffic from the firewall itself instead.
Having helped a customer set up VPNs for private connectivity to several large (i.e. Fortune 100) companies lately, I’ve really dreaded seeing how NAT has been abused to the extent that it is creating private islands on the Internet and breaking everything from routing to DNS to any future protocol enhancements.
Wow, that’s a mouthful of a title, isn’t it?
When you have a VMForge VDC and control your own area of the FortiGate firewall in front of your VDC, you can set up a secure VPN connection with several different technologies.
If you want to use the built-in VPN client in Windows or Mac OS X without installing any other VPN client software, then L2TP over IPsec is the way to go, although you will need to drop to the CLI of the firewall to complete this setup.