Fortinet Document Library
Version: 5.4.0

Configuring a full mesh VPN topology within a VPN console

This example shows how to configure a simple full mesh VPN with:

  • Three FortiGate (FGT) devices
  • A pre-shared key for authentication
  • An auto-up tunnel setting
  • Static routes
To configure a full mesh VPN topology within a VPN console:
  1. Add FortiGate devices and map all interfaces:
    1. Go to Device Manager. Add three FortiGate devices by clicking Add Device. Follow the wizard to add each device.
    2. Go to Policy & Objects > Policy Packages and define the Zone interfaces.
    3. Go to Device Manager and select a device.
    4. Go to System: Interface and map the interfaces to the Zone interfaces.
  2. Create firewall addresses for protected subnets:
    1. Go to Policy & Objects > Object Configurations > Firewall Objects > Address to manage the firewall addresses.
    2. VPNs only support firewall addresses with the type set to subnet (IP/Netmask). The firewall addresses will be used as protected subnets to generate static routes among the FortiGate devices.
  3. Create a VPN community:
    1. Go to VPN Manager > VPN Community list > Create New.
    2. Set the VPN Topology type to Full Meshed.

    3. Define the Authentication method with a Pre-shared Key.
    4. Specify the encryption and hash methods.

    5. After defining the authentication methods and encryption properties, click Next.
    6. Configure the VPN Phase 1 and Phase 2 settings.

    7. For the IPSec Phase 2 setting, set the tunnel to Auto-Negotiate.

      1. Optionally, under Advanced Options, set the IKE version to 2. IKE version 2 is required in order to use IPv6 over the tunnels.

      VPN configuration summary:

  4. Add a VPN gateway:
    1. Go to VPN Manager > VPN Community.
    2. In the content pane, from the Create New menu, select Managed Gateway.
    3. Add a Protected Network. There can be more than one protected network.

    4. Select a Device.

    5. Select a Default VPN Interface. The default VPN interface should have a valid IP and be mapped.

      1. Optionally, specify the Local Gateway. This option can be left blank in most cases.

    6. Go to Routing and select Automatic to generate static routes.

      1. If Manual is selected, go to the Device Manager to set the IP on the relevant IPSec interfaces and define the routes manually.

      VPN gateway configuration settings summary:

  5. Create firewall policies:
    1. Go to Policy & Objects > Policy Package to create policies among the default VPN zones and protected-subnet interfaces.
    2. Use the Install On option to restrict which FortiGate devices a policy is installed on.

    3. Remember to create policies for bi-directional traffic.
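The following is an added illustration, not FortiManager's own code, of what the procedure above produces for three devices: one tunnel per device pair, a static route on each device for every protected subnet of each peer, and a policy in each direction. Device names, WAN addresses and subnets are constructed sample data.

```python
"""Plan a full-mesh IPsec VPN among FortiGate devices: one tunnel per device pair,
a static route per peer protected subnet, and a policy in each direction.
Constructed example data; not FortiManager's own code."""
from itertools import combinations
import ipaddress

# Constructed inventory: device name -> (WAN IP used as remote gateway, protected subnets).
DEVICES = {
    "FGT-A": ("203.0.113.1", ["10.1.0.0/24"]),
    "FGT-B": ("203.0.113.2", ["10.2.0.0/24", "10.2.1.0/24"]),
    "FGT-C": ("203.0.113.3", ["10.3.0.0/24"]),
}

def validate_subnets(devices):
    """VPN Manager only accepts subnet-type (IP/Netmask) addresses; reject others early."""
    for name, (_, subnets) in devices.items():
        for s in subnets:
            if "/" not in s:
                raise ValueError(f"{name}: {s} is not an IP/Netmask subnet")
            ipaddress.ip_network(s, strict=True)  # raises if host bits are set

def build_full_mesh(devices):
    """Return per-device tunnels, static routes and bidirectional policies."""
    validate_subnets(devices)
    plan = {name: {"tunnels": [], "routes": [], "policies": []} for name in devices}
    for a, b in combinations(sorted(devices), 2):       # each device pair exactly once
        for local, peer in ((a, b), (b, a)):            # both ends of the pair
            tun = f"vpn_{local}_{peer}"
            plan[local]["tunnels"].append(
                {"name": tun, "remote_gw": devices[peer][0], "auto_negotiate": True})
            for subnet in devices[peer][1]:              # route each peer subnet via the tunnel
                plan[local]["routes"].append({"dst": subnet, "device": tun})
            # Policies for traffic in both directions; "Install On" is this device only.
            plan[local]["policies"].append({"srcintf": "lan", "dstintf": tun,
                "srcaddr": devices[local][1], "dstaddr": devices[peer][1]})
            plan[local]["policies"].append({"srcintf": tun, "dstintf": "lan",
                "srcaddr": devices[peer][1], "dstaddr": devices[local][1]})
    return plan

def tunnel_count(plan):
    """Total tunnel endpoints; a full mesh of n devices has n*(n-1) of them."""
    return sum(len(d["tunnels"]) for d in plan.values())
```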
Note

For further FortiManager information, refer to the Administration Guides available in the Fortinet Document Library.
