Cookbook 6.2.0

Configuring the VPN manager

Create two overlays, one over the internet connection and one over the MPLS network. This gives each branch two IPsec-protected links to the datacenter, and SD-WAN then steers traffic among those links.

To create a dial-up topology:
  1. Go to VPN Manager > IPsec VPN.
  2. In the toolbar, click Create New. The VPN Topology Setup Wizard is displayed.
    1. Enter a name for the topology, such as OL_INET for the internet overlay or OL_MPLS for the MPLS overlay. Run the wizard once for each overlay.
    2. In the Choose VPN topology section, select Dial up.
    3. Click Next.
  3. Complete the steps in the wizard, and click OK.
  4. After you create the MPLS and INET overlays, select each topology and click Edit. Ensure VPN Zone is disabled.

    Note

    Enabling VPN Zone and setting it to Create Default Zones creates a dynamic interface by default.

    SD-WAN does not support dynamic interfaces, so leave VPN Zone disabled for both overlays.

  5. For information about creating VPN communities, go to the Fortinet Document Library > FortiManager Administration Guide > IPsec VPN Communities > Creating IPsec VPN communities.
To add the branches:
  1. Go to VPN Manager > IPsec VPN.
  2. In the tree menu, select one of the dial-up topologies you created.
  3. In the toolbar, click Create New > Managed Gateway. The VPN Gateway Setup Wizard<Name> is displayed.
    1. Select a Protected Subnet, and click Next.
    2. Set the Role to Spoke and select a branch FortiGate from the dropdown, then click Next.
    3. Proceed through the steps in the wizard, and then click OK.
  4. After you complete the steps in the wizard, select a branch device, and click Edit.

    Configure the following settings for all of the branch devices:

    Property                          Setting
    Enable IP Assignment              Toggle OFF.
    Add Route                         Toggle OFF.
    DHCP                              Toggle OFF.
    Advanced Options > net-device     Toggle OFF.
    Advanced Options > tunnel-search  Select nexthop from the dropdown.

For information about creating gateways, go to the Fortinet Document Library > FortiManager Administration Guide > VPN > IPsec VPN gateways > Creating managed gateways.

To create the hub:
  1. Go to VPN Manager > IPsec VPN.
  2. In the tree menu, select one of the dial-up topologies you created.
  3. In the toolbar, click Create New > Managed Gateway. The VPN Gateway Setup Wizard<Name> is displayed.
    1. Select a Protected Subnet, and click Next.
    2. Set the Role to Hub and select a FortiGate from the dropdown, then click Next.
    3. Proceed through the steps in the wizard, and then click OK.
  4. After you add the hub to both of the overlay communities, select the hub device and click Edit.

    Configure the following settings for the hub in both overlay communities:

    Property                                         Setting
    Peer Type                                        Select Accept any peer ID from the dropdown.
    Enable IKE configuration Method ("mode config")  Toggle OFF.
    DHCP                                             Toggle OFF.
    Advanced Options > net-device                    Toggle OFF.
    Advanced Options > tunnel-search                 Select nexthop from the dropdown.
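As an added example (not Fortinet's code, and not something FortiManager generates), the following Python script audits a FortiGate's `config vpn ipsec phase1-interface` block against the hub and branch tables above, so you can confirm on the device that VPN Manager pushed settings SD-WAN can use. The FortiOS config text embedded in it is constructed for the example: the tunnel names OL_INET and OL_MPLS follow the topology names used above, while the interface names, proposal, address and pre-shared key are placeholders. The mapping of GUI toggles to CLI keywords (Add Route to add-route, Peer Type "Accept any peer ID" to peertype any, IKE configuration method to mode-cfg) is an assumption stated in the code; the "Enable IP Assignment" and "DHCP" toggles are not checked. Because the script only evaluates settings that appear explicitly in the dump, feed it `show full-configuration` output, which prints defaults, rather than `show` output, which omits them.

```python
"""Audit a FortiGate phase1-interface dump against the overlay settings above.

Constructed example: the config text below is made up for illustration, and the
mapping of GUI toggles to CLI keywords is assumed rather than taken from the page:
Add Route -> add-route, Peer Type "Accept any peer ID" -> peertype any,
IKE configuration method -> mode-cfg; net-device and tunnel-search are named
the same in the GUI and the CLI. "Enable IP Assignment" and "DHCP" are not checked.
"""
import re

# Values required by the tables above, keyed by role.
COMMON = {"net-device": "disable", "tunnel-search": "nexthop"}
HUB = {**COMMON, "peertype": "any", "mode-cfg": "disable"}
SPOKE = {**COMMON, "add-route": "disable"}

# Constructed `show full-configuration` excerpt from a hub: OL_INET is correct,
# OL_MPLS carries three settings that break SD-WAN over a dial-up overlay.
SAMPLE_HUB = """\
config vpn ipsec phase1-interface
    edit "OL_INET"
        set type dynamic
        set interface "port1"
        set peertype any
        set net-device disable
        set mode-cfg disable
        set proposal aes256-sha256
        set tunnel-search nexthop
        set psksecret ENC REDACTED
    next
    edit "OL_MPLS"
        set type dynamic
        set interface "port2"
        set peertype one
        set peerid "branch"
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set tunnel-search selectors
        set psksecret ENC REDACTED
    next
end
"""

# Constructed excerpt from a branch (static tunnel pointing at the hub).
SAMPLE_SPOKE = """\
config vpn ipsec phase1-interface
    edit "OL_INET"
        set interface "wan1"
        set peertype any
        set net-device disable
        set add-route disable
        set proposal aes256-sha256
        set tunnel-search nexthop
        set remote-gw 203.0.113.10
        set psksecret ENC REDACTED
    next
end
"""


def parse_phase1(text):
    """Return {tunnel_name: {setting: value}} for the phase1-interface block."""
    tunnels, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase1-interface":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":  # end of the phase1-interface table
            break
        m = re.match(r'edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set (\S+) (.+)$", line)
        if m and current is not None:
            tunnels[current][m.group(1)] = m.group(2).strip('"')
    return tunnels


def audit(tunnels, roles):
    """roles maps tunnel name -> "hub" or "spoke".

    Returns a list of (tunnel, setting, found, wanted); an empty list means the
    dump matches the tables. An absent setting is reported with found=None.
    """
    findings = []
    for name, role in roles.items():
        cfg = tunnels.get(name)
        if cfg is None:
            findings.append((name, "<tunnel>", None, "present"))
            continue
        if role == "hub" and cfg.get("type") != "dynamic":
            findings.append((name, "type", cfg.get("type"), "dynamic"))
        for key, val in (HUB if role == "hub" else SPOKE).items():
            if cfg.get(key) != val:
                findings.append((name, key, cfg.get(key), val))
    return findings


if __name__ == "__main__":
    roles = {"OL_INET": "hub", "OL_MPLS": "hub"}
    for name, key, found, wanted in audit(parse_phase1(SAMPLE_HUB), roles):
        print(f"{name}: {key} is {found!r}, expected {wanted!r}")
```

Run against the constructed hub dump, the script reports nothing for OL_INET and three findings for OL_MPLS (peertype, mode-cfg and tunnel-search), which is exactly the set of deviations that would leave that overlay unusable as an SD-WAN member. Paste a real `show full-configuration` excerpt in place of the sample to audit a managed device.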
