When central VPN management is enabled, you can use the VPN Manager pane to configure IPsec VPN settings that you can install to one or more devices. The settings are stored as objects in the objects database. You can then select the objects in policies for policy packages on the Policy & Objects pane. You install the IPsec VPN settings to one or more devices by installing the policy package to the devices.
You must enable central VPN management to access the settings on the VPN Manager > IPsec VPN pane. However, you can access the settings on the VPN Manager > SSL-VPN pane without enabling central VPN management. See Enabling central VPN management.
You can also configure VPN settings directly on a FortiGate by using Device Manager, and the configuration is stored in the device database. When you create a VPN configuration by using VPN Manager, FortiManager copies the VPN configuration from the objects database to the device database before installing the configuration to FortiGates. In addition, FortiManager checks for differences between the configuration in the device database and the configuration on FortiGate. If any differences are found, FortiManager only installs the configuration differences to FortiGate. This process helps avoid conflicts.
If you are using both Device Manager and VPN Manager to configure VPN settings, you should avoid using Device Manager to modify the settings created by VPN Manager, because when installing a policy package again, the settings from VPN Manager will override the previous changes to those settings from Device Manager. Device Manager should only be used to create or modify VPN configurations that are not created by VPN Manager.
To create IPsec VPN settings:
- Enable central VPN management. See Enabling central VPN management.
- Create a VPN community, sometimes called a VPN topology. See Creating IPsec VPN communities.
- Create a managed gateway. See Creating managed gateways.
To create SSL-VPN settings:
- Create custom profiles. See Creating SSL VPN portal profiles.
Alternately, you can skip this step, and use the default portal profiles.
- Add an SSL VPN to a device, and select a portal profile. See Creating SSL VPNs.
To install VPN objects to devices:
- Plan the VPN security policies. See VPN security policies.
- In a policy package, create VPN security policies, and select the VPN settings. See Creating policies.
- Edit the installation targets for the policy package to add all of the devices onto which you want to install the policy defined VPN settings. See Policy package installation targets.
- Install the policy package to the devices. See Install a policy package.