Administration Guide

Creating and installing the policy package and IPsec template

To pass traffic through the IPsec tunnels between the hub and the branch FortiGate devices, you must define firewall policies that permit it. Because the policies reference normalized interfaces and address objects with per-device mappings, a single Branches policy package serves every branch. When you install a policy package, the device settings, including the provisioning templates, are installed at the same time.

To create and install the policy package and IPsec template:
  1. Map the VPN interfaces to a normalized interface object.

  2. Map the LAN interfaces to a LAN object.

  3. Map the WAN interface to a WAN object.

  4. Define the LAN address objects.

  5. Create the branch policy.

  6. Create the HUB policy.

  7. Install the policy packages.

To map VPN interfaces to objects:
  1. In Policy & Objects > Object Configurations > Normalized Interface > Normalized Interface, click Create New.

  2. Enter IPsec as the name of the normalized interface. The branch and hub policies created later in this procedure reference this name.

  3. Under Per-Device Mapping, map the hub FortiGate as follows:

    1. Click Create New.

    2. In Mapped Device, select the hub FortiGate.

    3. In Mapped Interface Name, select VPN1.

    4. Click OK to save.

  4. Under Per-Device Mapping, map the two branch FortiGates as follows:

    1. Click Create New.

    2. In Mapped Device, select the first branch FortiGate.

    3. In Mapped Interface Name, select HUB1-VPN1.

    4. Click OK to save.

    5. Repeat for the other branch FortiGate.

  5. Enter a Change Note and click OK to save.

To map the LAN interfaces to a LAN object:
  1. In Policy & Objects > Object Configurations > Normalized Interface > Normalized Interface, click Create New.

  2. Enter LAN as the name.

  3. Under Per-Device Mapping, click Create New and map the first branch FortiGate as follows:

    1. In Mapped Device, select the first branch FortiGate.

    2. In Mapped Interface Name, enter port4.

    3. Click OK to save.

  4. Repeat the per-device mapping for the other branch FortiGate and for the hub FortiGate.

  5. Enter a Change Note and click OK to save.

To map the WAN interface to a WAN object:
  1. In Policy & Objects > Object Configurations > Normalized Interface > Normalized Interface, click Create New.

  2. Enter WAN as the name.

  3. Under Per-Platform Mapping, click Create New.

    1. In Matched Platform, select your platform if all devices are the same model, or select all.

    2. In Mapped Interface Name, enter port2.

    3. Click OK to save.

  4. Enter a Change Note and click OK to save.

A per-platform mapping acts as the default for every device of that platform; a per-device mapping, where one exists, takes precedence over it.

To define the LAN address objects:
  1. In Policy & Objects > Object Configurations > Firewall Objects > Addresses, go to Create New > Address.

  2. Create each of the following address objects. The IP/Netmask is the value a device receives when it has no per-device mapping; a per-device mapping replaces it on that device.

    • Branch_LAN

      • Name: Branch_LAN

      • IP/Netmask: 172.16.0.0/16

      • Per-Device Mapping:

        • Branch-A: 172.16.1.0/24

        • Branch-B: 172.16.2.0/24

    • HQ_LAN

      • Name: HQ_LAN

      • IP/Netmask: 172.16.0.0/24

  3. Enter a Change Note and click OK to save.

The Branch_LAN default of 172.16.0.0/16 contains HQ_LAN (172.16.0.0/24). Give every branch that receives the Branches policy package its own per-device mapping, so that the policy installed on that branch permits only its own subnet as a source rather than the whole 172.16.0.0/16 range.

To create the branch policy:
  1. In Policy Packages, select the Branches policy package and click Create New.

  2. Set the following values:

     Field                     Value
     Name                      Branch to HQ
     Incoming Interface        LAN
     Outgoing Interface        IPsec
     IPv4 Source Address       Branch_LAN
     IPv4 Destination Address  HQ_LAN
     Action                    Accept

  3. Click OK to save.

To create the HUB policy:
  1. In Policy Packages, select the HUB policy package and click Create New.

  2. Set the following values:

     Field                     Value
     Name                      Branches to HQ
     Incoming Interface        IPsec
     Outgoing Interface        LAN
     IPv4 Source Address       Overlay tunnels
     IPv4 Destination Address  HQ_LAN
     Action                    Accept

  3. Click OK to save.

To install the policy packages:

FortiManager installs one policy package at a time, so install each package in turn to its targets: the Branches package to the branch FortiGates and the HUB package to the hub FortiGate. The IPsec tunnel template configuration is installed together with each policy package, because provisioning templates are part of the device settings.

For more information about installing policies and policy packages, see Install a policy package.
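As an added example (not FortiManager code and not part of this guide), the following Python models what the install step does with the objects defined above: it resolves the IPsec, LAN and WAN normalized interfaces and the Branch_LAN and HQ_LAN address objects for each target device, applying the rule that a per-device mapping takes precedence over a per-platform mapping and that an object with no mapping for a target cannot be installed. It also flags the case where a branch would fall back to the 172.16.0.0/16 default of Branch_LAN. The device names, platform models and the subnet given to the Overlay tunnels object are assumptions made for the example, and the dict layout is not FortiManager's data model.

```python
"""Model of how a FortiManager-style policy package resolves per device.

Example code added to this page; it is not FortiManager code and does not
connect to a FortiManager. Device names, platform models and the
"Overlay tunnels" subnet are constructed values.
"""
import ipaddress

# Constructed inventory: device name -> platform model (assumed values).
DEVICES = {"HUB": "FortiGate-100F", "Branch-A": "FortiGate-60F", "Branch-B": "FortiGate-60F"}

# Normalized interfaces as created in the procedure. Per-device entries take
# precedence; per-platform entries (keyed by model, or "all") are the fallback.
NORMALIZED_INTERFACES = {
    "IPsec": {"per_device": {"HUB": "VPN1", "Branch-A": "HUB1-VPN1", "Branch-B": "HUB1-VPN1"}},
    "LAN": {"per_device": {"HUB": "port4", "Branch-A": "port4", "Branch-B": "port4"}},
    "WAN": {"per_platform": {"all": "port2"}},
}

# Address objects: the IP/Netmask is the default, per-device mappings override it.
ADDRESSES = {
    "Branch_LAN": {"default": "172.16.0.0/16",
                   "per_device": {"Branch-A": "172.16.1.0/24", "Branch-B": "172.16.2.0/24"}},
    "HQ_LAN": {"default": "172.16.0.0/24"},
    # Referenced by the HUB policy but defined elsewhere in the guide; assumed value.
    "Overlay tunnels": {"default": "10.10.0.0/16"},
}

POLICY_PACKAGES = {
    "Branches": {"targets": ["Branch-A", "Branch-B"], "policies": [
        {"name": "Branch to HQ", "srcintf": "LAN", "dstintf": "IPsec",
         "srcaddr": "Branch_LAN", "dstaddr": "HQ_LAN", "action": "accept"}]},
    "HUB": {"targets": ["HUB"], "policies": [
        {"name": "Branches to HQ", "srcintf": "IPsec", "dstintf": "LAN",
         "srcaddr": "Overlay tunnels", "dstaddr": "HQ_LAN", "action": "accept"}]},
}


class InstallError(ValueError):
    """An object used by the package has no mapping for the target device."""


def resolve_interface(name, device):
    """Real interface name on `device`: per-device mapping, else per-platform, else error."""
    entry = NORMALIZED_INTERFACES[name]
    if device in entry.get("per_device", {}):
        return entry["per_device"][device]
    per_platform = entry.get("per_platform", {})
    platform = DEVICES[device]
    if platform in per_platform:
        return per_platform[platform]
    if "all" in per_platform:
        return per_platform["all"]
    raise InstallError(f"normalized interface {name!r} is not mapped for {device} ({platform})")


def resolve_address(name, device):
    """Subnet that address object `name` carries on `device` (override or default)."""
    entry = ADDRESSES[name]
    return ipaddress.ip_network(entry.get("per_device", {}).get(device, entry["default"]))


def check_address_scope(name, device):
    """Names of other address objects contained in `name`'s default on a device that
    has no per-device override. Branch_LAN's default 172.16.0.0/16 contains HQ_LAN,
    so a branch missing its override would match HQ addresses as a source."""
    entry = ADDRESSES[name]
    if device in entry.get("per_device", {}):
        return []
    default = ipaddress.ip_network(entry["default"])
    return [other for other, o in ADDRESSES.items()
            if other != name and ipaddress.ip_network(o["default"]).subnet_of(default)]


def render_package(package_name):
    """Resolve every policy for every install target; raises InstallError on a gap."""
    pkg = POLICY_PACKAGES[package_name]
    rendered = {}
    for device in pkg["targets"]:
        rendered[device] = [{
            "name": p["name"],
            "srcintf": resolve_interface(p["srcintf"], device),
            "dstintf": resolve_interface(p["dstintf"], device),
            "srcaddr": str(resolve_address(p["srcaddr"], device)),
            "dstaddr": str(resolve_address(p["dstaddr"], device)),
            "action": p["action"],
            "warnings": check_address_scope(p["srcaddr"], device),
        } for p in pkg["policies"]]
    return rendered


if __name__ == "__main__":
    for pkg in POLICY_PACKAGES:
        for device, policies in render_package(pkg).items():
            for p in policies:
                print(f"{pkg}->{device}: {p['name']}: {p['srcintf']}/{p['srcaddr']} -> "
                      f"{p['dstintf']}/{p['dstaddr']} {p['action']} warnings={p['warnings']}")
```

Running it prints the resolved policy for each target. Adding a device to DEVICES without a LAN per-device entry makes render_package raise InstallError, which is the same condition (an interface used by the package that is not mapped for the target) that makes a real install fail; WAN still resolves for that device through its per-platform entry.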
