Creating and installing the policy package and IPsec template
To bring up the IPsec tunnels between the FortiGate devices, the policy packages must contain firewall policies that permit the traffic between the LAN and tunnel interfaces. When you install a policy package, the device settings for the targeted devices (including provisioning templates such as the IPsec template) are installed at the same time.
To create and install the policy package and IPsec template:
To map VPN interfaces to objects:
- In Policy & Objects > Object Configurations > Normalized Interface > Normalized Interface, click Create New.
- Enter a name for the normalized interface (the policies below refer to it as IPsec).
- Under Per-Device Mapping, map the hub FortiGate as follows:
  - Click Create New.
  - In Mapped Device, select the hub FortiGate.
  - In Mapped Interface Name, select VPN1.
  - Click OK to save.
- Under Per-Device Mapping, map the two branch FortiGates as follows:
  - Click Create New.
  - In Mapped Device, select the first branch FortiGate.
  - In Mapped Interface Name, select HUB1-VPN1.
  - Click OK to save.
  - Repeat for the other branch FortiGate.
- Enter a Change Note and click OK to save.
To map the LAN interfaces to a LAN object:
- In Policy & Objects > Object Configurations > Normalized Interface > Normalized Interface, click Create New.
- Name it LAN.
- Under Per-Device Mapping, click Create New.
  - In Mapped Device, select the first branch FortiGate.
  - In Mapped Interface Name, enter port4.
  - Click OK to save.
- Repeat the per-device mapping for the other branch FortiGate and for the hub FortiGate.
- Enter a Change Note and click OK to save.
To map the WAN interface to a WAN object:
- In Policy & Objects > Object Configurations > Normalized Interface > Normalized Interface, click Create New.
- Name it WAN.
- Under Per-Platform Mapping, click Create New.
  - In Matched Platform, select your platform (if all devices are the same model) or select all.
  - In Mapped Interface Name, enter port2.
  - Click OK to save.
- Enter a Change Note and click OK to save.
To define the LAN address objects:
- In Policy & Objects > Object Configurations > Firewall Objects > Addresses, go to Create New > Address.
- Repeat this procedure for each of the following address objects:
  - Branch_LAN
    - Name: Branch_LAN
    - IP/Netmask: 172.16.0.0/16
    - Per-Device Mapping:
      - Branch-A: 172.16.1.0/24
      - Branch-B: 172.16.2.0/24
  - HQ_LAN
    - Name: HQ_LAN
    - IP/Netmask: 172.16.0.0/24
- Enter a Change Note and click OK to save.
To create the branch policy:
- In Policy Packages, select the Branches policy package and click Create New.
- Set the following values:
  Field                      Value
  Name                       Branch to HQ
  Incoming Interface         LAN
  Outgoing Interface         IPsec
  IPv4 Source Address        Branch_LAN
  IPv4 Destination Address   HQ_LAN
  Action                     Accept
- Click OK to save.
To create the HUB policy:
- In Policy Packages, select the HUB policy package and click Create New.
- Set the following values:
  Field                      Value
  Name                       Branches to HQ
  Incoming Interface         IPsec
  Outgoing Interface         LAN
  IPv4 Source Address        Overlay tunnels
  IPv4 Destination Address   HQ_LAN
  Action                     Accept
- Click OK to save.
To install the policy packages:
FortiManager installs only one policy package at a time, so install the Branches package and the HUB package in turn, and confirm that each install task completes without errors before starting the next. The IPsec tunnel template configuration is installed together with the policy package as part of the device settings.
For more information about installing policies and policy packages, see Install a policy package.
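The same objects, policies and installs can be driven through the FortiManager JSON-RPC API instead of the GUI, which is useful when the procedure above has to be repeated for many branches or reviewed as code. The following is an added example, not code from the FortiManager guide. It assumes an ADOM and VDOM named root, a hub device named HUB and branch devices Branch-A and Branch-B, the normalized interface names IPsec/LAN/WAN, a single platform name for the WAN per-platform mapping, and schedule always / service ALL on the policies (the page states none of these). The request bodies follow the FortiManager JSON API field names; the per-platform field name (platform_mapping) is the least certain and should be checked against your version's API reference.

```python
import ipaddress
import json
import ssl
import time
import urllib.request

ADOM = "root"   # assumption: ADOM holding the devices and policy packages
VDOM = "root"   # assumption: VDOM on every mapped FortiGate

HUB, BRANCH_A, BRANCH_B = "HUB", "Branch-A", "Branch-B"   # hub name assumed


def scope(*devices):
    """Per-device mapping scope: one {name, vdom} entry per FortiGate."""
    return [{"name": d, "vdom": VDOM} for d in devices]


def cidr_to_subnet(cidr):
    """'172.16.1.0/24' -> ['172.16.1.0', '255.255.255.0'], the form the address API takes.
    strict=True rejects host bits, so a typo such as 172.16.1.5/24 fails before it is pushed."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(net.network_address), str(net.netmask)]


def normalized_interface(name, per_device=None, per_platform=None):
    """Body for 'add' on /pm/config/adom/<adom>/obj/dynamic/interface."""
    body = {"name": name}
    if per_device:  # {device: physical or tunnel interface}
        body["dynamic_mapping"] = [{"_scope": scope(dev), "local-intf": [intf]}
                                   for dev, intf in per_device.items()]
    if per_platform:  # field name assumed from the JSON API; verify on your version
        body["platform_mapping"] = [{"name": plat, "intf": intf}
                                    for plat, intf in per_platform.items()]
    return body


def address(name, cidr, per_device=None):
    """Body for 'add' on /pm/config/adom/<adom>/obj/firewall/address."""
    body = {"name": name, "subnet": cidr_to_subnet(cidr)}
    if per_device:  # {device: CIDR override}
        body["dynamic_mapping"] = [{"_scope": scope(dev), "subnet": cidr_to_subnet(c)}
                                   for dev, c in per_device.items()]
    return body


def policy(name, srcintf, dstintf, srcaddr, dstaddr):
    """Body for 'add' on /pm/config/adom/<adom>/pkg/<pkg>/firewall/policy.
    schedule/service are not on the page; 'always'/'ALL' is assumed here. Narrow
    'service' to what actually has to cross the tunnel before using this in production."""
    return {"name": name, "srcintf": [srcintf], "dstintf": [dstintf],
            "srcaddr": [srcaddr], "dstaddr": [dstaddr], "action": "accept",
            "schedule": ["always"], "service": ["ALL"]}


def build_objects():
    """Every (url, body) pair from the procedure, in the order it must be created."""
    obj = f"/pm/config/adom/{ADOM}/obj"
    return [
        (f"{obj}/dynamic/interface",
         normalized_interface("IPsec", {HUB: "VPN1", BRANCH_A: "HUB1-VPN1", BRANCH_B: "HUB1-VPN1"})),
        (f"{obj}/dynamic/interface",
         normalized_interface("LAN", {BRANCH_A: "port4", BRANCH_B: "port4", HUB: "port4"})),
        (f"{obj}/dynamic/interface",
         normalized_interface("WAN", per_platform={"FortiGate-60F": "port2"})),  # platform assumed
        (f"{obj}/firewall/address",
         address("Branch_LAN", "172.16.0.0/16", {BRANCH_A: "172.16.1.0/24", BRANCH_B: "172.16.2.0/24"})),
        (f"{obj}/firewall/address", address("HQ_LAN", "172.16.0.0/24")),
        (f"/pm/config/adom/{ADOM}/pkg/Branches/firewall/policy",
         policy("Branch to HQ", "LAN", "IPsec", "Branch_LAN", "HQ_LAN")),
        (f"/pm/config/adom/{ADOM}/pkg/HUB/firewall/policy",
         policy("Branches to HQ", "IPsec", "LAN", "Overlay tunnels", "HQ_LAN")),
    ]


class FortiManager:
    """Minimal stdlib JSON-RPC client; TLS certificate verification stays on."""

    def __init__(self, host):
        self.endpoint = f"https://{host}/jsonrpc"
        self.session = None
        self.ctx = ssl.create_default_context()

    def rpc(self, method, url, data=None):
        params = {"url": url}
        if data is not None:
            params["data"] = data
        req = {"id": 1, "method": method, "params": [params], "session": self.session}
        http = urllib.request.Request(self.endpoint, data=json.dumps(req).encode(),
                                      headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(http, context=self.ctx) as resp:
            reply = json.load(resp)
        result = reply["result"][0]
        if result["status"]["code"] != 0:   # every non-zero code is a failure, stop early
            raise RuntimeError(f"{method} {url}: {result['status']['message']}")
        self.session = reply.get("session", self.session)  # login returns the session here
        return result.get("data")

    def install_package(self, pkg, devices, poll_seconds=5):
        """Install one package and block until its task ends. FortiManager runs one install
        at a time, so the caller must not start the next package before this returns."""
        data = self.rpc("exec", "/securityconsole/install/package",
                        {"adom": ADOM, "pkg": pkg, "scope": scope(*devices), "flags": ["none"]})
        task_id = data["task"]
        while True:
            task = self.rpc("get", f"/task/task/{task_id}")
            if task["percent"] >= 100:
                break
            time.sleep(poll_seconds)
        if task.get("num_err", 0):   # task counters assumed per the task API
            raise RuntimeError(f"install of {pkg} finished with {task['num_err']} error(s)")
        return task


if __name__ == "__main__":
    fmg = FortiManager("fortimanager.example.com")   # hostname and credentials assumed
    fmg.rpc("exec", "/sys/login/user", {"user": "admin", "passwd": "change-me"})
    for url, body in build_objects():
        fmg.rpc("add", url, body)
    fmg.install_package("Branches", [BRANCH_A, BRANCH_B])   # one package at a time
    fmg.install_package("HUB", [HUB])
    fmg.rpc("exec", "/sys/logout")
```

Run it against a lab FortiManager first: build_objects() can be printed and diffed against what the GUI produced before anything is pushed, and install_package refuses to continue to the HUB package if the Branches install task reports errors, which is the check the GUI leaves to the operator.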