FortiManager: Configure a Full Mesh VPN Topology within VPN Console

This is an example of how to configure a simple full mesh VPN with:

  • Three FortiGate (FGT) devices
  • Pre-shared key for authentication
  • Auto-up tunnel setting
  • Static Routes

1. Add FortiGate Devices and Map all Interfaces

Go to Device Manager and add three FortiGate devices by clicking Add Device. Follow the wizard to add each device.

Go to Policy & Objects > Policy Packages and define Zone interfaces.

Go to Device Manager and select a device.

Go to System: Interface and map interfaces to the Zone interfaces.

2. Create Firewall Address for Protected Subnets

Go to Policy & Objects > Object Configurations > Firewall Objects > Address to manage the firewall addresses.

VPN Manager only supports firewall addresses with the type set to Subnet (IP/Netmask). These firewall addresses are used as protected subnets to generate the static routes between the FortiGate devices.

3. Create a VPN Community

Go to VPN Manager > VPN Community list > Create New.

Set the VPN topology type to Full Meshed.

Define the authentication method with a pre-shared key.

Specify encryption and hash methods.

After defining authentication methods and encryption properties, click Next.

Configure VPN Phase 1 and Phase 2 settings.

For the IPSec Phase 2 setting, set the tunnel to Auto-Negotiate.

Optionally, under Advanced Options, set the IKE version. The IKE version must be set to 2 in order to carry IPv6 over the tunnels.

VPN configuration summary:

4. Add VPN Gateway

Go to VPN Manager > VPN Community.

In the content pane, from the Create New menu, select Managed Gateway.

Add a Protected Network. A gateway can have more than one protected network.

Select a Device.

Select a default VPN interface. The default VPN interface must have a valid IP address and must be mapped to a Zone interface.

Optionally, specify the local gateway. This option can be left blank in most cases.

Under Routing, select Automatic to generate the static routes.
If Manual is selected, go to Device Manager, set the IP addresses on the relevant IPsec interfaces, and define the routes manually.

VPN gateway configuration settings summary:

5. Create Firewall Policies

Go to Policy & Objects > Policy Packages to create policies among the default VPN zones and protected-subnet interfaces.

Use the Install-On option to restrict each policy to the specific FortiGate devices it applies to.

Do not forget to create policies for bi-directional traffic.
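The objects that steps 2 to 5 produce follow directly from the topology choice: a full mesh of N gateways needs one tunnel per pair, Automatic routing gives each gateway one static route per peer protected subnet, and step 5 needs a policy in each direction per tunnel. The following Python script is an added example, not FortiManager code, that plans those objects for a constructed set of three FortiGates; the device names, addresses and the tunnel naming convention are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from itertools import combinations


@dataclass(frozen=True)
class Gateway:
    """One managed gateway (step 4): the FortiGate, its default VPN interface
    address, and the firewall addresses it protects (step 2)."""
    name: str
    vpn_interface_ip: str
    protected: tuple  # firewall addresses of type Subnet, written "IP/Netmask"


def validate_protected(addr: str) -> IPv4Network:
    """VPN Manager only accepts firewall addresses of type Subnet (IP/Netmask).
    Reject ranges, FQDNs and bare hosts before they reach the topology."""
    if "-" in addr or "/" not in addr:
        raise ValueError(f"{addr!r} is not an IP/Netmask subnet address")
    # strict=True refuses host bits, e.g. 10.1.1.5/24, so the route is a true subnet
    return ip_network(addr, strict=True)


def tunnel_name(local: str, peer: str) -> str:
    # Constructed naming convention for this example only; FortiManager names
    # the IPsec interfaces it generates itself.
    return f"{local}_to_{peer}"


def full_mesh_tunnels(gateways):
    """Full Meshed topology (step 3): one tunnel per pair of gateways,
    N*(N-1)/2 tunnels in total, each terminated on both devices."""
    return [(a.name, b.name) for a, b in combinations(gateways, 2)]


def automatic_static_routes(gateways):
    """Routing = Automatic (step 4): each gateway gets one static route per
    protected subnet of every peer, pointing out the tunnel to that peer."""
    by_name = {g.name: g for g in gateways}
    routes = {g.name: [] for g in gateways}
    for a, b in full_mesh_tunnels(gateways):
        for local, peer in ((a, b), (b, a)):
            for subnet in by_name[peer].protected:
                routes[local].append((str(validate_protected(subnet)), tunnel_name(local, peer)))
    return routes


def bidirectional_policies(gateways, lan_zone="protected", vpn_zone="vpn"):
    """Step 5: for every tunnel, one policy in each direction between the
    protected-subnet zone and the VPN zone, with Install-On limited to the
    local device so no other FortiGate receives it."""
    by_name = {g.name: g for g in gateways}
    policies = []
    for a, b in full_mesh_tunnels(gateways):
        for local, peer in ((a, b), (b, a)):
            src, dst = by_name[local].protected, by_name[peer].protected
            policies.append({"install_on": local, "srcintf": lan_zone, "dstintf": vpn_zone,
                             "srcaddr": src, "dstaddr": dst})
            policies.append({"install_on": local, "srcintf": vpn_zone, "dstintf": lan_zone,
                             "srcaddr": dst, "dstaddr": src})
    return policies


# Constructed sample: three FortiGates, one of them with two protected subnets
GATEWAYS = (
    Gateway("FGT-A", "203.0.113.1", ("10.1.1.0/24",)),
    Gateway("FGT-B", "203.0.113.2", ("10.2.2.0/24", "10.2.3.0/24")),
    Gateway("FGT-C", "203.0.113.3", ("10.3.3.0/24",)),
)

if __name__ == "__main__":
    for pair in full_mesh_tunnels(GATEWAYS):
        print("tunnel", *pair)
    for device, routes in automatic_static_routes(GATEWAYS).items():
        for dst, via in routes:
            print(f"{device}: route {dst} via {via}")
    print(len(bidirectional_policies(GATEWAYS)), "policies to install")
```

Running it shows why the recipe insists on subnet-type addresses and bi-directional policies: three gateways yield three tunnels, FGT-A and FGT-C each need three static routes while FGT-B needs two, and twelve policies are required so that both directions of every tunnel are covered on the device that owns it.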

For further FortiManager information, refer to the FortiManager Administration Guides available on the Fortinet Document Library.
