VPNs

This section contains information about creating and using a Virtual Private Network (VPN). The two main types of VPNs you can use with a FortiGate are IPsec and SSL.

All VPN recipes

  • Alan Monson

    I have a 60E that I have configured with multiple interfaces, each with 2-3 VLANs. I have done this so that all of our internal traffic does not traverse only a single port. This was also done because I was told that the 60E does not support link aggregation.

    When building a VPN, I am able to assign a single interface to the VPN. However, I will need that same VPN to also be able to access other interfaces. Is this possible? From what I have tried, even adding more policies that allow the VPN to traverse other interfaces, the VPN is never able to get to those interfaces. Only the one that it is pointed to in the initial setup.

  • Ali

    What is the maximum number of site-to-site VPNs we can have on a FortiGate 200D?

    We have around six branches and one head office. We are planning to put a FortiGate 60D in the branches and a FortiGate 200D at the head office. All branches should connect to the head office via site-to-site VPN.

    Is such a design feasible? Any suggestions?
    What kind of issues can I face?

    • bdickie

      The Maximum Values Table for your firmware release and model shows the maximum number of IPsec VPN configurations that you can add. This is not a promise of performance, just the number you can configure. You can find the maximum values tables on the Reference Manuals page for your FortiOS release. http://docs.fortinet.com/fortigate/reference

      For comments about the feasibility of this design you could contact customer support.

  • Eddie

    I have seen a bunch of simple posts with quick answers online about setting up an IPsec VPN between two FortiGates as a backup to MPLS. None of these posts give much detailed information about how to correctly accomplish this, and some reference using OSPF with BFD, while others try to get away with DGD. In an MPLS environment, we’re all going to want to see that if a single peer goes down, only that peer fails over, not all peers failing over to VPN in the event of a single branch MPLS issue. I’m planning on putting my MPLS router on WAN2 while leaving Internet and IPsec tunnels on WAN1, and I need some sort of dynamic failover/failback and am unsure what to use. Can someone make a recipe that encompasses all that is required to make this setup a reality? Is there anything that needs to be supported by the MPLS ISP (AT&T) to make this work? And can we also assume IPsec VPN tunnels should be set up in a dynamic hub-and-spoke method as well, to keep everything as functional as possible?

  • Kevin Blanchette

    Hi,
    I am currently trying to set up a VPN on a DMZ, but apart from having an any/any policy, I can get through by opening the ports for either PPTP or L2TP.

    Is there any documentation that I can get on how to configure the fortigate to be able to connect to the vpn?

    Thanks

    • Keith Leroux

      Hi Kevin, sorry, I’m not aware of any documentation for L2TP/PPTP VPN on a DMZ, but if I can get the information I’ll try to build a recipe. You should contact Fortinet Support to see if they can assist you directly.
      https://support.fortinet.com/

  • mir

    Hi,
    I’m a newbie.
    Can anyone help me with how to set up two FortiGates on VMs to implement a site-to-site VPN?

  • Florian

    Hello all,

    I would like to create a PPTP VPN on a FortiGate running 5.4 GA. Is it possible? How can I do it?

    Thanks in advance !

  • StefanoF

    Hello all,

    I just created a site-to-site tunnel for training, but now I can’t delete it.

    I deleted the phase 2, the static route and the policy; the reference count of the site-to-site VPN is zero, but I can’t delete the phase 1.

    I have a FortiGate 80C.

    Any ideas? Help me.

    • Hi Stefano, To delete the site-to-site VPN you need to delete everything associated with it. You also won’t be able to delete any part that is still being referenced by another part of the VPN. Usually I delete in the following order: security policies, firewall address groups, firewall addresses, static routes, and then the tunnel itself.

    • Jochen O

      Hi StefanoF,

      If the reference in the GUI is 0 this means it is most likely a CLI only object that is using the VPN interface.

      This might very well be OSPF for example. If a tunnel interface is located in the OSPF passive-interfaces it is still referenced, but because this is not shown in the GUI it will show 0.

      The fastest method is backing up the configuration and searching through the config file to see where it is referenced.

      In the CLI I would do the same using the ‘grep’ command.
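The two replies above describe the same procedure from two angles: search the configuration backup for every object that still references the tunnel interface (including CLI-only tables such as OSPF passive interfaces that the GUI reference counter does not show), then delete those objects in dependency order before the phase 1. The script below is an added example, not Fortinet code or anything from this thread: it walks a FortiOS backup (the plain-text `config` / `edit` / `set` / `next` / `end` structure) and lists each table, entry and key that names the tunnel, then orders the hits by the deletion order Keith gives. The sample backup, the tunnel name `to-branch` and the object names in it are constructed for the example; the placement of OSPF and phase 2 in the deletion list is an assumption, not something the thread states.

```python
"""Locate every reference to a VPN tunnel interface in a FortiOS config backup.

Hypothetical helper, not FortiOS or Fortinet code. It understands only the
generic backup syntax: "config <table>", "edit <name>", "set <key> <values>",
"next" and "end", which is enough to find the object that blocks a delete.
"""
import re

# Constructed sample backup for the example; "to-branch", "wan1", "internal"
# and the IPs are made-up values, not taken from any real device.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set remote-gw 203.0.113.10
    next
end
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
    next
end
config router static
    edit 5
        set dst 10.20.0.0 255.255.0.0
        set device "to-branch"
    next
end
config firewall policy
    edit 12
        set srcintf "internal"
        set dstintf "to-branch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
config router ospf
    set router-id 10.0.0.1
    config passive-interface
        edit "to-branch"
        next
    end
end
"""

# Order in which dependent objects are removed before the phase 1 itself:
# the first four follow the reply above; the last two are an assumption.
DELETE_ORDER = [
    "firewall policy",
    "firewall addrgrp",
    "firewall address",
    "router static",
    "router ospf/passive-interface",
    "vpn ipsec phase2-interface",
]


def find_references(config_text, name):
    """Return (table_path, entry, key) for every place `name` is referenced.

    The phase1-interface entry that defines the tunnel is skipped, since it is
    the object we are trying to delete, not a reference to it.
    """
    refs = []
    path = []        # stack of nested "config ..." table names
    saved = []       # entry names saved while inside a nested config block
    entry = None
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("config "):
            path.append(s[len("config "):])
            saved.append(entry)
            entry = None
        elif s.startswith("edit "):
            entry = s[len("edit "):].strip('"')
            # An "edit <tunnel>" outside the phase 1 table (e.g. an OSPF
            # passive-interface entry) is itself a reference.
            if entry == name and not path[-1].startswith("vpn ipsec phase1"):
                refs.append(("/".join(path), entry, "edit"))
        elif s.startswith("set "):
            key, _, values = s[len("set "):].partition(" ")
            tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', values)]
            if name in tokens:
                refs.append(("/".join(path), entry, key))
        elif s == "next":
            entry = None
        elif s == "end":
            path.pop()
            entry = saved.pop()
    return refs


def deletion_plan(config_text, name):
    """References sorted into the order the dependent objects should be removed."""
    rank = {table: i for i, table in enumerate(DELETE_ORDER)}
    return sorted(find_references(config_text, name),
                  key=lambda r: rank.get(r[0], len(DELETE_ORDER)))


if __name__ == "__main__":
    for table, entry, key in deletion_plan(SAMPLE_CONFIG, "to-branch"):
        print(f"{table}: edit {entry} -> {key}")
```

On the sample backup this reports the firewall policy, the static route, the OSPF passive-interface entry and the phase 2 as still pointing at `to-branch`; the OSPF entry is exactly the kind of CLI-only reference that leaves the GUI counter at 0. Run it against a real backup by replacing `SAMPLE_CONFIG` with the file contents and `"to-branch"` with the phase 1 name.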

  • Dee

    Hi

    Is there a limitation on VPNs in terms of the number of users connected to the FortiGate?

  • AF

    Hi,

    I’m new to VPN configuration and need advice from the experts.

    My FGT is connected through an ADSL modem (not bridged), and now I’m trying to configure VPN access. Can it be done in this kind of installation? I’m trying, but it seems it cannot go through (no connection). I hope you can advise.

    Thanks

    • Keith Leroux

      Hi AF,

      You should try to put your modem in bridge mode so that the FortiGate can get an external IP.

      • AF

        I tried to, but the thing is I have 2 internet lines. When I connected both to the FGT via bridged mode, there was no internet connection. How can I solve this issue?

        • Keith Leroux

          Hello AF,

          I’m not entirely sure, so I recommend that you contact support at support.fortinet.com. Best of luck.