Admin Guide

Add VPN plans

FortiExtender Cloud lets you create IPsec VPN plans to connect branch offices to each other. After creating a VPN plan, you can add it to a profile to push it onto a device.

An IPsec VPN is established in two phases: Phase 1 and Phase 2.

Several parameters determine how this is done. Apart from the IP addresses, the settings simply need to match on both VPN gateways.

The defaults are suitable for most cases.

When a FortiExtender unit receives a connection request from a remote VPN peer, it uses IPsec Phase-1 parameters to establish a secure connection and authenticate that VPN peer. Then, the FortiExtender unit establishes the tunnel using IPsec Phase-2 parameters. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.

To support these functions, the following general configuration steps must be performed on both units:

  • Define the Phase-1 parameters that the FortiExtender unit needs to authenticate the remote peer and establish a secure connection.
  • Define the Phase-2 parameters that the FortiExtender unit needs to create a VPN tunnel with the remote peer.
  • Create firewall policies to control the permitted services and permitted direction of traffic between the IP source and destination addresses. See Create profiles.
  • Create a route to direct traffic to the tunnel interface.
To create a VPN plan:
  1. In the navigation bar, go to Plan > VPN.

    The VPN plan page loads.

  2. In the upper-left corner of the page, click Add VPN Plan.

    The Add VPN Plan window loads.

  3. In the Plan Name field, enter a unique VPN plan name.

  4. Click Add.

    The VPN Plan Detail page loads.

  5. Complete the following fields:

    Field Name

    Description

    General Settings

    Name

    Change the VPN name if necessary.

    Mode

    Select which mode you want your VPN plan to run in.

    • plan — The VPN's source and destination subnets are assigned automatically from the interface's network configuration.

    • manual — Manually configure the source and destination subnet.

    Phase 1

    Name (manual mode)

    Enter a name for the Phase 1.

    Authentication Method

    Select an authentication method.

    • psk — Authenticate using a pre-shared key.
    • signature — Authenticate using a certificate signed by a CA. You can upload certificates from the VPN CA page (see Upload certificates for VPN plans).

    Key Life

    Specify the time (in seconds) before the Phase-1 key expires and is renegotiated. The valid range is 20–172800.

    Ike Version

    Specify the IKE protocol version: 1 or 2.

    Certificates (signature authentication)

    Select a certificate that you have uploaded (see Upload certificates for VPN plans).

    PSK-Secret (psk authentication)

    Enter the pre-shared secret that was set when configuring the remote VPN peer. The secret must be identical on both ends.

    Proposal

    Select a Phase-1 proposal.

    Dhgrp

    Select one of the following DH groups:

    • 1
    • 2
    • 5
    • 14

    Note: Groups 1 and 2 (768-bit and 1024-bit MODP) are too weak for new deployments. Use group 14 unless the remote peer cannot, and remember that the group must match on both gateways.

    Type

    Select a remote gateway type:

    • static

    • ddns

    Remote Gateway

    Specify the IPv4 address of the remote gateway’s external interface.

    Phase 2

    Name (manual mode)

    Enter a name for the Phase 2.

    Proposal

    Select a Phase-2 proposal.

    PFS

    Enable or disable Perfect Forward Secrecy (PFS). When PFS is enabled, each Phase-2 rekey performs a fresh Diffie-Hellman exchange, so a compromised Phase-1 key does not expose the Phase-2 keys.

    Source Subnet (manual mode)

    Enter the local proxy ID subnet.

    Source Subnet Port

    Enter the quick mode source port.

    Note: The valid range is 1–65535; enter 0 to match all ports.

    Destination Subnet (manual mode)

    Enter the remote proxy ID subnet.

    Destination Subnet Port

    Enter the quick mode destination port.

    Note: The valid range is 1–65535; enter 0 to match all ports.

    Key Life Type

    Select how you want to define the key life type:

    • seconds

    • kbs

    Encapsulation

    Select the ESP encapsulation mode:

    • tunnel-mode

    • transport-mode

    Key Life Seconds

    Define the Phase-2 key life time in seconds.

    Note: The valid range is 120–172800.

    Protocol

    Enter the quick mode protocol selector (the IP protocol number).

    Note: The valid range is 1–255; enter 0 to match all protocols.

    Key Life Kbs

    Define the Phase-2 key life time in kilobytes of traffic.

    Add Phase

    You can add up to 10 phases as needed.

  6. Click Save.

    The new VPN plan is created. You can return to the VPN Plan page to see it.
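The procedure above produces one plan per gateway, and the introduction notes that apart from the IP addresses the settings must match on both ends. The following Python script is an added example written for this page, not FortiExtender Cloud code or an API it exposes: it encodes the documented ranges from the field table, flags the weak but valid choices (DH groups 1 and 2, IKEv1, PFS disabled) and checks that two plans are mirror images of each other. The dictionary layout, key names, the sample plans, the check_plan() and check_peers() helpers and the 16-character PSK threshold are all assumptions made for illustration.

```python
"""Sanity-check FortiExtender Cloud VPN plans before pushing them.
Added example, not FortiExtender Cloud code: dict layout, key names, sample
plans, check_plan()/check_peers() and MIN_PSK_LEN are assumptions made for
illustration; the numeric ranges and DH groups come from the field table."""
import ipaddress

P1_KEYLIFE = (20, 172800)           # Phase-1 Key Life, seconds
P2_KEYLIFE_SECONDS = (120, 172800)  # Phase-2 Key Life Seconds
PORT_RANGE = (0, 65535)             # quick mode ports, 0 = all
PROTO_RANGE = (0, 255)              # quick mode protocol, 0 = all
DH_GROUPS, WEAK_DH = {1, 2, 5, 14}, {1, 2}   # 1 and 2 are 768/1024-bit MODP
MIN_PSK_LEN = 16                    # threshold chosen for this example
P1_MATCH = ("auth", "ike_version", "keylife", "proposal", "dhgrp", "psk")
P2_MATCH = ("proposal", "pfs", "encapsulation", "keylife_type", "keylife", "protocol")


def _in(value, rng):
    return isinstance(value, int) and rng[0] <= value <= rng[1]


def _is_ipv4(text, net=False):
    try:
        (ipaddress.IPv4Network if net else ipaddress.IPv4Address)(text)
        return True
    except ValueError:
        return False


def check_plan(plan: dict) -> list[str]:
    """Return problems with one plan: 'error:' for values the field table
    rejects, 'warn:' for valid but weak choices. Empty list = plan passes."""
    out, p1 = [], plan["phase1"]

    def need(ok, msg):
        if not ok:
            out.append(msg)

    if p1["auth"] == "psk":
        psk = p1.get("psk", "")
        need(psk, "error: psk authentication but no PSK-Secret set")
        need(not psk or len(psk) >= MIN_PSK_LEN, f"warn: PSK-Secret shorter than {MIN_PSK_LEN} chars")
    else:
        need(p1["auth"] == "signature" and p1.get("certificate"),
             "error: signature authentication needs an uploaded certificate")
    need(p1["ike_version"] in (1, 2), "error: Ike Version must be 1 or 2")
    need(p1["ike_version"] != 1, "warn: IKEv1 selected; prefer IKEv2 unless the peer requires v1")
    need(_in(p1["keylife"], P1_KEYLIFE), f"error: Phase-1 Key Life outside {P1_KEYLIFE}")
    need(p1["dhgrp"] in DH_GROUPS, f"error: Dhgrp must be one of {sorted(DH_GROUPS)}")
    need(p1["dhgrp"] not in WEAK_DH, f"warn: DH group {p1['dhgrp']} is weak; use group 14")
    need(p1["type"] in ("static", "ddns"), "error: Type must be static or ddns")
    need(p1["type"] != "static" or _is_ipv4(p1["remote_gateway"]),
         "error: Remote Gateway must be an IPv4 address for a static peer")
    for i, p2 in enumerate(plan["phase2"]):
        tag = f"phase2[{i}]"
        if plan["mode"] == "manual":     # proxy IDs are only typed in manual mode
            for key in ("src_subnet", "dst_subnet"):
                need(_is_ipv4(p2.get(key, ""), net=True), f"error: {tag} {key} must be an IPv4 subnet")
        for key in ("src_port", "dst_port"):
            need(_in(p2[key], PORT_RANGE), f"error: {tag} {key} outside {PORT_RANGE}")
        need(_in(p2["protocol"], PROTO_RANGE), f"error: {tag} protocol outside {PROTO_RANGE}")
        need(p2["keylife_type"] != "seconds" or _in(p2["keylife"], P2_KEYLIFE_SECONDS),
             f"error: {tag} Key Life Seconds outside {P2_KEYLIFE_SECONDS}")
        need(p2["encapsulation"] in ("tunnel-mode", "transport-mode"),
             f"error: {tag} Encapsulation must be tunnel-mode or transport-mode")
        need(p2["pfs"], f"warn: {tag} PFS disabled; Phase-2 keys then derive from the Phase-1 secret")
    return out


def check_peers(a: dict, b: dict) -> list[str]:
    """Check that two gateways' plans mirror each other: shared settings equal,
    proxy IDs and ports swapped, and each side pointing at a different peer."""
    out = [f"phase1 {k} differs between peers" for k in P1_MATCH if a["phase1"].get(k) != b["phase1"].get(k)]
    if a["phase1"]["remote_gateway"] == b["phase1"]["remote_gateway"]:
        out.append("both plans point at the same Remote Gateway")
    if len(a["phase2"]) != len(b["phase2"]):
        out.append("peers have a different number of Phase-2 entries")
    for i, (pa, pb) in enumerate(zip(a["phase2"], b["phase2"])):
        out += [f"phase2[{i}] {k} differs between peers" for k in P2_MATCH if pa[k] != pb[k]]
        for mine, theirs in (("src_subnet", "dst_subnet"), ("src_port", "dst_port")):
            if pa.get(mine) != pb.get(theirs) or pa.get(theirs) != pb.get(mine):
                out.append(f"phase2[{i}] {mine}/{theirs} are not mirrored")
    return out


# Constructed sample plans for an HQ-to-branch tunnel (documentation address ranges).
HQ_PLAN = {
    "name": "hq-to-branch1", "mode": "manual",
    "phase1": {"auth": "psk", "psk": "correct horse battery staple", "ike_version": 2,
               "keylife": 86400, "proposal": "aes256-sha256", "dhgrp": 14,
               "type": "static", "remote_gateway": "203.0.113.10"},
    "phase2": [{"proposal": "aes256-sha256", "pfs": True,
                "src_subnet": "10.1.0.0/24", "src_port": 0, "dst_subnet": "10.2.0.0/24", "dst_port": 0,
                "keylife_type": "seconds", "keylife": 3600, "encapsulation": "tunnel-mode", "protocol": 0}],
}
BRANCH_PLAN = {                        # the mirror image configured on the branch
    "name": "branch1-to-hq", "mode": "manual",
    "phase1": dict(HQ_PLAN["phase1"], remote_gateway="198.51.100.5"),
    "phase2": [dict(HQ_PLAN["phase2"][0], src_subnet="10.2.0.0/24", dst_subnet="10.1.0.0/24")],
}
WEAK_PLAN = {                          # accepted by the field table, but weak
    "name": "legacy", "mode": "manual",
    "phase1": dict(HQ_PLAN["phase1"], dhgrp=2, ike_version=1),
    "phase2": [dict(HQ_PLAN["phase2"][0], pfs=False)],
}

if __name__ == "__main__":
    print("hq:", check_plan(HQ_PLAN) or "ok")
    print("mirror:", check_peers(HQ_PLAN, BRANCH_PLAN) or "ok")
    print("weak:", *check_plan(WEAK_PLAN), sep="\n  ")
```

Run the script on the two plans before saving them in the portal; a non-empty result from check_peers() is almost always the reason a tunnel sits in Phase 1 or Phase 2 negotiation without coming up, since the proxy IDs, proposals and secrets are exactly what the peers compare.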
