- On HQ, go to VPN > IPsec Wizard and create a new tunnel.
  - In the VPN Setup section, set Template Type to Site to Site.
  - Set Remote Device Type to FortiGate.
  - Set NAT Configuration to No NAT between sites.
- In the Authentication section, set IP Address to the public IP address of the Branch FortiGate (in this example, 172.25.177.46).
  - After you enter the IP address, an interface is assigned as the Outgoing Interface. If you want to use a different interface, select it from the dropdown menu.
  - Set Authentication Method to Signature.
  - For the Certificate Name, select the client certificate (in this example, FortiGate-HQ).
  - For the Peer Certificate CA, select the CA certificate for Branch (in this example, CA_Cert_2).
- In the Policy & Routing section, set Local Interface to lan. The local subnet is added automatically.
  - Set Remote Subnets to Branch’s local subnet (in this example, 192.168.13.0/24).
- Review the configuration summary that shows the firewall addresses, static routes, and security policies.
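The same HQ-side tunnel expressed in the FortiOS CLI, as an added example that is not part of the original page. The outgoing interface (wan1), the HQ LAN subnet (192.168.1.0/24), the tunnel name, the peer object name and the two address objects are assumed, since the page does not state them; the Branch IP, certificate, CA and remote subnet are the ones from the steps above.

```fortios
# Added example, not from the page. Assumed: outgoing interface wan1,
# HQ LAN 192.168.1.0/24, tunnel HQ-to-Branch, peer object Branch_peer,
# address objects HQ_LAN and Branch_LAN already defined.
# Pin the Branch peer to CA_Cert_2: only certificates chaining to this
# CA are accepted for this tunnel (Peer Certificate CA in the wizard).
config user peer
    edit "Branch_peer"
        set ca "CA_Cert_2"
    next
end
# Phase 1: static site-to-site, signature auth with the HQ certificate.
config vpn ipsec phase1-interface
    edit "HQ-to-Branch"
        set type static
        set interface "wan1"
        set remote-gw 172.25.177.46
        set authmethod signature
        set certificate "FortiGate-HQ"
        set peertype peer
        set peer "Branch_peer"
    next
end
# Phase 2: traffic selectors for the two LAN subnets.
config vpn ipsec phase2-interface
    edit "HQ-to-Branch"
        set phase1name "HQ-to-Branch"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.13.0 255.255.255.0
    next
end
# Static route sending Branch's subnet into the tunnel interface.
config router static
    edit 0
        set dst 192.168.13.0 255.255.255.0
        set device "HQ-to-Branch"
    next
end
# Policy lan -> tunnel; a matching tunnel -> lan policy is also required.
config firewall policy
    edit 0
        set name "lan-to-Branch"
        set srcintf "lan"
        set dstintf "HQ-to-Branch"
        set srcaddr "HQ_LAN"
        set dstaddr "Branch_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Once Branch is configured with the mirror-image settings, `diagnose vpn ike gateway list` on HQ shows whether phase 1 negotiated with the expected peer certificate.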