
Handbook

6.0.0

Planning your VPN

Plan the VPN configuration ahead of time. Doing so saves time later and helps you configure your VPN correctly.

All VPN configurations consist of numerous required and optional parameters. Before you begin, you need to determine:

  • Where the IP traffic originates and where it needs to be delivered
  • Which hosts, servers, or networks to include in the VPN
  • Which VPN devices to include in the configuration
  • Through which interfaces the VPN devices communicate
  • Through which interfaces private networks access the VPN gateways

Once you have this information, you can select a VPN topology that suits the network environment.

Network topologies

The topology of your network will determine how remote peers and clients connect to the VPN and how VPN traffic is routed.

VPN network topologies and brief descriptions

| Topology | Description |
| --- | --- |
| Gateway-to-gateway | Standard one-to-one VPN between two FortiGate units. See Gateway-to-gateway configuration. |
| Hub-and-spoke | One central FortiGate unit has multiple VPNs to other remote FortiGate units. See Hub-and-spoke configuration. |
| Dynamic DNS | One end of the VPN tunnel has a changing IP address and the other end must go to a dynamic DNS server for the current IP address before establishing a tunnel. See Dynamic DNS configuration. |
| FortiClient dialup-client | Typically remote FortiClient dialup-clients use dynamic IP addresses through NAT devices. The FortiGate unit acts as a dialup server allowing dialup VPN connections from multiple sources. See FortiClient dialup-client configuration. |
| FortiGate dialup-client | Similar to FortiClient dialup-client configurations but with more gateway-to-gateway settings such as unique user authentication for multiple users on a single VPN tunnel. See FortiGate dialup-client configuration. |
| Internet browsing | Secure web browsing performed by dialup VPN clients, and/or hosts behind a remote VPN peer. See Internet-browsing configuration. |
| Redundant VPN | Options for supporting redundant and partially redundant IPsec VPNs, using route-based approaches. See Redundant VPN configuration. |
| Transparent-mode VPN | In transparent mode, the FortiGate acts as a bridge with all incoming traffic being broadcast back out on all other interfaces. Routing and NAT must be performed on external routers. See Transparent-mode VPN configuration. |
| L2TP and IPsec (Microsoft VPN) | Configure VPN for Microsoft Windows dialup clients using the built-in L2TP software. Users do not have to install any See L2TP and IPsec (Microsoft VPN). |

These sections contain high-level configuration guidelines with cross-references to detailed configuration procedures. If you need more detail to complete a step, select the cross-reference in that step to drill down, then return to the original procedure to complete it. For a general overview of how to configure a VPN, see General preparation steps.
