SD-WAN Deployment for MSSPs

Configuring overlay

Here we double the existing configuration: each Edge builds one VPN tunnel from each underlay to each Hub, resulting in four tunnels in total (2 underlays x 2 Hubs).

Following is a summary of how to configure the overlay:

  1. Edit the existing overlay template, or create a new overlay CLI template. See Creating an overlay template.

    With two Hubs, each Edge establishes two VPN tunnels from each WAN connection (one to each Hub), so the template defines four phase1/phase2 pairs instead of two.

  2. Create the four new Meta Fields in FortiManager for the tunnels to the Secondary Hub. See Creating Meta Fields.
  3. Create a new template group and add this template (or, if you are reusing the existing template, skip this step). See Creating a template group.

Creating an overlay template

Create (or import) a new CLI template called 01-Edge-DualHub-Overlay.conf.

As in the basic single-Hub configuration, this CLI template configures the static IPsec overlay tunnels that the Edge devices establish to the Hubs, this time to both of them. It follows the same guidelines described in the previous chapter: IKEv2 with certificate authentication (set authmethod signature, set certificate "Edge"), ADVPN auto-discovery enabled on the Edge side, and the Hub addresses and overlay network IDs supplied by Meta Fields rather than hard-coded, so the same template serves every Edge.

Here is the content of this CLI Template in our example topology:

    config vpn ipsec phase1-interface
        edit "H1_INET"
            set interface $(inet-intf)
            set ike-version 2
            set authmethod signature
            set keylife 28800
            set peertype any
            set net-device enable
            set mode-cfg enable
            set proposal aes256-sha256
            set add-route disable
            set idle-timeout enable
            set auto-discovery-receiver enable
            set auto-discovery-shortcuts dependent
            set network-overlay enable
            set network-id $(h1-inet-id)
            set remote-gw $(h1-inet-ip)
            set certificate "Edge"
            set dpd-retrycount 3
            set dpd-retryinterval 5
            set dpd on-idle
        next
        edit "H1_MPLS"
            set interface $(mpls-intf)
            set ike-version 2
            set authmethod signature
            set keylife 28800
            set peertype any
            set net-device enable
            set mode-cfg enable
            set proposal aes256-sha256
            set add-route disable
            set idle-timeout enable
            set auto-discovery-receiver enable
            set auto-discovery-shortcuts dependent
            set network-overlay enable
            set network-id $(h1-mpls-id)
            set remote-gw $(h1-mpls-ip)
            set certificate "Edge"
            set dpd-retrycount 3
            set dpd-retryinterval 5
            set dpd on-idle
        next
        edit "H2_INET"
            set interface $(inet-intf)
            set ike-version 2
            set authmethod signature
            set keylife 28800
            set peertype any
            set net-device enable
            set mode-cfg enable
            set proposal aes256-sha256
            set add-route disable
            set idle-timeout enable
            set auto-discovery-receiver enable
            set auto-discovery-shortcuts dependent
            set network-overlay enable
            set network-id $(h2-inet-id)
            set remote-gw $(h2-inet-ip)
            set certificate "Edge"
            set dpd-retrycount 3
            set dpd-retryinterval 5
            set dpd on-idle
        next
        edit "H2_MPLS"
            set interface $(mpls-intf)
            set ike-version 2
            set authmethod signature
            set keylife 28800
            set peertype any
            set net-device enable
            set mode-cfg enable
            set proposal aes256-sha256
            set add-route disable
            set idle-timeout enable
            set auto-discovery-receiver enable
            set auto-discovery-shortcuts dependent
            set network-overlay enable
            set network-id $(h2-mpls-id)
            set remote-gw $(h2-mpls-ip)
            set certificate "Edge"
            set dpd-retrycount 3
            set dpd-retryinterval 5
            set dpd on-idle
        next
    end

    config vpn ipsec phase2-interface
        edit "H1_INET"
            set phase1name "H1_INET"
            set proposal aes256-sha256
            set keepalive enable
            set keylifeseconds 3600
        next
        edit "H1_MPLS"
            set phase1name "H1_MPLS"
            set proposal aes256-sha256
            set keepalive enable
            set keylifeseconds 3600
        next
        edit "H2_INET"
            set phase1name "H2_INET"
            set proposal aes256-sha256
            set keepalive enable
            set keylifeseconds 3600
        next
        edit "H2_MPLS"
            set phase1name "H2_MPLS"
            set proposal aes256-sha256
            set keepalive enable
            set keylifeseconds 3600
        next
    end

    config system interface
        edit "H1_INET"
            set vdom "root"
            set allowaccess ping
            set type tunnel
            set interface $(inet-intf)
        next
        edit "H1_MPLS"
            set vdom "root"
            set allowaccess ping
            set type tunnel
            set interface $(mpls-intf)
        next
        edit "H2_INET"
            set vdom "root"
            set allowaccess ping
            set type tunnel
            set interface $(inet-intf)
        next
        edit "H2_MPLS"
            set vdom "root"
            set allowaccess ping
            set type tunnel
            set interface $(mpls-intf)
        next
    end

Creating Meta Fields

This template uses the following Meta Fields in addition to those already defined for the single-Hub overlay (inet-intf, mpls-intf, h1-inet-id, h1-inet-ip, h1-mpls-id, h1-mpls-ip):

    Meta Field    Description
    h2-inet-id    Network ID for the Internet overlay, as defined on the Secondary Hub
    h2-inet-ip    Underlay (WAN) IP of the Internet link on the Secondary Hub
    h2-mpls-id    Network ID for the MPLS overlay, as defined on the Secondary Hub
    h2-mpls-ip    Underlay (WAN) IP of the MPLS link on the Secondary Hub

To create Meta Fields:
  1. Navigate to System Settings > Advanced > Meta Fields, and create the missing Meta Fields listed in the table above. All the Meta Fields must be of type Device and defined as Optional. Optional means FortiManager does not require a value when a device is added, so verify that every Edge has all four h2-* values populated before installing the template; an unresolved $(...) reference cannot produce a working tunnel.
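The template above is only as correct as the per-device Meta Field values it is rendered with. The most common mistakes when "doubling" the single-Hub template are a missing h2-* value on one Edge and a copy-pasted Hub address that leaves two phase1 entries pointing at the same peer on the same underlay. The following added example (not FortiManager's own code, and not part of the original page) approximates FortiManager's $(name) substitution on a shortened copy of the phase1 section, renders it for constructed Edge devices, and runs the checks a practitioner would want before pushing the template. All interface names, network IDs and addresses below are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the 01-Edge-DualHub-Overlay.conf template
# (phase1-interface only; the other sections use the same Meta Fields).
TEMPLATE = """\
config vpn ipsec phase1-interface
    edit "H1_INET"
        set interface $(inet-intf)
        set network-id $(h1-inet-id)
        set remote-gw $(h1-inet-ip)
    next
    edit "H1_MPLS"
        set interface $(mpls-intf)
        set network-id $(h1-mpls-id)
        set remote-gw $(h1-mpls-ip)
    next
    edit "H2_INET"
        set interface $(inet-intf)
        set network-id $(h2-inet-id)
        set remote-gw $(h2-inet-ip)
    next
    edit "H2_MPLS"
        set interface $(mpls-intf)
        set network-id $(h2-mpls-id)
        set remote-gw $(h2-mpls-ip)
    next
end
"""

# Constructed per-device Meta Field values (assumed interface names,
# documentation-range addresses and arbitrary network IDs).
EDGE1_META = {
    "inet-intf": "port1", "mpls-intf": "port2",
    "h1-inet-id": "1", "h1-inet-ip": "198.51.100.1",
    "h1-mpls-id": "2", "h1-mpls-ip": "10.100.1.1",
    "h2-inet-id": "11", "h2-inet-ip": "203.0.113.1",
    "h2-mpls-id": "12", "h2-mpls-ip": "10.100.2.1",
}
# Same device with one Optional Meta Field never populated.
EDGE_MISSING_META = {k: v for k, v in EDGE1_META.items() if k != "h2-mpls-ip"}

META_RE = re.compile(r"\$\(([A-Za-z0-9_-]+)\)")
EDIT_RE = re.compile(r'^\s*edit "([^"]+)"')
SET_RE = re.compile(r"^\s*set (\S+) (.+)$")


def required_meta_fields(template):
    """Every $(name) reference the template needs a value for."""
    return sorted(set(META_RE.findall(template)))


def render(template, device_meta):
    """Substitute $(name) with the device's values; refuse to render with gaps."""
    missing = [f for f in required_meta_fields(template) if not device_meta.get(f)]
    if missing:
        raise ValueError("missing meta fields: " + ", ".join(missing))
    return META_RE.sub(lambda m: device_meta[m.group(1)], template)


def phase1_tunnels(rendered):
    """Parse rendered 'edit ... set ... next' blocks into {name: {attr: value}}."""
    tunnels, current = {}, None
    for line in rendered.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            tunnels[current][m.group(1)] = m.group(2).strip().strip('"')
    return tunnels


def check_overlay(rendered):
    """Return a list of problems; an empty list means the overlay looks sane."""
    problems = []
    tunnels = phase1_tunnels(rendered)
    if len(tunnels) != 4:
        problems.append(f"expected 4 phase1 entries (2 underlays x 2 Hubs), found {len(tunnels)}")
    seen = {}
    for name, attrs in tunnels.items():
        gw = attrs.get("remote-gw", "")
        try:
            ipaddress.IPv4Address(gw)
        except ValueError:
            problems.append(f"{name}: remote-gw {gw!r} is not an IPv4 address")
        nid = attrs.get("network-id", "")
        if not (nid.isdigit() and 0 <= int(nid) <= 255):
            problems.append(f"{name}: network-id {nid!r} is outside 0-255")
        # Two tunnels on the same underlay to the same peer means a Hub address
        # was duplicated instead of pointing at the Secondary Hub.
        key = (attrs.get("interface"), gw)
        if key in seen:
            problems.append(f"{name}: same interface and remote-gw as {seen[key]} ({key[0]} -> {gw})")
        seen.setdefault(key, name)
    return problems


if __name__ == "__main__":
    rendered = render(TEMPLATE, EDGE1_META)
    print(rendered)
    print("problems:", check_overlay(rendered) or "none")
```

Running the block renders the template for the complete device and reports no problems; rendering EDGE_MISSING_META raises a ValueError naming h2-mpls-ip, and a device whose h2-inet-ip was copied from h1-inet-ip is flagged because H1_INET and H2_INET would share one interface and one remote gateway.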

Creating a template group

To create a new CLI Template Group:
  1. Create a new CLI Template Group called Edge-DualHub-Template, and add the overlay CLI template to it.
