Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM

Configure the cloud FortiGate-VM

To create an address for the VPN gateway:
  1. Go to Policy & Objects > Addresses and click Create New > Address.
  2. Set Name to local_subnet_10_0_2_0.
  3. Set IP/Netmask to

  4. Click OK.

To configure a custom IPsec VPN:
  1. Go to VPN > IPsec Wizard.

  2. Set Name to Core_Dialup.

  3. Set Template type to Custom.

  4. Click Next.

  5. Configure Network settings:

    Remote Gateway: Dialup User
    NAT Traversal

  6. Configure Authentication settings:

    Pre-shared Key
    Pre-shared Key: Enter the pre-shared key.
    Version 1
    This setting allows the peer ID to be specified.
    Accept Types: Specific peer ID
    Peer ID
    The other end of the tunnel needs to have its local ID set to IaaS.

  7. Leave the default Phase 1 Proposal settings and disable XAUTH.

  8. Configure the Phase 2 Selector settings:

    Local Address: Named Address - local_subnet_10_0_2_0
    Remote Address: Named Address - all

    Setting the remote address to all permits both traffic originating from the remote subnet and the health checks sent from the VPN interface on the remote FortiGate. For increased security, specify each subnet individually instead.

  9. Click OK.
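
The Remote Address note in step 8 can be checked against an exported configuration. This added example (not part of the original page and not Fortinet tooling) parses the `config vpn ipsec phase2-interface` section of a FortiOS backup and lists the selectors that match any address. The sample backup, the Narrow_Example tunnel and the hq_subnet_example address name are constructed for illustration.

```python
import re

# Constructed sample of a FortiOS backup. Core_Dialup mirrors the GUI steps;
# Narrow_Example and hq_subnet_example are hypothetical names.
SAMPLE_CONFIG = '''
config vpn ipsec phase2-interface
    edit "Core_Dialup"
        set phase1name "Core_Dialup"
        set src-addr-type name
        set dst-addr-type name
        set src-name "local_subnet_10_0_2_0"
        set dst-name "all"
    next
    edit "Narrow_Example"
        set phase1name "Narrow_Example"
        set src-addr-type name
        set dst-addr-type name
        set src-name "local_subnet_10_0_2_0"
        set dst-name "hq_subnet_example"
    next
end
'''

# Selector values that match every address, in named and subnet form.
WIDE_VALUES = {"all", "0.0.0.0 0.0.0.0", "0.0.0.0/0"}
SELECTOR_KEYS = ("src-name", "dst-name", "src-subnet", "dst-subnet")

def parse_phase2(config_text):
    """Return {entry_name: {setting: value}} for the phase2-interface section."""
    entries, current, in_section = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            in_section = line == "config vpn ipsec phase2-interface"
        elif not in_section:
            continue  # ignore every other section of the backup
        elif line == "end":
            in_section = False
        elif m := re.match(r'edit "?([^"]+)"?$', line):
            current = entries.setdefault(m.group(1), {})
        elif current is not None and (m := re.match(r"set (\S+) (.+)$", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return entries

def wide_selectors(config_text):
    """List (tunnel, setting, value) where a selector matches any address."""
    return [(name, key, cfg[key])
            for name, cfg in parse_phase2(config_text).items()
            for key in SELECTOR_KEYS if cfg.get(key) in WIDE_VALUES]
```

Running `wide_selectors` on the sample reports only the Core_Dialup remote selector, which is the entry to narrow when each remote subnet is specified individually.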

To configure remote and local tunnel IP addresses:
  1. Go to Network > Interfaces and edit the Core_Dialup interface under port1.
  2. Set IP to
  3. Set Remote IP/Netmask to This is where remote health check traffic will come from.
  4. Enable Administrative access for HTTPS, PING, and SSH.

  5. Click OK.

To configure a route to the remote subnet through the tunnel:
  1. Go to Network > Static Routes and click Create New.

  2. Set Destination to Subnet and enter the IP address and netmask:

  3. Set Interface to Core_Dialup.

  4. Click OK.

To configure a firewall policy to allow traffic from the tunnel to port2:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure the following:

    Incoming Interface
    Outgoing Interface