Fortinet black logo

Administration Guide

Creating external gateways

Creating external gateways

External gateways are not managed by the FortiManager device.

To create an external gateway:
  1. Go to VPN Manager > IPsec VPN.
  2. Select a community from the tree menu, or double-click on a community in the list.
  3. On the community information content pane, in the toolbar, select Create New > External Gateway. The New VPN External Gateway pane opens.

  4. Configure the following settings, then click OK to create the external gateway:

    Node Type

    Select either HUB or Spoke from the dropdown list.

    This option is only available for star and dial up VPN topologies.

    Gateway Name

    Enter the gateway name.

    Gateway IP

    Select the gateway IP address from the dropdown list.

    Hub IP

    Select the hub IP address from the dropdown list.

    This option is only available for star and dial up topologies with the role set to Hub.

    Create Phase2 per Protected Subnet Pair

    Toggle the switch to On to create a phase2 per protected subnet pair.

    Routing

    Select the routing method: Manual (via Device Manager, or Automatic.

    This option is only available for full meshed and star topologies.

    Peer Type

    Select one of the following:

    • Accept any peer ID
    • Accept this peer ID: Enter the peer ID in the text field
    • Accept a dialup group: Select a group from the dropdown list

    A Local ID is an alphanumeric value assigned in the Phase 1 configuration. The local ID of a peer is called a Peer ID. The Local ID or peer ID can be used to uniquely identify one end of a VPN tunnel, enabling a more secure connection. If you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect.

    When you configure the ID on your end, it is your local ID. When the remote end connects to you, they see it as your peer ID. If you are debugging a VPN connection, the local ID is part of the VPN negotiations. You can use it to help troubleshoot connection problems.

    The default configuration is to accept all local IDs (peer IDs). If your local ID is set, the remote end of the tunnel must be configured to accept your ID.

    This option is only available for dial up topologies.

    Protected Subnet

    Select a protected subnet from the list. You can add multiple subnets.

    Local Gateway

    Enter the local gateway IP address.

Creating external gateways

External gateways are not managed by the FortiManager device.

To create an external gateway:
  1. Go to VPN Manager > IPsec VPN.
  2. Select a community from the tree menu, or double-click on a community in the list.
  3. On the community information content pane, in the toolbar, select Create New > External Gateway. The New VPN External Gateway pane opens.

  4. Configure the following settings, then click OK to create the external gateway:

    Node Type

    Select either HUB or Spoke from the dropdown list.

    This option is only available for star and dial up VPN topologies.

    Gateway Name

    Enter the gateway name.

    Gateway IP

    Select the gateway IP address from the dropdown list.

    Hub IP

    Select the hub IP address from the dropdown list.

    This option is only available for star and dial up topologies with the role set to Hub.

    Create Phase2 per Protected Subnet Pair

    Toggle the switch to On to create a phase2 per protected subnet pair.

    Routing

    Select the routing method: Manual (via Device Manager, or Automatic.

    This option is only available for full meshed and star topologies.

    Peer Type

    Select one of the following:

    • Accept any peer ID
    • Accept this peer ID: Enter the peer ID in the text field
    • Accept a dialup group: Select a group from the dropdown list

    A Local ID is an alphanumeric value assigned in the Phase 1 configuration. The local ID of a peer is called a Peer ID. The Local ID or peer ID can be used to uniquely identify one end of a VPN tunnel, enabling a more secure connection. If you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect.

    When you configure the ID on your end, it is your local ID. When the remote end connects to you, they see it as your peer ID. If you are debugging a VPN connection, the local ID is part of the VPN negotiations. You can use it to help troubleshoot connection problems.

    The default configuration is to accept all local IDs (peer IDs). If your local ID is set, the remote end of the tunnel must be configured to accept your ID.

    This option is only available for dial up topologies.

    Protected Subnet

    Select a protected subnet from the list. You can add multiple subnets.

    Local Gateway

    Enter the local gateway IP address.