Configuring VPN Manager
We need to create two overlay connections to create two secure links to the datacenter and then implement SD-WAN among those links. In order to create the two overlay connections, we need to create VPN communities and add nodes to those communities, from the VPN Manager.
This section involves the following steps:
Creating VPN communities
We will use the dial-up topology to create the two overlays, one for the internet connection (OL_INET) and one for the MPLS network (OL_MPLS), by creating two VPN communities.
To create a VPN Community from the GUI:
- Go to VPN Manager > IPsec VPN.
- In the toolbar, click Create New. The VPN Topology Setup Wizard dialog appears.
- Enter a name for the topology, such as OL_INET.
- In the Choose VPN topology field, select Dial up.
- Click Next.
- Complete the setup as required in the wizard.
Ensure that VPN Zone is disabled while completing the dial-up topology setup. Enabling VPN Zone and setting it to Create Default Zones, creates a dynamic interface by default.
SD-WAN does not support dynamic interfaces.
- Click OK. The VPN community is created.
Similarly, create another VPN community called OL_MPLS for the MPLS network.
Adding nodes to VPN communities
Once we have created the OL_INET and OL_MPLS VPN communities, we need to add hub and spoke nodes to both these communities. The datacenter will act as a hub and the branches will act as spokes.
To add a branch to the OL_INET VPN community from the GUI:
- Go to VPN Manager > IPsec VPN.
- In the tree menu, click OL_INET.
- In the toolbar, click Create New > Managed Gateway. The VPN Gateway Setup Wizard - OL_INET dialog appears.
- Select a Protected Subnet, and click OK.
- Set the Role field to Spoke.
- Select a branch FortiGate from the Device dropdown, and click Next.
- Complete the setup as required in the wizard.
While completing the managed gateway setup:
- Ensure to toggle Enable IP Assignment to OFF.
- Ensure to toggle Add Route to OFF.
- Under Advanced Options, ensure to toggle net-device to OFF, and set the tunnel-search setting to nexthop.
- Click OK. The branch is added to the OL_INET VPN community.
Similarly, add the other branch to the OL_INET VPN community.
To add a hub to the OL_INET VPN community from the GUI:
- Go to VPN Manager > IPsec VPN.
- In the tree menu, click OL_INET.
- In the toolbar, click Create New > Managed Gateway. The VPN Gateway Setup Wizard - OL_INET dialog appears.
- Select a Protected Subnet, and click OK.
- Set the Role field to Hub.
- Select the datacenter FortiGate from the Device dropdown, and click Next.
- Complete the setup as required in the wizard.
While completing the managed gateway setup:
- Ensure to select Accept any peer ID for Peer Type.
- Ensure to toggle both Enable IKE Configuration Method and DHCP Server settings to OFF.
- Under Advanced Options, ensure to toggle net-device to OFF, and set the tunnel-search setting to nexthop.
- Click OK. The hub is added to the OL_INET VPN community.
Once you have added both the branches and the hub to the OL_INET VPN community, do the same for OL_MPLS VPN community as well.
Once you have configured the VPN Manager, your configuration should appear as follows:
