Verifying ADVPN configuration in FortiGate
When configuring the VPN manager, keep in mind that the final outcome you want on the FortiGate is shown in the configurations below.
The configuration will be available on the FortiGates only after they are installed from FortiManager. The installation is described later in the guide. These configurations are required for ADVPN to work. At this point you don’t need to install the configurations on the FortiGates.
Example configurations
Branch FGT-6
config vpn ipsec phase1-interface
    edit "OL_MPLS_0"
        set interface "port3"
        set ike-version 2
        set comments "[created by FMG VPN Manager]"
        set proposal aes128-sha256 aes256-sha256
        set keylife 28800
        set peertype any
        set remote-gw 172.20.9.5
        set net-device disable
        set psksecret ENC ***
    next
    edit "OL_INET_0"
        set interface "port2"
        set ike-version 2
        set comments "[created by FMG VPN Manager]"
        set proposal aes128-sha256 aes256-sha256
        set keylife 28800
        set peertype any
        set remote-gw 172.20.10.5
        set net-device disable
        set psksecret ENC ***
    next
end
Branch FGT-7
Similar configuration to FGT-6.
Datacenter DC-6
config vpn ipsec phase1-interface
    edit "OL_MPLS_0"
        set type dynamic
        set interface "port3"
        set ike-version 2
        set dpd on-idle
        set comments "[created by FMG VPN Manager]"
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set keylife 28800
        set peertype any
        set dpd-retryinterval 60
        set net-device disable
        set tunnel-search nexthop
        set add-route disable
        set psksecret ENC ***
    next
    edit "OL_INET_0"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set dpd on-idle
        set comments "[created by FMG VPN Manager]"
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set keylife 28800
        set peertype any
        set dpd-retryinterval 60
        set net-device disable
        set tunnel-search nexthop
        set add-route disable
        set psksecret ENC ***
    next
end
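
One way to compare a FortiGate against the example configurations above after installation, as an added example that is not part of the original guide or of Fortinet's tooling: a Python script that parses saved "config vpn ipsec phase1-interface" text and lists the overlays that deviate. The function names, the subset of settings checked and the sample text are assumptions made for this example.

```python
import shlex

# A subset of the settings shown in this page's example configurations.
COMMON = {"ike-version": "2", "net-device": "disable"}
HUB_ONLY = {"type": "dynamic", "tunnel-search": "nexthop", "add-route": "disable"}

def parse_phase1(text):
    """Parse phase1-interface config text into {tunnel: {setting: value}}."""
    tunnels, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line)  # handles quoted names and comments
        if len(tokens) >= 2 and tokens[0] == "edit":
            current = tunnels.setdefault(tokens[1], {})
        elif len(tokens) >= 3 and tokens[0] == "set" and current is not None:
            current[tokens[1]] = " ".join(tokens[2:])
        elif tokens and tokens[0] in ("next", "end"):
            current = None
    return tunnels

def check(text, role, overlays=("OL_MPLS_0", "OL_INET_0")):
    """Return deviations for role 'branch' or 'hub'; an empty list is a match."""
    expected = {**COMMON, **(HUB_ONLY if role == "hub" else {})}
    tunnels, findings = parse_phase1(text), []
    for name in overlays:
        cfg = tunnels.get(name)
        if cfg is None:
            findings.append(f"{name}: missing")
            continue
        for key, want in expected.items():
            if cfg.get(key) != want:
                findings.append(f"{name}: {key}={cfg.get(key)} (expected {want})")
        if role == "branch" and "remote-gw" not in cfg:
            findings.append(f"{name}: remote-gw not set")
    return findings

# Constructed sample (not from a real device): OL_INET_0 deviates from the page.
SAMPLE_BRANCH = """config vpn ipsec phase1-interface
    edit "OL_MPLS_0"
        set ike-version 2
        set remote-gw 172.20.9.5
        set net-device disable
    next
    edit "OL_INET_0"
        set ike-version 2
        set net-device enable
    next
end"""

if __name__ == "__main__":
    print("\n".join(check(SAMPLE_BRANCH, "branch")))
```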