Adding gateways to VPN communities

After you create the VPN communities named OL_INET and OL_MPLS, the next step is to add managed gateways to the communities.

Add the following gateways to each VPN community:

  • branch1_fgt
  • branch2_fgt
  • dc1_fgt
  • dc2_fgt

Add the hub devices one by one to each community. Each hub device has different IP ranges defined for the IKE Config Mode (see the table below).

Use the following parameters for each hub device:

Parameter               Value
Protected Subnet        All
Role                    Hub
Default VPN Interface   Underlay port: port1 for OL_INET and port4 for OL_MPLS
Routing                 Manual
Peer Type               Accept any peer type
IKE Config Mode         ON (hubs will assign tunnel IP addresses to spokes)
IPv4 Start/End/Mask     10.200.<overlay-id>.1-9/24
Add Route               OFF (no static route injection; routing will be handled by BGP)
net-device              OFF
tunnel-search           nexthop

Use the following parameters for each spoke device:

Parameter               Value
Protected Subnet        All
Role                    Spoke
Default VPN Interface   Underlay port: port1 for OL_INET and port4 for OL_MPLS
Routing                 Manual
IKE Config Mode         ON (hubs will assign tunnel IP addresses to spokes)
Add Route               OFF (no static route injection; routing will be handled by BGP)
net-device              OFF

To add a branch (spoke) gateway to the OL_INET VPN community from the GUI:
  1. Go to VPN Manager > IPsec VPN.
  2. In the tree menu, double-click OL_INET to open it for editing.
  3. In the toolbar, click Create New > Managed Gateway.

    The VPN Gateway Setup Wizard - OL_INET is displayed.

  4. On the Protected Network tab, set the following options, and click Next:
    1. Click Protected Subnet, select all, and click OK.
  5. On the Device tab, set the following options, and click Next.
    1. Set the Role field to Spoke.
    2. From the Device list, select a branch FortiGate.
  6. On the Default VPN Interface tab, set the following options, and click Next.
    1. In the Default VPN Interface list, select an underlay port.
  7. On the Local Gateway tab, click Next to accept the defaults.
  8. On the Advanced tab, set the following options, and click OK:
    1. Beside Routing, select Manual (via Device Manager).
    2. Beside Enable IKE Configuration Method ("mode config"), toggle ON.
    3. Beside Add Route, toggle OFF.
    4. Under Advanced Options, set net-device to OFF.

    The branch is added to the OL_INET VPN community.

Similarly, add the other branch to the OL_INET VPN community.

To add a hub to the OL_INET VPN community from the GUI:
  1. Go to VPN Manager > IPsec VPN.
  2. In the tree menu, click OL_INET.
  3. In the toolbar, click Create New > Managed Gateway.

    The VPN Gateway Setup Wizard - OL_INET is displayed.

  4. On the Protected Network tab, set the following options, and click Next:
    1. Click Protected Subnet, select all, and click OK.
  5. On the Device tab, set the following options, and click Next.
    1. Set the Role field to Hub.
    2. From the Device list, select a hub FortiGate.
  6. On the Default VPN Interface tab, set the following options, and click Next.
    1. In the Default VPN Interface list, select an underlay port.
  7. On the Local Gateway tab, click Next to accept the defaults.
  8. On the Advanced tab, set the following options, and click OK:
    1. Beside Routing, select Manual (via Device Manager).
    2. Beside Peer Type, select Accept any peer ID.
    3. Beside Enable IKE Configuration Method ("mode config"), toggle ON.
    4. In the IPv4 Start IP box, type the start of the IP range.
    5. In the IPv4 End IP box, type the end of the IP range.
    6. Beside Add Route, toggle OFF.
    7. Under Advanced Options, set net-device to OFF.
    8. Set tunnel-search to nexthop.

    The hub is added to the OL_INET VPN community.

Similarly, add the other hub to the OL_INET VPN community.

Once you have added both branches and both hubs to the OL_INET VPN community, repeat the same steps for the OL_MPLS VPN community.
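The tables above describe the settings in VPN Manager terms; on the managed FortiGates they end up as phase1-interface settings, and the one value that differs per hub and per community is the IKE Config Mode address pool. The following added example (not Fortinet's code and not generated by VPN Manager) renders the FortiOS 6.x CLI settings that correspond to the hub and spoke parameters, and checks that the per-hub pools are valid and do not overlap, since two hubs handing out the same tunnel addresses would give spokes colliding overlay IPs. The overlay-id numbering, the hub underlay address passed to the spoke renderer, and the exact CLI keyword mapping are assumptions made for the example; the page only gives the 10.200.<overlay-id>.1-9/24 pattern.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Pool = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, ipaddress.IPv4Address]


@dataclass(frozen=True)
class HubOverlay:
    """One hub's membership in one VPN community (overlay)."""
    device: str         # e.g. dc1_fgt
    community: str      # OL_INET or OL_MPLS
    underlay_port: str  # port1 for OL_INET, port4 for OL_MPLS
    overlay_id: int     # ASSUMED numbering; fills <overlay-id> in 10.200.<overlay-id>.1-9/24

    def pool(self) -> Pool:
        """IKE Config Mode range this hub hands to spokes, following the page's .1-.9/24 pattern."""
        return (ipaddress.IPv4Address(f"10.200.{self.overlay_id}.1"),
                ipaddress.IPv4Address(f"10.200.{self.overlay_id}.9"),
                ipaddress.IPv4Address("255.255.255.0"))


def pool_is_valid(hub: HubOverlay) -> bool:
    """Start must not exceed end, and the end must lie inside the /24 implied by the mask."""
    start, end, mask = hub.pool()
    subnet = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
    return start <= end and end in subnet


def overlapping_pools(hubs: List[HubOverlay]) -> List[Tuple[HubOverlay, HubOverlay]]:
    """Return every pair of hub/community entries whose mode-cfg ranges intersect."""
    clashes = []
    for i, a in enumerate(hubs):
        a_start, a_end, _ = a.pool()
        for b in hubs[i + 1:]:
            b_start, b_end, _ = b.pool()
            if a_start <= b_end and b_start <= a_end:
                clashes.append((a, b))
    return clashes


def hub_phase1_cli(hub: HubOverlay) -> List[str]:
    """FortiOS 6.x phase1-interface lines matching the hub parameter table (assumed mapping)."""
    start, end, mask = hub.pool()
    return [
        f'edit "{hub.community}"',
        "set type dynamic",                    # Role: Hub, accepts dial-up spokes
        f'set interface "{hub.underlay_port}"',  # Default VPN Interface: underlay port
        "set peertype any",                    # Peer Type: accept any peer
        "set net-device disable",              # net-device: OFF
        "set mode-cfg enable",                 # IKE Config Mode: ON
        f"set ipv4-start-ip {start}",          # IPv4 Start/End/Mask from the pool
        f"set ipv4-end-ip {end}",
        f"set ipv4-netmask {mask}",
        "set add-route disable",               # Add Route: OFF, BGP carries the routes
        "set tunnel-search nexthop",           # tunnel-search: nexthop
        "next",
    ]


def spoke_phase1_cli(community: str, underlay_port: str, hub_address: str) -> List[str]:
    """FortiOS 6.x phase1-interface lines matching the spoke parameter table (assumed mapping).
    hub_address is a placeholder: the page does not give the hubs' underlay addresses."""
    return [
        f'edit "{community}"',
        f'set interface "{underlay_port}"',    # Default VPN Interface: underlay port
        f"set remote-gw {hub_address}",        # spoke dials the hub
        "set net-device disable",              # net-device: OFF
        "set mode-cfg enable",                 # IKE Config Mode: ON, address comes from the hub
        "set add-route disable",               # Add Route: OFF, BGP carries the routes
        "next",
    ]


# Constructed topology: two hubs, two overlays, distinct assumed overlay ids.
HUBS = [
    HubOverlay("dc1_fgt", "OL_INET", "port1", 1),
    HubOverlay("dc1_fgt", "OL_MPLS", "port4", 2),
    HubOverlay("dc2_fgt", "OL_INET", "port1", 3),
    HubOverlay("dc2_fgt", "OL_MPLS", "port4", 4),
]

if __name__ == "__main__":
    for hub in HUBS:
        print(f"# {hub.device} / {hub.community} valid={pool_is_valid(hub)}")
        print("\n".join(hub_phase1_cli(hub)))
    print("\n".join(spoke_phase1_cli("OL_INET", "port1", "192.0.2.1")))  # 192.0.2.1 is a placeholder
    print("overlaps:", overlapping_pools(HUBS))
```

Run the check before pushing the communities: an empty overlap list is what you want, and any pair it reports means two hubs (or two overlays on one hub) were given the same <overlay-id> in the IPv4 Start/End boxes.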

Once you have configured the VPN Manager, your configuration should appear as follows:
