Creating external gateways
External gateways are not managed by the FortiManager device.
To create an external gateway:
- Go to VPN Manager > IPsec VPN > VPN Communities.
- Select a community from the communities dropdown in the toolbar, or double-click on a community in the list.
- On the community information content pane, in the toolbar, select Create New > External Gateway. The New VPN External Gateway pane opens.
- Configure the following settings, then click OK to create the external gateway:
Select either Hub or Spoke from the dropdown list.
This option is only available for star and dial up VPN topologies.
Enter the gateway name.
Select the gateway IP address from the dropdown list.
Select the hub IP address from the dropdown list.
This option is only available for star and dial up topologies with the role set to Hub.
Create Phase2 per Protected Subnet Pair: Toggle the switch to On to create a phase2 per protected subnet pair.
Select the routing method: Manual (via Device Manager) or Automatic.
This option is only available for full meshed and star topologies.
Select one of the following:
- Accept any peer ID
- Accept this peer ID: Enter the peer ID in the text field
- Accept a dialup group: Select a group from the dropdown list
A Local ID is an alphanumeric value assigned in the Phase 1 configuration. The local ID of a peer is called a Peer ID. The Local ID or peer ID can be used to uniquely identify one end of a VPN tunnel, enabling a more secure connection. If you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect.
When you configure the ID on your end, it is your local ID. When the remote end connects to you, they see it as your peer ID. If you are debugging a VPN connection, the local ID is part of the VPN negotiations. You can use it to help troubleshoot connection problems.
The default configuration is to accept all local IDs (peer IDs). If your local ID is set, the remote end of the tunnel must be configured to accept your ID.
This option is only available for dial up topologies.
Select a protected subnet from the list. You can add multiple subnets.
Enter the local gateway IP address.