Administration Guide

Creating managed gateways

The settings available when creating a managed gateway depend on the VPN topology type, and how the gateway is configured.

Managed gateways are devices managed by FortiManager in the current ADOM. Devices in a different ADOM can be treated as external gateways; their VPN configuration must be handled manually by the administrator of that ADOM. See Creating external gateways.

To create a managed gateway:
  1. Go to VPN Manager > IPsec VPN.
  2. Select a community from the communities dropdown in the toolbar, or double-click on a community in the list.
  3. On the community information content pane, in the toolbar, select Create New > Managed Gateway.

    The VPN Gateway Setup Wizard opens.

  4. Proceed through the five pages of the wizard, filling in the following values as required, then click OK to create the managed gateway.

    Protected Subnet

    Select a protected subnet from the drop-down list.

    Role

    Select the role of this gateway: Hub or Spoke.

    This option is only available for star and dial up VPN topologies.

    Device

    Select a Device or Device Group from the drop-down list.

    Default VPN Interface

    Select the interface to use for this gateway from the drop-down list.

    Hub-to-Hub Interface

    Select the interface to use for hub to hub communication. This is required if there are multiple hubs.

    This option is only available for star and dial up topologies with the role set to Hub.

    Local Gateway

    Enter the local gateway IP address.

    Local ID

    Enter a local ID.

    Routing

    Select the routing method: Manual (via Device Manager), or Automatic.

    Summary Network(s)

    Select the network from the dropdown list and select the priority. Click the add icon to add more entries.

    This option is only available for star and dial up topologies with the role set to Hub.

    Peer Type

    Select one of the following:

    • Accept any peer ID
    • Accept this peer ID: Enter the peer ID in the text field
    • Accept a dialup group: Select a group from the drop-down list
    • Accept peer: Select a peer from the dropdown list
    • Accept peer group: Select a peer group from the drop-down list

    A Local ID is an alphanumeric value assigned in the Phase 1 configuration. The local ID of a peer is called a Peer ID. The Local ID or Peer ID identifies one end of a VPN tunnel during IKE negotiation; when several tunnels terminate on the same gateway, it ensures that the correct remote and local ends are paired. The ID itself is not a secret: authentication still relies on the pre-shared key or certificate, so restricting the accepted Peer ID narrows which peers are matched to this gateway but does not replace strong credentials.

    When you configure the ID on your end, it is your local ID. When the remote end connects to you, it sees it as your peer ID. The local ID is exchanged during the VPN negotiation, so when you are debugging a connection you can use it to confirm which peer is talking to which gateway and to troubleshoot mismatches.

    The default, Accept any peer ID, lets any peer that holds the pre-shared key connect regardless of the ID it presents. If your local ID is set, the remote end of the tunnel must be configured to accept that ID, and vice versa.

    This option is only available for dial up topologies.

    XAUTH Type

    Select the XAUTH type: Disable, PAP Server, CHAP Server, or AUTO Server.

    This option is only available for dial up topologies.

    User Group

    Select the authentication user group from the dropdown list.

    This field is available when XAUTH Type is set to PAP Server, CHAP Server, or AUTO Server.

    When the FortiGate unit is configured as an XAuth server, select the user group used to authenticate remote VPN peers. The user group can contain local users, LDAP servers, and RADIUS servers. The user group must already exist in the FortiGate configuration before it can be cross-referenced here.

    Enable IKE Configuration Method ("mode config")

    Select to enable or disable IKE configuration method.

    This option is only available for dial up topologies.

    Enable IP Assignment

    Select to enable or disable IP assignment.

    This option is only available for dial up topologies. When the role is set to Hub, this option is only available when Enable IKE Configuration Method is on.

    IP Assignment Mode

    Select the IP assignment mode: Range or User Group.

    This option is only available for dial up topologies with the role set to Hub and Enable IP Assignment turned on.

    IP Assignment Type

    Select the IP assignment type: IP or Subnet.

    This option is only available for dial up topologies with the role set to Hub and Enable IP Assignment turned on.

    IPv4 Start IP

    Enter the IPv4 start IP address.

    This option is only available for dial up topologies with the role set to Hub and Enable IP Assignment turned on.

    IPv4 End IP

    Enter the IPv4 end IP address.

    This option is only available for dial up topologies with the role set to Hub and Enable IP Assignment turned on.

    IPv4 Netmask

    Enter the IPv4 netmask.

    This option is only available for dial up topologies with the role set to Hub and Enable IP Assignment turned on.

    Add Route

    Select to enable or disable adding a route for this gateway.

    This option is only available for dial up topologies.

    DNS Server #1 to #3

    Enter the DNS server IP addresses to push to IKE Configuration Method clients.

    This option is only available for dial up topologies with the role set to Hub and either Enable IKE Configuration Method turned on, or DNS Service is set to Specify.

    WINS Server #1 and #2

    Enter the WINS server IP addresses to push to IKE Configuration Method clients.

    This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned on.

    IPv4 Split include

    Select the address or address group from the dropdown list.

    This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned on.

    Exclusive IP Range

    Enter the start and end IP addresses of the exclusive IP address range. Click the add icon to add more entries.

    This option is only available for dial up topologies with the role set to Hub and either Enable IKE Configuration Method and Enable IP Assignment turned on, or Enable IKE Configuration Method turned off.

    DHCP Server

    Select to enable or disable DHCP server.

    This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned off.

    Default Gateway

    Enter the default gateway IP address.

    This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned off.

    DNS Service

    Select Use System DNS setting to use the system's DNS settings, or Specify to specify DNS servers #1 to #3.

    This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned off.

    Netmask

    Enter the netmask.

    This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned off.

    IPsec Lease Hold

    Enter the IPsec lease hold time.

    This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned off.

    Auto-Configuration

    Select to enable or disable automatic configuration.

    This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned off.

    DHCP Server IP Range

    Enter the start and end IP addresses of the DHCP server range. Click the add icon to add more entries.

    This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned off.

    Advanced Options

    authpasswd

    Enter the XAuth client password that the FortiGate presents when it acts as the XAuth client (for example, a spoke authenticating to a hub). The password is stored in the device configuration, so use an account dedicated to this tunnel.

    authusr

    Enter the XAuth client user name that the FortiGate presents when it acts as the XAuth client.

    banner

    Enter the banner value.

    Specify the message to send to IKE Configuration Method clients. Some clients display this message to users.

    dns-mode

    Select the DNS mode from the dropdown list:

    • auto: Assign DNS servers in the following order:
      1. Servers assigned to interfaces by DHCP
      2. Per-VDOM assigned DNS servers
      3. Global DNS servers
    • manual: Use the DNS servers specified in DNS Server #1 to #3.

    domain

    Enter the default DNS domain to push to IKE Configuration Method clients.

    public-ip

    Enter the public IP address.

    Use this field to configure a VPN on a dynamically addressed interface, such as a PPPoE interface. The value is the public address assigned to that interface, which must be stable (the same address is assigned on every reconnection) for the peer to reach this gateway.

    route-overlap

    Select the route overlap method from the dropdown list: allow, use-new, or use-old.

    spoke-zone

    Select a spoke zone from the dropdown list.

    unity-support

    Enable or disable support for Cisco Unity configuration method extensions, used by some third-party dial-up clients.

    vpn-interface-priority

    Set the VPN gateway interface priority. The default value is 1.

    vpn-zone

    Select a VPN zone from the dropdown list.
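The FortiOS CLI below is an added illustration, not output generated by FortiManager or text from the product documentation: it shows, as I read the wizard fields above, the Phase 1 configuration that a dial-up hub and one of its spokes end up with on the managed FortiGates, with the wizard field that drives each line noted in a comment. It covers both the Peer Type / Local ID discussion and the XAuth and IKE Configuration Method fields. Interface names, group names, the peer ID "branch-01", the address ranges and the hub address 203.0.113.10 are placeholders I chose; the pre-shared keys and the XAuth password are redacted.

```fortios
# ---- Hub (dial-up server) ----
config vpn ipsec phase1-interface
    edit "hub-dialup"
        set type dynamic                  # dial-up topology: spokes have unknown addresses
        set interface "port1"             # Default VPN Interface
        set ike-version 1                 # XAuth is IKEv1-only; drop XAuth if you want IKEv2
        # Weak default (what "Accept any peer ID" produces): any holder of the PSK connects.
        #   set peertype any
        # Restricted: "Accept a dialup group" - the presented peer ID must match a user
        # in this group, so a leaked PSK alone is not enough to match this gateway.
        set peertype dialup               # Peer Type
        set usrgrp "vpn-spokes"           # dialup group (placeholder name)
        set xauthtype auto                # XAUTH Type: AUTO Server (PAP or CHAP as offered)
        set authusrgrp "vpn-users"        # User Group: local, LDAP or RADIUS members
        set mode-cfg enable               # Enable IKE Configuration Method
        set assign-ip enable              # Enable IP Assignment
        set assign-ip-from range          # IP Assignment Mode: Range
        set ipv4-start-ip 10.200.0.10     # IPv4 Start IP
        set ipv4-end-ip 10.200.0.254      # IPv4 End IP
        set ipv4-netmask 255.255.255.0    # IPv4 Netmask
        config ipv4-exclude-range         # Exclusive IP Range: never handed to clients
            edit 1
                set start-ip 10.200.0.100
                set end-ip 10.200.0.110
            next
        end
        set ipv4-split-include "corp-nets"    # IPv4 Split include (address group, placeholder)
        set dns-mode manual               # dns-mode: use the servers below, not system DNS
        set ipv4-dns-server1 10.0.0.53    # DNS Server #1
        set ipv4-wins-server1 10.0.0.54   # WINS Server #1
        set domain "corp.example"         # domain
        set banner "Authorized use only"  # banner (shown by some clients)
        set unity-support enable          # unity-support (Cisco Unity mode-config extensions)
        set add-route enable              # Add Route: install a route per connected peer
        set psksecret <redacted>
    next
end

# ---- Spoke (dial-up client, FortiGate acting as XAuth client) ----
config vpn ipsec phase1-interface
    edit "to-hub"
        set interface "wan1"              # Default VPN Interface on the spoke
        set ike-version 1
        set remote-gw 203.0.113.10        # hub Local Gateway (documentation address)
        set localid "branch-01"           # Local ID: must match a user name in "vpn-spokes"
        set xauthtype client              # FortiGate is the XAuth client
        set authusr "branch-01-xauth"     # authusr (Advanced Options)
        set authpasswd <redacted>         # authpasswd (Advanced Options)
        set mode-cfg enable               # receive address, DNS, WINS and split-include from hub
        set psksecret <redacted>
    next
end

# ---- Verifying the ID pairing on the hub (existing FortiOS diagnose commands) ----
# diagnose vpn ike gateway list          lists each IKE SA with the local and peer IDs seen
# diagnose vpn tunnel list               shows Phase 2 SAs and the address assigned to each peer
# diagnose debug application ike -1      IKE negotiation trace; ID mismatches and XAuth
# diagnose debug enable                  failures show up here before any Phase 2 is built
```

A matching phase2-interface and the firewall policies are still required on both devices; VPN Manager generates those from the community and protected-subnet settings when the configuration is installed. If Routing is set to Manual, the hub's summary networks and the spoke's route to them must also be added in Device Manager.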