Administration Guide

IPsec tunnel template example

The following example demonstrates the IPsec template features with the following assumptions:

  • All three FortiGates are added in FortiManager without prior configuration.

    • The branch FortiGates are added to a Branches device group. See Adding custom device groups.

    • The hub HQ device is added to a HUB device group.

  • Each FortiGate uses port2 as the WAN and port4 as the LAN.

    • These names are added as aliases.

  • The WAN interface is configured as the default gateway (0.0.0.0/0) with a static route (you may use DHCP to receive the default route).

  • Only the necessary policies for the VPN connections are specified.

    • Branch FortiGates use the Branches policy package.

    • HQ FortiGate uses the HUB policy package.

  • Static routes are used to direct traffic over the VPN tunnels.

  • Auto Discovery VPN (ADVPN) is not configured.

    • ADVPN may be enabled in the HUB_IPsec_Recommended or BRANCH_IPsec_Recommended recommended templates during activation, or it may be enabled in advanced settings after activation in any IPsec template.

    • See ADVPN in the FortiGate Administration Guide for more details.

  • Policies only allow traffic from the branches to the hub.

    • You may wish to create policies in each Branch and HUB policy package to allow traffic from the hub to the branches.

  • A metadata variable branch_id is used in the configuration. See ADOM-level metadata variables.

    • The branch_id allows you to dynamically configure each branch’s LAN subnet as follows:

      • 192.168.branch_id.0 = 192.168.1.0, 192.168.2.0, and so on.

  • Set the branch_id value for each branch:

    • Branch-A: 1.

    • Branch-B: 2.

  • The topology below outlines the connected networks for each FortiGate.

    Once configured, the overlay will look like the following topology.
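As an added example (not code from the FortiManager guide), the Python below renders a constructed FortiOS-style CLI snippet that uses the $(branch_id) metadata variable for each branch and checks that the resulting 192.168.branch_id.0/24 LAN subnets are valid and do not collide. BRANCH_TEMPLATE, render and plan are assumptions of this example, not FortiManager's own template engine.

```python
import ipaddress
import re

# Constructed FortiOS-style snippet using FortiManager's $(variable) syntax.
# It is an illustration for this example, not a template shipped with FortiManager.
BRANCH_TEMPLATE = """\
config system interface
    edit "port4"
        set alias "LAN"
        set ip 192.168.$(branch_id).1 255.255.255.0
    next
end
config firewall address
    edit "LAN_$(branch_id)"
        set subnet 192.168.$(branch_id).0 255.255.255.0
    next
end
"""

# branch_id per device, as set in this example (Branch-A: 1, Branch-B: 2).
BRANCH_IDS = {"Branch-A": 1, "Branch-B": 2}

VAR_RE = re.compile(r"\$\((\w+)\)")


def render(template: str, variables: dict) -> str:
    """Substitute $(name) placeholders; fail loudly if a device lacks a value."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"metadata variable {name!r} has no value on this device")
        return str(variables[name])
    return VAR_RE.sub(sub, template)


def branch_lan(branch_id: int) -> ipaddress.IPv4Network:
    """Map branch_id to 192.168.<branch_id>.0/24; reject ids that give no usable octet."""
    if not 1 <= branch_id <= 254:
        raise ValueError(f"branch_id {branch_id} is outside 1-254")
    return ipaddress.ip_network(f"192.168.{branch_id}.0/24")


def plan(branch_ids: dict) -> dict:
    """Render every branch and verify no two branches end up on the same LAN subnet."""
    out, seen = {}, {}
    for device, bid in branch_ids.items():
        net = branch_lan(bid)
        if net in seen:
            raise ValueError(f"{device} and {seen[net]} both use {net}")
        seen[net] = device
        out[device] = {"lan": net, "config": render(BRANCH_TEMPLATE, {"branch_id": bid})}
    return out
```

Duplicate or out-of-range branch_id values are the usual cause of two branches advertising the same subnet to the hub, so the check runs before any configuration is rendered.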
