Creating managed gateways
The settings available when creating a managed gateway depend on the VPN topology type, and how the gateway is configured.
Managed gateways are managed by FortiManager in the current ADOM. Devices in a different ADOM can be treated as external gateways. VPN configuration must be handled manually by the administrator in that ADOM. See Creating external gateways.
To create a managed gateway:
- Go to VPN Manager > IPsec VPN.
- Select a community from the communities dropdown in the toolbar, or double-click on a community in the list.
- On the community information content pane, in the toolbar, select Create New > Managed Gateway.
The VPN Gateway Setup Wizard opens.
- Proceed through the five pages of the wizard, filling in the following values as required, then click OK to create the managed gateway.
Protected Subnet
Select a protected subnet from the drop-down list.
Role
Select the role of this gateway: Hub or Spoke.
This option is only available for star and dial up VPN topologies.
Device
Select a Device or Device Group from the drop-down list.
Default VPN Interface
Select the interface to use for this gateway from the drop-down list.
Hub-to-Hub Interface
Select the interface to use for hub to hub communication. This is required if there are multiple hubs.
This option is only available for star and dial up topologies with the role set to Hub.
Local Gateway
Enter the local gateway IP address.
Local ID
Enter a local ID.
Routing
Select the routing method: Manual (via Device Manager), or Automatic.
Summary Network(s)
Select the network from the dropdown list and select the priority. Click the add icon to add more entries.
This option is only available for star and dial up topologies with the role set to Hub.
Peer Type
Select one of the following:
- Accept any peer ID
- Accept this peer ID: Enter the peer ID in the text field
- Accept a dialup group: Select a group from the drop-down list
- Accept peer: Select a peer from the dropdown list
- Accept peer group: Select a peer group from the drop-down list
A Local ID is an alphanumeric value assigned in the Phase 1 configuration. The local ID of a peer is called a Peer ID. The Local ID or peer ID can be used to uniquely identify one end of a VPN tunnel, enabling a more secure connection. If you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect.
When you configure the ID on your end, it is your local ID. When the remote end connects to you, they see it as your peer ID. If you are debugging a VPN connection, the local ID is part of the VPN negotiations. You can use it to help troubleshoot connection problems.
The default configuration is to accept all local IDs (peer IDs). If your local ID is set, the remote end of the tunnel must be configured to accept your ID.
This option is only available for dial up topologies.
XAUTH Type
Select the XAUTH type: Disable, PAP Server, CHAP Server, or AUTO Server.
This option is only available for dial up topologies.
User Group
Select the authentication user group from the dropdown list.
This field is available when XAUTH Type is set to PAP Server, CHAP Server, or AUTO Server.
When the FortiGate unit is configured as an XAuth server, enter the user group used to authenticate remote VPN peers. The user group can contain local users, LDAP servers, and RADIUS servers. The user group must already exist in the FortiGate configuration before its name can be cross-referenced here.
Enable IKE Configuration Method ("mode config")
Select to enable or disable IKE configuration method.
This option is only available for dial up topologies.
Enable IP Assignment
Select to enable or disable IP assignment.
This option is only available for dial up topologies. When the role is set to Hub, this option is only available when Enable IKE Configuration Method is on.
IP Assignment Mode
Select the IP assignment mode: Range or User Group.
This option is only available for dial up topologies with the role set to Hub and Enable IP Assignment turned on.
IP Assignment Type
Select the IP assignment type: IP or Subnet.
This option is only available for dial up topologies with the role set to Hub and Enable IP Assignment turned on.
IPv4 Start IP
Enter the IPv4 start IP address.
This option is only available for dial up topologies with the role set to Hub and Enable IP Assignment turned on.
IPv4 End IP
Enter the IPv4 end IP address.
This option is only available for dial up topologies with the role set to Hub and Enable IP Assignment turned on.
IPv4 Netmask
Enter the IPv4 netmask.
This option is only available for dial up topologies with the role set to Hub and Enable IP Assignment turned on.
Add Route
Select to enable or disable adding a route for this gateway.
This option is only available for dial up topologies.
DNS Server #1 to #3
Enter the DNS server IP addresses to provide to IKE Configuration Method clients.
This option is only available for dial up topologies with the role set to Hub and either Enable IKE Configuration Method turned on, or DNS Service is set to Specify.
WINS Server #1 and #2
Enter the WINS server IP addresses to provide to IKE Configuration Method clients.
This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned on.
IPv4 Split include
Select the address or address group from the dropdown list.
This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned on.
Exclusive IP Range
Enter the start and end IP addresses of the exclusive IP address range. Click the add icon to add more entries.
This option is only available for dial up topologies with the role set to Hub and either Enable IKE Configuration Method and Enable IP Assignment turned on, or Enable IKE Configuration Method turned off.
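The IP assignment fields above (IPv4 Start IP, IPv4 End IP, IPv4 Netmask and the Exclusive IP Range rows) are committed as typed, so it is worth checking them against each other and against the Protected Subnet before running the wizard. The following Python is an added example, not FortiManager or FortiGate code; the field names mirror the wizard, but the checks are this example's own rather than the product's validation rules, and the sample addresses are constructed.

```python
"""Pre-commit consistency checks for the dial-up hub IP assignment fields.

Added example; not FortiManager or FortiGate code.  Field names mirror the
wizard (IPv4 Start IP, IPv4 End IP, IPv4 Netmask, Exclusive IP Range,
Protected Subnet); the checks are this example's own, not the product's.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class IpAssignment:
    """Values an administrator would type into the wizard (constructed)."""
    start_ip: str        # IPv4 Start IP
    end_ip: str          # IPv4 End IP
    netmask: str         # IPv4 Netmask
    exclusive_ranges: List[Tuple[str, str]] = field(default_factory=list)  # Exclusive IP Range rows
    protected_subnets: List[str] = field(default_factory=list)             # Protected Subnet(s) behind the hub


def check_assignment(cfg: IpAssignment) -> List[str]:
    """Return a list of problems; an empty list means the pool is consistent."""
    problems: List[str] = []
    start = ipaddress.IPv4Address(cfg.start_ip)
    end = ipaddress.IPv4Address(cfg.end_ip)
    if start > end:
        problems.append("IPv4 Start IP is after IPv4 End IP")

    # The netmask defines the subnet the clients believe they are in: both pool
    # ends must fall inside it and must not be the network/broadcast address.
    net = ipaddress.IPv4Network((cfg.start_ip, cfg.netmask), strict=False)
    if end not in net:
        problems.append(f"IPv4 End IP {end} is not in {net} (derived from Start IP and IPv4 Netmask)")
    if start == net.network_address or end == net.broadcast_address:
        problems.append(f"pool touches the network or broadcast address of {net}")

    # An exclusive range only makes sense inside the pool it carves out of.
    for lo_s, hi_s in cfg.exclusive_ranges:
        lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
        if lo > hi:
            problems.append(f"Exclusive IP Range {lo}-{hi} has start after end")
        elif lo < start or hi > end:
            problems.append(f"Exclusive IP Range {lo}-{hi} lies outside the pool {start}-{end}")

    # Addresses handed to dial-up clients must not collide with the networks the
    # hub protects, otherwise the hub's routes for those networks become ambiguous.
    for subnet in cfg.protected_subnets:
        psn = ipaddress.IPv4Network(subnet, strict=False)
        if psn.overlaps(net):
            problems.append(f"Protected Subnet {psn} overlaps the client pool subnet {net}")
    return problems


def assignable_addresses(cfg: IpAssignment) -> int:
    """Count addresses the hub can actually hand out: pool minus exclusions.

    Exclusive ranges are clipped to the pool and merged, so overlapping rows
    are not subtracted twice.
    """
    start = int(ipaddress.IPv4Address(cfg.start_ip))
    end = int(ipaddress.IPv4Address(cfg.end_ip))
    if start > end:
        return 0
    clipped = []
    for lo_s, hi_s in cfg.exclusive_ranges:
        lo = max(int(ipaddress.IPv4Address(lo_s)), start)
        hi = min(int(ipaddress.IPv4Address(hi_s)), end)
        if lo <= hi:
            clipped.append((lo, hi))
    excluded = 0
    cur_lo = cur_hi = None
    for lo, hi in sorted(clipped):
        if cur_hi is None or lo > cur_hi + 1:      # disjoint: flush the merged run
            if cur_hi is not None:
                excluded += cur_hi - cur_lo + 1
            cur_lo, cur_hi = lo, hi
        else:                                      # overlapping/adjacent: extend it
            cur_hi = max(cur_hi, hi)
    if cur_hi is not None:
        excluded += cur_hi - cur_lo + 1
    return (end - start + 1) - excluded


# Constructed sample values, as an administrator might enter them.
GOOD = IpAssignment("10.10.10.10", "10.10.10.200", "255.255.255.0",
                    exclusive_ranges=[("10.10.10.50", "10.10.10.59")],
                    protected_subnets=["192.168.1.0/24"])
BAD = IpAssignment("10.10.10.10", "10.10.11.5", "255.255.255.0",
                   exclusive_ranges=[("10.10.10.2", "10.10.10.9")],
                   protected_subnets=["10.10.10.0/24"])

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, check_assignment(cfg) or "ok", assignable_addresses(cfg))
```

For GOOD the checks pass and 181 addresses remain assignable; BAD reports three problems: an end address outside the /24 implied by the netmask, an exclusive range that starts below the pool, and a pool that sits inside the hub's own protected subnet. The same start/end checks apply to each row of the DHCP Server IP Range when Enable IKE Configuration Method is turned off.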
DHCP Server
Select to enable or disable DHCP server.
This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned off.
Default Gateway
Enter the default gateway IP address.
This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned off.
DNS Service
Select Use System DNS setting to use the system's DNS settings, or Specify to specify DNS servers #1 to #3.
This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned off.
Netmask
Enter the netmask.
This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned off.
IPsec Lease Hold
Enter the IPsec lease hold time.
This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned off.
Auto-Configuration
Select to enable or disable automatic configuration.
This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned off.
DHCP Server IP Range
Enter the start and end IP addresses of the DHCP server range. Click the add icon to add more entries.
This option is only available for dial up topologies with the role set to Hub and Enable IKE Configuration Method turned off.
Advanced Options
authpasswd
Enter the XAuth client password for the FortiGate.
authusr
Enter the XAuth client user name for the FortiGate.
banner
Enter the banner value.
Specify the message to send to IKE Configuration Method clients. Some clients display this message to users.
dns-mode
Select the DNS mode from the dropdown list:
- auto: Assign DNS servers in the following order:
  - Servers assigned to interfaces by DHCP
  - Per-VDOM assigned DNS servers
  - Global DNS servers
- manual: Use the DNS servers specified in DNS Server #1 to #3.
domain
Enter the domain value.
public-ip
Enter the public IP address.
Use this field to configure a VPN on a dynamic interface. The value is the PPPoE-assigned address that in practice remains static and does not change over time.
route-overlap
Select the route overlap method from the dropdown list: allow, use-new, or use-old.
spoke-zone
Select a spoke zone from the dropdown list.
unity-support
Enable or disable unity support.
vpn-interface-priority
Set the VPN gateway interface priority. The default value is 1.
vpn-zone
Select a VPN zone from the dropdown list.