Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Examples

    7.4.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    Configuring a full mesh VPN topology within a VPN console

    Configuring a full mesh VPN topology within a VPN console

    This is an example on how to configure a simple full mesh VPN with:

    • Three FortiGate (FGT) devices
    • A pre-shared key for authentication
    • An auto-up tunnel setting
    • Static routes
    To configure a full mesh VPN topology within a VPN console:
    1. Add FortiGate devices and map all interfaces:
      1. Go to Device Manager. Add three FortiGate devices by clicking Add Device. Follow the wizard to add each device.
      2. Go to Policy & Objects > Policy Packages and define the Zone interfaces.
      3. Go to Device Manager and select a device.
      4. Go to System > Interface and map the interfaces to the Zone interfaces.

    2. Create firewall addresses for protected subnets:
      1. Go to Policy & Objects > Firewall Objects > Address to manage the firewall addresses.
      2. VPNs only support firewall addresses with the type set to subnet (IP/Netmask). The firewall addresses will be used as protected subnets to generate static routes among the FortiGate devices.
    3. Create a VPN community:
      1. Go to VPN Manager > IPsec VPN Communities > Create New.
      2. Set the VPN Topology type to Site to Site.
      3. Define the Authentication method with a Pre-shared Key.
      4. Specify the encryption and hash methods.

      5. After defining the authentication methods and encryption properties, click Next.
      6. Configure the VPN Phase 1 and Phase 2 settings.

      7. For the IPSec Phase 2 setting, set the tunnel to Auto-Negotiate.

        VPN configuration summary:

    4. Add a VPN gateway:
      1. Go to VPN Manager > IPsec VPN Communities and select your VPN community.
      2. Right-click the community and select Add Managed Gateway.
      3. Add a Protected Network. There can be more than one protected networks.

      4. Select a Device.

      5. Select a Default VPN Interface. The default VPN interface should have a valid IP and be mapped.

        1. Optionally, specify the Local Gateway. This option can be left blank in most cases.

      6. Go to Routing and select Automatic to generate static routes.

        1. If Manual is selected, go to the Device Manager to set the IP on the relevant IPSec interfaces and define the routings manually.

        VPN gateway configuration settings summary:

    5. Create firewall policies:
      1. Go to Policy & Objects > Policy Package to create policies among the default VPN zones and protected-subnet interfaces.
      2. Use the Install On option to restrict policies applied on specific FortiGate devices.

      3. Remember to create policies for bi-directional traffic.
        Note

        For further FortiManager information, refer to the FortiManager Administration Guide available on the Fortinet Document Library.

    Previous
    Next

    Configuring a full mesh VPN topology within a VPN console

    Configuring a full mesh VPN topology within a VPN console

    This is an example on how to configure a simple full mesh VPN with:

    • Three FortiGate (FGT) devices
    • A pre-shared key for authentication
    • An auto-up tunnel setting
    • Static routes
    To configure a full mesh VPN topology within a VPN console:
    1. Add FortiGate devices and map all interfaces:
      1. Go to Device Manager. Add three FortiGate devices by clicking Add Device. Follow the wizard to add each device.
      2. Go to Policy & Objects > Policy Packages and define the Zone interfaces.
      3. Go to Device Manager and select a device.
      4. Go to System > Interface and map the interfaces to the Zone interfaces.

    2. Create firewall addresses for protected subnets:
      1. Go to Policy & Objects > Firewall Objects > Address to manage the firewall addresses.
      2. VPNs only support firewall addresses with the type set to subnet (IP/Netmask). The firewall addresses will be used as protected subnets to generate static routes among the FortiGate devices.
    3. Create a VPN community:
      1. Go to VPN Manager > IPsec VPN Communities > Create New.
      2. Set the VPN Topology type to Site to Site.
      3. Define the Authentication method with a Pre-shared Key.
      4. Specify the encryption and hash methods.

      5. After defining the authentication methods and encryption properties, click Next.
      6. Configure the VPN Phase 1 and Phase 2 settings.

      7. For the IPSec Phase 2 setting, set the tunnel to Auto-Negotiate.

        VPN configuration summary:

    4. Add a VPN gateway:
      1. Go to VPN Manager > IPsec VPN Communities and select your VPN community.
      2. Right-click the community and select Add Managed Gateway.
      3. Add a Protected Network. There can be more than one protected networks.

      4. Select a Device.

      5. Select a Default VPN Interface. The default VPN interface should have a valid IP and be mapped.

        1. Optionally, specify the Local Gateway. This option can be left blank in most cases.

      6. Go to Routing and select Automatic to generate static routes.

        1. If Manual is selected, go to the Device Manager to set the IP on the relevant IPSec interfaces and define the routings manually.

        VPN gateway configuration settings summary:

    5. Create firewall policies:
      1. Go to Policy & Objects > Policy Package to create policies among the default VPN zones and protected-subnet interfaces.
      2. Use the Install On option to restrict policies applied on specific FortiGate devices.

      3. Remember to create policies for bi-directional traffic.
        Note

        For further FortiManager information, refer to the FortiManager Administration Guide available on the Fortinet Document Library.

    Previous
    Next