IPsec tunnel template example
The following example demonstrates the IPsec template features with the following assumptions:
- All three FortiGates are added in FortiManager without prior configuration.
  - The branch FortiGates are added to a Branches device group. See Adding custom device groups.
  - The hub HQ device is added to a HUB device group.
- Each FortiGate uses port2 as the WAN and port4 as the LAN.
  - These names are added as aliases.
- The WAN interface is configured as the default gateway (0.0.0.0/0) with a static route (you may use DHCP to receive the default route).
- Only the necessary policies for the VPN connections are specified.
  - Branch FortiGates use the Branches policy package.
  - HQ FortiGate uses the HUB policy package.
- Static routes are used to direct traffic over the VPN tunnels.
- Auto Discovery VPN (ADVPN) is not configured.
  - ADVPN may be enabled in the HUB_IPsec_Recommended or BRANCH_IPsec_Recommended recommended templates during activation, or it may be enabled in advanced settings after activation in any IPsec template.
  - See ADVPN in the FortiGate Administration Guide for more details.
- Policies only allow traffic from the branches to the hub.
  - You may wish to create policies in each Branch and HUB policy package to allow traffic from the hub to the branches.
- A metadata variable branch_id is used in the configuration. See ADOM-level metadata variables.
  - The branch_id allows you to dynamically configure each branch's LAN subnet as follows:
    - 192.168.branch_id.0 = 192.168.1.0, 192.168.2.0, and so on.
  - Set the branch_id value for each branch:
    - Branch-A: 1.
    - Branch-B: 2.
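The following is an added example (not part of the FortiManager documentation or product) that expands the 192.168.branch_id.0 convention above for the two branches and checks what a practitioner would want checked before pushing the template: that each branch_id is a usable third octet and that no two branches resolve to the same LAN. The `$(branch_id)` placeholder syntax and the /24 prefix length are assumptions.

```python
import ipaddress

# LAN subnet convention from the page; the $(branch_id) placeholder form is assumed.
LAN_TEMPLATE = "192.168.$(branch_id).0/24"

# Constructed sample matching the two branches named on the page.
BRANCHES = {"Branch-A": 1, "Branch-B": 2}


def render_branch_lan(branch_id: int) -> str:
    """Expand the LAN template for one branch and return the normalised network."""
    if not 1 <= branch_id <= 254:
        raise ValueError(f"branch_id {branch_id} is not usable as a third octet")
    net = ipaddress.ip_network(LAN_TEMPLATE.replace("$(branch_id)", str(branch_id)))
    return str(net)


def check_branch_ids(branches: dict) -> list:
    """Report branch_id values that would not yield a valid, unique LAN subnet."""
    problems = []
    seen = {}
    for name, bid in branches.items():
        if not 1 <= bid <= 254:
            problems.append(f"{name}: branch_id {bid} is not a usable third octet")
        elif bid in seen:
            # Two branches with one branch_id would advertise the same LAN to the hub.
            problems.append(f"{name}: branch_id {bid} collides with {seen[bid]}")
        else:
            seen[bid] = name
    return problems


def hub_static_routes(branches: dict) -> dict:
    """Map each branch to the LAN the hub needs a static route for, after validation."""
    problems = check_branch_ids(branches)
    if problems:
        raise ValueError("; ".join(problems))
    return {name: render_branch_lan(bid) for name, bid in branches.items()}


if __name__ == "__main__":
    for branch, lan in hub_static_routes(BRANCHES).items():
        print(f"{branch}: hub static route to {lan} over the {branch} tunnel")
```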
The below topology outlines the connected networks for each FortiGate.
Once configured, the overlay will look like the following topology.