
Administration Guide

Creating new IPsec VPN templates


If you prefer to input all the settings required for a VPN tunnel, you may create a new IPsec VPN template as follows.

To create an IPsec VPN template:
  1. Go to Device Manager > Provisioning Templates > IPsec Tunnel Templates.
  2. Click Create New from the toolbar. The Create New IPsec Tunnel Template dialog appears.
  3. Enter a Name for the template, optionally add a description, then click OK.
  4. Click Create New to create a new IPsec tunnel.

    Note: Any field with a magnifying glass indicates that an ADOM-level metadata variable may be used. See ADOM-level metadata variables.

    | Setting | Value/Description |
    | --- | --- |
    | Tunnel Name | Enter the name of the IPsec tunnel. |
    | Routing | Automatic: Static routes to the remote subnet will be created. See Remote Subnet. Manual: Routes will not be created automatically. |
    | Remote Device | IP Address: Select when you know the IP address of the VPN tunnel destination. Dynamic DNS: Select when you will provide an FQDN for the VPN tunnel destination. Dynamic: Select when the remote devices are dial-up clients whose IP addresses may vary or cannot be determined at the time of configuration. |
    | Remote Gateway (IP Address) | Enter the IP address of the VPN tunnel destination. Only available when IP Address is selected. |
    | Remote Gateway (FQDN) | Enter the FQDN of the VPN tunnel destination. Only available when Dynamic DNS is selected. |
    | IPv4 Start IP | Enter the first usable IP address assigned to connecting dial-up devices. |
    | IPv4 End IP | Enter the last usable IP address assigned to connecting dial-up devices. |
    | IPv4 Netmask | Define the netmask for the IP addresses assigned to connecting dial-up devices. |
    | Outgoing Interface | Define the interface used to establish the VPN tunnel. |
    | Local ID | If there are several dial-up IPsec VPN tunnels configured on the same interface, specify a Local ID for the dial-up client's peer ID to match. |
    | Network Overlay | Toggle on to provide a network ID. Distinct network overlay IDs are required to establish multiple IPsec VPN tunnels between the same two FortiGate IP addresses. |
    | Remote Subnet | Enter one or more remote subnets, with netmask. This field is available when Automatic routing is selected. This subnet is used to generate a static route. |
    | Proposal | Define the cipher suites offered when negotiating the VPN tunnel settings. |
    | FEC Health Check | If FEC is to be used, this health check server allows the FortiGate to assess the link quality and adaptively increase redundancy levels as the link quality or throughput changes. |
    | Authentication Method | Pre-shared Key: Alphanumeric key used for device authentication. Signature: Select a certificate to be used for authentication, including the Peer Certificate CA. |
    | Tunnel Interface Setup | Configure the IP or remote IP for the tunnel to use in the IPsec template. |
    | Phase 2 Interface | Click Create New to define the parameters for the phase 2 interface. |
    | Advanced Options | Expand to access and set a number of advanced options. |

  5. Click OK to save the settings. The IPsec template is created and ready to be assigned to devices.
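
The field dependencies in the table above can be checked before a template is assigned to devices. The following is an added example, not FortiManager code or its API: the dictionary keys are hypothetical names for the GUI fields, and it assumes the dial-up pool should sit inside one subnet and that tunnels sharing an outgoing interface and gateway IP are "between the same two FortiGate IP addresses".

```python
import ipaddress

def check_pool(t):  # Start IP, End IP and Netmask must describe one range
    try:
        start = ipaddress.IPv4Address(t["ipv4_start"])
        end = ipaddress.IPv4Address(t["ipv4_end"])
        net = ipaddress.IPv4Network(f"{start}/{t['ipv4_netmask']}", strict=False)
    except (KeyError, ValueError) as exc:
        return [f"dial-up pool invalid: {exc}"]
    problems = ["ipv4_start is above ipv4_end"] if start > end else []
    if end not in net:
        problems.append(f"ipv4_end {end} is outside {net}")
    return problems

def check_tunnel(t):
    """Problems in one tunnel dict; key names are hypothetical, not FortiManager's."""
    problems, kind = [], t.get("remote_device")
    if kind == "ip":  # Remote Gateway (IP Address) applies only to this type
        try:
            ipaddress.ip_address(t.get("remote_gateway_ip", ""))
        except ValueError:
            problems.append("remote_gateway_ip missing or not an IP address")
    elif kind == "ddns":  # Remote Gateway (FQDN) applies only to this type
        if not t.get("remote_gateway_fqdn"):
            problems.append("remote_gateway_fqdn required for Dynamic DNS")
    elif kind == "dynamic":
        problems += check_pool(t)
    else:
        problems.append("remote_device must be ip, ddns or dynamic")
    # Remote Subnet only feeds static routes when routing is Automatic.
    if t.get("remote_subnets") and t.get("routing") != "automatic":
        problems.append("remote_subnets set but routing is not automatic")
    return problems

def check_overlays(tunnels):
    # Assumption: same outgoing interface + same gateway IP = "same two addresses".
    groups = {}
    for t in tunnels:
        if t.get("remote_gateway_ip"):
            key = (t.get("outgoing_interface"), t["remote_gateway_ip"])
            groups.setdefault(key, []).append(t.get("network_overlay_id"))
    return [f"{iface}->{gw}: overlay IDs must be set and distinct"
            for (iface, gw), ids in groups.items()
            if len(ids) > 1 and (None in ids or len(set(ids)) != len(ids))]

# Constructed sample (documentation address ranges), not values from the guide.
GW = {"remote_device": "ip", "remote_gateway_ip": "203.0.113.10", "outgoing_interface": "wan1"}
POOL = {"remote_device": "dynamic", "ipv4_start": "10.10.1.10", "ipv4_end": "10.10.2.20", "ipv4_netmask": "255.255.255.0"}
SAMPLE = [{**GW, "network_overlay_id": 1}, {**GW, "network_overlay_id": 1}, POOL]
print([check_tunnel(t) for t in SAMPLE], check_overlays(SAMPLE))
```

In the sample, the two tunnels to the same gateway reuse overlay ID 1 and the dial-up pool's end address falls outside the /24 given by its netmask, so both are reported.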
