Recommended IPsec templates
FortiManager includes recommended IPsec templates that come preconfigured according to FortiManager best practices for use within your environment. These templates can be used to simplify deployment of SD-WAN interconnected sites or to create IPsec VPNs for FortiGate devices.
Once a new IPsec template has been created from a recommended template, it can be edited, deleted, and/or cloned.
ADOM-level metadata variables can be used when configuring a recommended template's required fields to ensure that fields like Local ID are unique when the template is assigned to multiple devices. See ADOM-level metadata variables.
The following IPsec recommended templates are available.
Template Name | Description |
---|---|
HUB_IPSec_Recommended | This template was created for use with the SD-WAN provisioning template. The wizard prompts for input expected for HUB IPsec tunnels used by the SD-WAN template. The template assumes dialup clients by selecting Dynamic for Remote Devices. |
Branch_IPSec_Recommended | Fortinet's recommended template for IPSec branch device configurations. The wizard prompts for the remote gateway (HUB) and requests a local ID to facilitate multiple tunnels for use in SD-WAN. |
IPSec_Fortinet_Recommended | Fortinet's recommended template for IPSec configurations. Unlike the HUB and Branch templates above, this template does not make assumptions about the function of the assigned device/group. |
To use a default IPsec template in your environment:
- Go to Device Manager > Provisioning Templates > IPsec Tunnel Templates.
- Select a recommended template, and click Activate in the toolbar.
- Enter configuration details specific to your environment.
- Click OK to save your changes.
  A new template is created in the template list based on the recommended template you selected and the configuration details provided.
- (Optional) Edit the template to view or change the automatically configured settings.
  Any field with a magnifying glass indicates that a metadata variable may be used. See ADOM-level metadata variables.
- (Optional) Once a template has been created, it can be added to a template group. See Template groups.
- Assign the new template (or template group) to one or more managed devices or device groups.
- Install the changes.
To create a HUB_IPSec_Recommended template:
- Activate the HUB_IPSec_Recommended template.
- Enter the following requested information.
Field | Description |
---|---|
Template Name | Enter a name for the template. |
Enable ADVPN | Optionally, toggle this setting to enable Auto Discovery VPN (ADVPN). |
Outgoing Interface | Enter the outgoing interface. This is the physical port that the branch devices will connect to. |
IPv4 Start IP | Enter the first usable IP address in the range. |
IPv4 End IP | Enter the last usable IP address in the range. |
IPv4 Netmask | Enter the IPv4 netmask. |
Pre-shared Key | Enter the pre-shared key. |
- Click OK to create the template.
To create a Branch_IPSec_Recommended template:
- Activate the Branch_IPSec_Recommended template.
- Enter the following requested information.
Field | Description |
---|---|
Template Name | Enter a name for the template. |
Enable ADVPN | Optionally, enable or disable Auto Discovery VPN (ADVPN). |
Outgoing Interface | Enter the outgoing interface. This is the physical port that the branch devices will use to connect to the HUB. |
Local ID | Enter a Local ID. This is used by the HUB to identify the connecting device. |
Remote Gateway | Enter the IP address of the HUB interface that the Branch will connect to. |
Pre-shared Key | Enter the pre-shared key. |
- Click OK to create the template.
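Before the values above are entered in the HUB and Branch wizards, they can be sanity-checked offline. The following is an added example, not Fortinet code and not a FortiManager API: the function names and sample values are hypothetical, and it assumes each branch tunnel consumes one address from the HUB's IPv4 range and that the dictionary holds the Local ID each device resolves to (for example through a metadata variable).

```python
import ipaddress
from collections import Counter


def check_hub_pool(start_ip, end_ip, netmask, tunnel_count):
    """Return a list of problems with the HUB template's IPv4 range fields."""
    problems = []
    start = ipaddress.IPv4Address(start_ip)
    end = ipaddress.IPv4Address(end_ip)
    # strict=False derives the subnet that contains the start address.
    net = ipaddress.IPv4Network(f"{start_ip}/{netmask}", strict=False)
    if start > end:
        problems.append("start IP is higher than end IP")
    if end not in net:
        problems.append(f"end IP {end} is outside {net}")
    # The wizard asks for the first and last *usable* addresses.
    for label, ip in (("start", start), ("end", end)):
        if ip in (net.network_address, net.broadcast_address):
            problems.append(f"{label} IP {ip} is not a usable host address")
    size = int(end) - int(start) + 1
    if 0 < size < tunnel_count:  # assumption: one address per branch tunnel
        problems.append(f"range holds {size} addresses for {tunnel_count} tunnels")
    return problems


def duplicate_local_ids(device_local_ids):
    """Return Local IDs that more than one device would present to the HUB."""
    counts = Counter(v.strip() for v in device_local_ids.values())
    return sorted(v for v, n in counts.items() if n > 1)


# Constructed sample values (not from the page).
BRANCH_LOCAL_IDS = {"branch-01": "br01", "branch-02": "br02", "branch-03": "br01"}

if __name__ == "__main__":
    print(check_hub_pool("10.10.0.1", "10.10.0.254", "255.255.255.0", 3))
    print(check_hub_pool("10.10.0.0", "10.10.1.10", "255.255.255.0", 3))
    print(duplicate_local_ids(BRANCH_LOCAL_IDS))
```

An empty list from both functions means the range fields are consistent and no two devices share a Local ID.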
To create an IPSec_Fortinet_Recommended template:
- Activate the IPSec_Recommended template.
- Enter the following requested information.
Field | Description |
---|---|
Template Name | Enter a name for the template. |
Outgoing Interface | Enter the outgoing interface. This is the physical port that the branch devices will connect to. |
Remote Gateway | Enter the IP address of the destination device’s interface that the assigned FortiGates will connect to. |
Pre-shared Key | Enter the pre-shared key. |
- Click OK to create the template.