Cookbook

Adding tunnel interfaces to the VPN

Adding tunnel interfaces to the VPN

  1. To create an address for the Edge tunnel interface, connect to Edge, go to Policy & Objects > Addresses, and create a new address.
  2. Set Category to Address and set Subnet/IP Range to the IP address for the Edge tunnel interface (10.10.10.1/32).

  3. Create a second address for the Branch tunnel interface. For this address, enable Static Route Configuration.

  4. To allow VPN traffic between the Edge tunnel interface and the Branch tunnel interface, go to VPN > IPsec Tunnels, and edit the VPN tunnel. Select Convert To Custom Tunnel.
  5. Under Phase 2 Selectors, create a new Phase 2. Set Local Address to use a Named Address and select the address for the Edge tunnel interface. Set Remote Address to use a Named Address, and select the address for the Branch tunnel interface.

  6. To route traffic to the Branch tunnel interface, go to Network > Static Routes, and create a new route.
  7. Set Destination to Named Address, and select the address for the Branch tunnel interface. Set Device to the tunnel interface.

  8. To allow traffic between the tunnel interfaces, go to Policy & Objects > IPv4 Policy and edit the policy allowing local VPN traffic.
  9. Set Source to include the Edge tunnel interface and Destination to include the Branch tunnel interface. To configure this, you must have Multiple Interface Policies enabled. If you have not done this already, go to System > Feature Visibility.

  10. Edit the policy allowing remote VPN traffic to include the tunnel interfaces.

  11. On Branch, repeat steps 1 to 10 to include the following:
    • Addresses for both tunnel interfaces (enable Static Route Configuration for the Edge tunnel interface address)
    • A Phase 2 that allows traffic between the Branch tunnel interface and the Edge tunnel interface
    • A static route to the Edge tunnel interface
    • Edited policies that allow traffic to flow between the tunnel interfaces
  12. To allow the new phase 2 to take effect, go to Monitor > IPsec Monitor, and restart the VPN tunnel.
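The same configuration as steps 1 to 10 on Edge, expressed as FortiOS CLI so it can be checked or scripted. This is an added example, not part of the cookbook; the tunnel (phase 1) name "Edge-to-Branch", the Branch tunnel address 10.10.10.2/32 and the local VPN policy ID 3 are assumed placeholders, since the page only gives the Edge address 10.10.10.1/32.

```fortios
# Added example (not from the cookbook). Assumed names: phase1/tunnel
# "Edge-to-Branch", Branch tunnel address 10.10.10.2/32, local VPN
# policy ID 3. Only 10.10.10.1/32 is taken from the page.

# Steps 1-3: address objects for both tunnel interfaces
config firewall address
    edit "Edge-tunnel-if"
        set subnet 10.10.10.1 255.255.255.255
    next
    edit "Branch-tunnel-if"
        set subnet 10.10.10.2 255.255.255.255
        set allow-routing enable    # GUI: Static Route Configuration
    next
end

# Steps 4-5: Phase 2 selector built from the named addresses
config vpn ipsec phase2-interface
    edit "Tunnel-if-selector"
        set phase1name "Edge-to-Branch"
        set src-name "Edge-tunnel-if"
        set dst-name "Branch-tunnel-if"
    next
end

# Steps 6-7: route the Branch tunnel address into the tunnel interface
config router static
    edit 0
        set dstaddr "Branch-tunnel-if"
        set device "Edge-to-Branch"
    next
end

# Steps 8-10: add the tunnel addresses to the existing local VPN policy
config firewall policy
    edit 3
        append srcaddr "Edge-tunnel-if"
        append dstaddr "Branch-tunnel-if"
    next
end

# After the tunnel restart in step 12, confirm the new selector is up
diagnose vpn tunnel list name Edge-to-Branch
```

On Branch the same blocks apply with the two address objects swapped (allow-routing on the Edge address, the static route pointing at "Edge-tunnel-if").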
