jasri
Staff
Article Id 190601

Description

 

This article describes how to configure VPN via FortiManager's VPN Manager.

In FortiManager 5.6.0 and later, mixed-mode VPN allows VPNs to be concurrently configured through VPN Manager and on the FortiGate device in Device Manager.

In FortiManager versions prior to 5.6.0, central VPN management must be disabled to configure VPNs in Device Manager.

 

Scope

 

FortiGate.


Solution


On the VPN Manager pane, it is possible to configure IPsec VPN settings that can be installed on multiple devices.

  1. Enable VPN Manager.

 

 

 

  2. Create VPN Community.


It is possible to create full-meshed, star, and dial-up IPsec VPN communities.

IPsec VPN communities are also sometimes called VPN topologies.

In this example, a Star topology is created with a hub and a spoke:


Configure Phase 1 and Phase 2 according to requirements.


 

 

  3. Create IPsec VPN Gateways.


A VPN gateway functions as one end of a VPN tunnel. It receives incoming IPsec packets, decrypts the encapsulated data packets, then passes the data packets to the local network. It also encrypts, encapsulates, and sends the IPsec data packets to the gateway at the other end of the VPN tunnel.

The IP address of a VPN gateway is usually the IP address of the network interface that connects to the Internet.

Create a HUB:

Select Managed Gateway for devices managed by FortiManager.

Select External Gateway for devices that are not managed by FortiManager, or that are managed in another ADOM.

 
 
 

Default VPN interface (usually the internet-facing interface):

 
 


Create a SPOKE:


 
 
 
 


Hub and Spoke created:


Install the VPN Configuration using an Install Wizard:


Install it to the hub:

 
 
 


Install it to the spoke:

 
 

 

  4. Create Firewall Policies.


Firewall policies on the hub:



Firewall policies on the spoke:



Install the policies.

Tunnel is up:


Note: To resolve the copy error 'no hub configured for vpn XXX' while installing from FortiManager, verify and reconfigure the HUB using the steps above and try to install again.
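The following is an added example, not part of the original article or of FortiManager: a pre-install sanity check that flags a star community with no hub (the condition behind the copy error in the note above) and managed gateways with no default VPN interface. The dictionary layout, key names, device names and interface names are constructed for illustration and are not FortiManager's export or API schema.

```python
# Added example: offline check of a planned VPN community before running the
# Install Wizard. The data layout is an assumption made for this example.

TOPOLOGIES = ("full-meshed", "star", "dial-up")  # community types named in the article


def check_community(community):
    """Return a list of problems found in one community definition."""
    problems = []
    name = community.get("name", "<unnamed>")
    topology = community.get("topology")
    gateways = community.get("gateways", [])

    if topology not in TOPOLOGIES:
        problems.append(f"{name}: unknown topology {topology!r}")

    # Role checks are applied to star communities only, the case the article shows.
    if topology == "star":
        roles = [g.get("role") for g in gateways]
        if "hub" not in roles:
            problems.append(f"{name}: no hub configured")
        if "spoke" not in roles:
            problems.append(f"{name}: no spoke configured")
        for g in gateways:
            if g.get("role") not in ("hub", "spoke"):
                problems.append(f"{name}: gateway {g.get('device')} has no hub/spoke role")

    # A managed gateway needs a default VPN interface (usually internet-facing).
    for g in gateways:
        if g.get("type") == "managed" and not g.get("default_vpn_interface"):
            problems.append(f"{name}: managed gateway {g.get('device')} has no default VPN interface")
    return problems


# Constructed sample data (hypothetical device and interface names).
GOOD = {"name": "Star-Example", "topology": "star", "gateways": [
    {"device": "FGT-HUB", "type": "managed", "role": "hub", "default_vpn_interface": "wan1"},
    {"device": "FGT-SPOKE", "type": "managed", "role": "spoke", "default_vpn_interface": "wan1"},
]}
BROKEN = {"name": "Star-Example", "topology": "star", "gateways": [
    {"device": "FGT-SPOKE-A", "type": "managed", "role": "spoke", "default_vpn_interface": "wan1"},
    {"device": "FGT-SPOKE-B", "type": "managed", "role": "spoke", "default_vpn_interface": ""},
]}

if __name__ == "__main__":
    for label, community in (("GOOD", GOOD), ("BROKEN", BROKEN)):
        for line in check_community(community) or ["ok"]:
            print(f"[{label}] {line}")
```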