FortiManager
Debbie_FTNT
Staff
Article Id 195820
Description
This article explains how to create a fully meshed VPN with the VPN Manager feature of FortiManager for FortiGates that have multiple ISP lines.

Solution
Building a fully redundant IPsec VPN between multiple FortiGates that each have multiple ISP connections is a complex undertaking.

For just two FortiGates with two ISP links each, this is already a total of 4 tunnels. For three FortiGates with two ISP links each, it is 12, and at 5 FortiGates it is 40.

FortiManager VPN Manager can assist in this as follows.

Preparation

All FortiGates that should make up the mesh need to be added to the community. Their WAN interfaces need either a static IP or a DDNS entry, and they need to be mapped to ADOM interfaces (this is done automatically when policies are imported from the FortiGates).

All FortiGates should run the same firmware version so they can be managed in the same ADOM.

VPN Manager functionality needs to be enabled.

Example environment

FortiManager firmware version 6.0.3; ADOM used in the lab: ‘ADOM2’

Local-FortiGate, with interfaces port1 and port2:
  • Port1 mapped to policy interface WAN1, IP 10.200.1.1/24
  • Port2 mapped to policy interface port2, IP 10.200.2.1/24
  • Local P2 is address ‘LOCAL_SUBNET’

Remote-FortiGate, with interfaces port4 and port5:
  • Port4 mapped to policy interface WAN1, IP 10.200.3.1/24
  • Port5 mapped to policy interface port5, IP 10.200.4.1/24
  • Local P2 is address ‘REMOTE_SUBNET’


Steps

1.    Create a new Mesh VPN community in VPN Manager. Set encryption, Diffie-Hellman groups, pre-shared keys and key lifetime as desired. Under Advanced Options, enable ‘Inter-Vdom’; this allows adding multiple interfaces of the same FortiGate to the VPN community. Then click ‘OK’ to save.


Example: create a VPN mesh called ‘test_all’ with default values and ‘Inter-vdom’ enabled.

2.    Double-click the new community and start adding the FortiGates to the VPN community.

Select ‘Add Gateway’ and add the FortiGates. The protected subnets selected here will later form the basis of routing within the VPN mesh. Select the proper VPN interface (one ISP interface) and save. Repeat this for every ISP interface on the FortiGate, using the same protected subnets. Afterwards, the VPN community should look like this:


In the example above, WAN1 (mapped to port1) and port2 (mapped to port2) are added for Local-FortiGate, and WAN1 (mapped to port4) and port5 (mapped to port5) are added for Remote-FortiGate. LOCAL_SUBNET is selected as the protected subnet for Local-FortiGate (this is the FortiGate’s local network that should be able to access the VPN). REMOTE_SUBNET is selected as the protected subnet for Remote-FortiGate (this is that FortiGate’s local network that should be able to access the VPN). The protected subnets become the routing destinations when the tunnels are pushed to the FortiGates.

3.    This can now be installed to the FortiGates, either as Device Settings only or as part of a policy package, via the Install Wizard or Re-install Policy. FortiManager will not push tunnels between individual interfaces of the same FortiGate. Phase1, system interface entries, zone, phase2 and routing are configured automatically if the VPN community has default settings. If routing or zone settings were modified in the VPN community, some of these settings might be missing. Note that at this point no policies have been created for the VPN tunnels, so while the tunnels themselves exist, no traffic can enter them yet. Afterwards, the following should be visible in FortiManager under Device Manager (VPN display might need to be enabled under Tools/Display Options):

Remote-FortiGate IPsec phase1 after installation:


Local-FortiGate IPsec phase1 after installation:


Installation report on Local-FortiGate (default mesh VPN community with Inter-VDOM enabled):

Starting log (Run on device)

// Installation of phase1 and system interface entries

Start installing
Local-FortiGate $ config vpn ipsec phase1-interface
Local-FortiGate (phase1-interface) $ edit "test_all_4_2"
Local-FortiGate (test_all_4_2) $ set interface "port2"
Local-FortiGate (test_all_4_2) $ set ike-version 2
Local-FortiGate (test_all_4_2) $ set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_4_2) $ set proposal aes256-sha256
Local-FortiGate (test_all_4_2) $ set keylife 28800
Local-FortiGate (test_all_4_2) $ set peertype any
Local-FortiGate (test_all_4_2) $ set remote-gw 10.200.4.1
Local-FortiGate (test_all_4_2) $ set dpd-retryinterval 5
Local-FortiGate (test_all_4_2) $ set add-gw-route enable
Local-FortiGate (test_all_4_2) $ set psksecret *********************
Local-FortiGate (test_all_4_2) $ next
Local-FortiGate (phase1-interface) $ end
Local-FortiGate $ config system interface
Local-FortiGate (interface) $ edit "test_all_4_2"
Local-FortiGate (test_all_4_2) $ set vdom "root"
Local-FortiGate (test_all_4_2) $ set type tunnel
Local-FortiGate (test_all_4_2) $ set snmp-index 110
Local-FortiGate (test_all_4_2) $ set interface "port2"
Local-FortiGate (test_all_4_2) $ next
Local-FortiGate (interface) $ end
Local-FortiGate $ config vpn ipsec phase1-interface
Local-FortiGate (phase1-interface) $ edit "test_all_4_1"
Local-FortiGate (test_all_4_1) $ set interface "port2"
Local-FortiGate (test_all_4_1) $ set ike-version 2
Local-FortiGate (test_all_4_1) $ set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_4_1) $ set proposal aes256-sha256
Local-FortiGate (test_all_4_1) $ set keylife 28800
Local-FortiGate (test_all_4_1) $ set peertype any
Local-FortiGate (test_all_4_1) $ set remote-gw 10.200.3.1
Local-FortiGate (test_all_4_1) $ set dpd-retryinterval 5
Local-FortiGate (test_all_4_1) $ set add-gw-route enable
Local-FortiGate (test_all_4_1) $ set psksecret *********************
Local-FortiGate (test_all_4_1) $ next
Local-FortiGate (phase1-interface) $ end
Local-FortiGate $ config system interface
Local-FortiGate (interface) $ edit "test_all_4_1"
Local-FortiGate (test_all_4_1) $ set vdom "root"
Local-FortiGate (test_all_4_1) $ set type tunnel
Local-FortiGate (test_all_4_1) $ set snmp-index 111
Local-FortiGate (test_all_4_1) $ set interface "port2"
Local-FortiGate (test_all_4_1) $ next
Local-FortiGate (interface) $ end
Local-FortiGate $ config vpn ipsec phase1-interface
Local-FortiGate (phase1-interface) $ edit "test_all_3_2"
Local-FortiGate (test_all_3_2) $ set interface "port1"
Local-FortiGate (test_all_3_2) $ set ike-version 2
Local-FortiGate (test_all_3_2) $ set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_3_2) $ set proposal aes256-sha256
Local-FortiGate (test_all_3_2) $ set keylife 28800
Local-FortiGate (test_all_3_2) $ set peertype any
Local-FortiGate (test_all_3_2) $ set remote-gw 10.200.4.1
Local-FortiGate (test_all_3_2) $ set dpd-retryinterval 5
Local-FortiGate (test_all_3_2) $ set add-gw-route enable
Local-FortiGate (test_all_3_2) $ set psksecret *********************
Local-FortiGate (test_all_3_2) $ next
Local-FortiGate (phase1-interface) $ end
Local-FortiGate $ config system interface
Local-FortiGate (interface) $ edit "test_all_3_2"
Local-FortiGate (test_all_3_2) $ set vdom "root"
Local-FortiGate (test_all_3_2) $ set type tunnel
Local-FortiGate (test_all_3_2) $ set snmp-index 112
Local-FortiGate (test_all_3_2) $ set interface "port1"
Local-FortiGate (test_all_3_2) $ next
Local-FortiGate (interface) $ end
Local-FortiGate $ config vpn ipsec phase1-interface
Local-FortiGate (phase1-interface) $ edit "test_all_3_1"
Local-FortiGate (test_all_3_1) $ set interface "port1"
Local-FortiGate (test_all_3_1) $ set ike-version 2
Local-FortiGate (test_all_3_1) $ set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_3_1) $ set proposal aes256-sha256
Local-FortiGate (test_all_3_1) $ set keylife 28800
Local-FortiGate (test_all_3_1) $ set peertype any
Local-FortiGate (test_all_3_1) $ set remote-gw 10.200.3.1
Local-FortiGate (test_all_3_1) $ set dpd-retryinterval 5
Local-FortiGate (test_all_3_1) $ set add-gw-route enable
Local-FortiGate (test_all_3_1) $ set psksecret *********************
Local-FortiGate (test_all_3_1) $ next
Local-FortiGate (phase1-interface) $ end
Local-FortiGate $ config system interface
Local-FortiGate (interface) $ edit "test_all_3_1"
Local-FortiGate (test_all_3_1) $ set vdom "root"
Local-FortiGate (test_all_3_1) $ set type tunnel
Local-FortiGate (test_all_3_1) $ set snmp-index 113
Local-FortiGate (test_all_3_1) $ set interface "port1"
Local-FortiGate (test_all_3_1) $ next
Local-FortiGate (interface) $ end

// Installation of zone

Local-FortiGate $ config system zone
Local-FortiGate (zone) $ edit "vpnmgr_test_all_mesh"
Local-FortiGate (vpnmgr_test_all_mesh) $ set interface "test_all_4_2" "test_all_4_1" "test_all_3_2" "test_all_3_1"
Local-FortiGate (vpnmgr_test_all_mesh) $ next
Local-FortiGate (zone) $ end

// Installation of phase2

Local-FortiGate $ config vpn ipsec phase2-interface
Local-FortiGate (phase2-interface) $ edit "test_all_3_1_0"
Local-FortiGate (test_all_3_1_0) $ set phase1name "test_all_3_1"
Local-FortiGate (test_all_3_1_0) $ set proposal aes128gcm
Local-FortiGate (test_all_3_1_0) $ set keepalive enable
Local-FortiGate (test_all_3_1_0) $ set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_3_1_0) $ set keylifeseconds 1800
Local-FortiGate (test_all_3_1_0) $ next
Local-FortiGate (phase2-interface) $ end
Local-FortiGate $ config vpn ipsec phase2-interface
Local-FortiGate (phase2-interface) $ edit "test_all_3_2_0"
Local-FortiGate (test_all_3_2_0) $ set phase1name "test_all_3_2"
Local-FortiGate (test_all_3_2_0) $ set proposal aes128gcm
Local-FortiGate (test_all_3_2_0) $ set keepalive enable
Local-FortiGate (test_all_3_2_0) $ set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_3_2_0) $ set keylifeseconds 1800
Local-FortiGate (test_all_3_2_0) $ next
Local-FortiGate (phase2-interface) $ end
Local-FortiGate $ config vpn ipsec phase2-interface
Local-FortiGate (phase2-interface) $ edit "test_all_4_1_0"
Local-FortiGate (test_all_4_1_0) $ set phase1name "test_all_4_1"
Local-FortiGate (test_all_4_1_0) $ set proposal aes128gcm
Local-FortiGate (test_all_4_1_0) $ set keepalive enable
Local-FortiGate (test_all_4_1_0) $ set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_4_1_0) $ set keylifeseconds 1800
Local-FortiGate (test_all_4_1_0) $ next
Local-FortiGate (phase2-interface) $ end
Local-FortiGate $ config vpn ipsec phase2-interface
Local-FortiGate (phase2-interface) $ edit "test_all_4_2_0"
Local-FortiGate (test_all_4_2_0) $ set phase1name "test_all_4_2"
Local-FortiGate (test_all_4_2_0) $ set proposal aes128gcm
Local-FortiGate (test_all_4_2_0) $ set keepalive enable
Local-FortiGate (test_all_4_2_0) $ set comments "[created by FMG VPN Manager]"
Local-FortiGate (test_all_4_2_0) $ set keylifeseconds 1800
Local-FortiGate (test_all_4_2_0) $ next
Local-FortiGate (phase2-interface) $ end

// Installation of routing entries (routing destinations based on protected subnets set in VPN manager)

Local-FortiGate $ config router static
Local-FortiGate (static) $ edit 1072741825
Local-FortiGate (1072741825) $ set dst 10.0.2.0 255.255.255.0
Local-FortiGate (1072741825) $ set priority 1
Local-FortiGate (1072741825) $ set device "test_all_4_2"
Local-FortiGate (1072741825) $ next
Local-FortiGate (static) $ end
Local-FortiGate $ config router static
Local-FortiGate (static) $ edit 1072741826
Local-FortiGate (1072741826) $ set dst 10.0.2.0 255.255.255.0
Local-FortiGate (1072741826) $ set priority 1
Local-FortiGate (1072741826) $ set device "test_all_4_1"
Local-FortiGate (1072741826) $ next
Local-FortiGate (static) $ end
Local-FortiGate $ config router static
Local-FortiGate (static) $ edit 1072741827
Local-FortiGate (1072741827) $ set dst 10.0.2.0 255.255.255.0
Local-FortiGate (1072741827) $ set priority 1
Local-FortiGate (1072741827) $ set device "test_all_3_2"
Local-FortiGate (1072741827) $ next
Local-FortiGate (static) $ end
Local-FortiGate $ config router static
Local-FortiGate (static) $ edit 1072741828
Local-FortiGate (1072741828) $ set dst 10.0.2.0 255.255.255.0
Local-FortiGate (1072741828) $ set priority 1
Local-FortiGate (1072741828) $ set device "test_all_3_1"
Local-FortiGate (1072741828) $ next
Local-FortiGate (static) $ end

---> generating verification report
<--- done generating verification report

4.    Optionally, create policies for the VPN.

By default, the VPN interfaces are placed in a VPN zone, and this zone should be used in the policies. To create policies for the VPN, go to Policy & Objects, select the appropriate policy package, create a new policy, and select either the VPN zone (if VPN zones were not disabled when the VPN community was created) or the appropriate mapped interface as source/destination. Source and destination addresses can be set to the addresses configured as protected subnets in the VPN community.


Note: how to calculate the number of VPN tunnels in a fully redundant mesh with a given number of ISP connections per FortiGate:

N = number of FortiGates
I = number of ISP connections each FortiGate has
Number of VPN tunnels = (N × (N − 1) / 2) × I²

That is: the number of FortiGates times the number of FortiGates minus one, divided by two, then times the number of ISP connections squared.
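The following script is an added example, not part of the original article or of FortiManager: it implements the tunnel-count formula above (total tunnels and the phase1 entries a single FortiGate should receive) and audits an installation log in the format shown in step 3, reporting any phase1 that was pushed without its system interface, phase2, zone membership or static route, which is the situation step 3 warns about when zone or routing settings were modified. The log excerpt and the missing pieces in it are constructed for the demonstration.

```python
import re
# Constructed excerpt in the format of the step 3 installation log (not the
# page's full log): test_all_3_1 is deliberately left without a phase2 and a
# static route so the audit has something to report.
INSTALL_LOG = """\
Local-FortiGate (phase1-interface) $ edit "test_all_4_2"
Local-FortiGate (interface) $ edit "test_all_4_2"
Local-FortiGate (phase1-interface) $ edit "test_all_3_1"
Local-FortiGate (interface) $ edit "test_all_3_1"
Local-FortiGate (zone) $ edit "vpnmgr_test_all_mesh"
Local-FortiGate (vpnmgr_test_all_mesh) $ set interface "test_all_4_2" "test_all_3_1"
Local-FortiGate (phase2-interface) $ edit "test_all_4_2_0"
Local-FortiGate (test_all_4_2_0) $ set phase1name "test_all_4_2"
Local-FortiGate (static) $ edit 1072741825
Local-FortiGate (1072741825) $ set device "test_all_4_2"
"""
# Every relevant log line has the form: <device> (<context>) $ <cmd> <args>
LINE = re.compile(r'^\S+ \((?P<ctx>[^)]+)\) \$ (?P<cmd>\w+) (?P<args>.*)$')
QUOTED = re.compile(r'"([^"]+)"')

def mesh_tunnels(n, i):
    # Total tunnels in the full mesh: (N x (N-1) / 2) x I^2, the page's formula.
    return n * (n - 1) // 2 * i * i

def phase1_per_device(n, i):
    # Phase1 entries on one FortiGate: its I ISP links x I links on each of N-1 peers.
    return (n - 1) * i * i

def audit_install_log(log):
    """For each phase1 in the log, list which of the pieces step 3 says are
    pushed with it (system interface, phase2, zone membership, route) are absent."""
    phase1, zones = [], set()
    have = {'system interface': set(), 'phase2': set(),
            'zone membership': set(), 'static route': set()}
    for m in filter(None, map(LINE.match, log.splitlines())):
        ctx, cmd, args = m.group('ctx', 'cmd', 'args')
        names = QUOTED.findall(args)
        if cmd == 'edit' and ctx == 'phase1-interface':
            phase1.append(names[0])
        elif cmd == 'edit' and ctx == 'interface':
            have['system interface'].add(names[0])
        elif cmd == 'edit' and ctx == 'zone':
            zones.add(names[0])
        elif cmd == 'set' and args.startswith('interface') and ctx in zones:
            have['zone membership'].update(names)
        elif cmd == 'set' and args.startswith('phase1name'):
            have['phase2'].add(names[0])
        elif cmd == 'set' and args.startswith('device'):
            have['static route'].add(names[0])
    return {p1: [k for k, s in have.items() if p1 not in s] for p1 in phase1}
```

Run against the full step 3 log, every phase1 should come back with an empty list, and the number of phase1 entries should equal phase1_per_device(N, I) for the community (4 for the two-FortiGate, two-ISP lab above).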

Refer also to the FortiOS handbook Chapter 14 Redundant route-based VPN configuration.
