singhl
Staff
Article Id 392224
Description

 

This article describes how to build a Dialup IPsec tunnel using VPN Manager in FortiManager.

 

Scope

 

FortiManager.

 

Solution

 

Note:

It is not possible to control the phase 2 quick mode selectors while using VPN Manager; it sets 0.0.0.0/0.0.0.0 for both the Local and Remote addresses. Access should be controlled via firewall policies.

 

Configure VPN Manager for Dialup VPN tunnels:

  1. Enable Centralized VPN Management. See the document 'Enabling central VPN management' for reference.
  2. Create a new community and set the topology as 'Remote Access'.

VPN_MGR_1.png

  3. Set all the necessary configurations for the VPN community. The most important are to set a specific pre-shared key and to choose the VPN Zone setting.
  4. Create a new managed gateway. The Protected subnet can be 0.0.0.0/0.0.0.0, as VPN Manager does not set specific phase 2 selectors.
  5. Set Role as 'Hub' and set the VPN interface to the one that all clients will connect to.
  6. Set the Local gateway to the IP to which clients will connect; if left as 0.0.0.0, the interface IP will be set.
  7. The following image shows the key configurations needed while creating IPsec tunnels:

VPN_MGR_Gateway1.png

Note:

The address object used for the Client Address Range should have 'type' set to 'IP Range'. Otherwise, the install will fail.

  8. Install the policy package assigned to the FortiGate that acts as the Hub and will perform the IPsec configuration.
  9. Device Manager will show the VPN zone created, as shown below:

vpn_mngr_interface.png

  10. Create policies using the VPN Manager zone.

 

vpn_mngr_policy.png
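
Because VPN Manager leaves the phase 2 selectors at 0.0.0.0/0.0.0.0, the policies built on the VPN zone are the only access control for dial-up clients. The following added example (not part of the original article and not Fortinet code) parses a constructed FortiGate `config firewall policy` section and flags accept policies sourced from the VPN zone that use `all` addresses or the `ALL` service; the zone name `vpn_zone` and the address object names are placeholders.

```python
import re

# Constructed sample policy section; "vpn_zone" and the address names are placeholders.
SAMPLE_CONFIG = '''\
config firewall policy
    edit 1
        set srcintf "vpn_zone"
        set dstintf "internal"
        set srcaddr "dialup-client-range"
        set dstaddr "internal-servers"
        set action accept
        set service "HTTPS" "SSH"
    next
    edit 2
        set srcintf "vpn_zone"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
'''

def parse_policies(config_text):
    """Return {policy_id: {field: [values]}} from a 'config firewall policy' block."""
    policies, current = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            current = policies.setdefault(int(line.split()[1]), {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            _, field, rest = line.split(None, 2)
            # Values are either quoted ("HTTPS" "SSH") or bare (accept).
            current[field] = re.findall(r'"([^"]*)"', rest) or rest.split()
    return policies

def overly_broad(policies, vpn_zone):
    """Flag accept policies sourced from the VPN zone that use all/ALL."""
    findings = []
    for pid, p in sorted(policies.items()):
        if vpn_zone not in p.get("srcintf", []) or p.get("action") != ["accept"]:
            continue
        broad = [f for f in ("srcaddr", "dstaddr", "service")
                 if any(v.lower() == "all" for v in p.get(f, []))]
        if broad:
            findings.append((pid, broad))
    return findings
```

Running `overly_broad(parse_policies(SAMPLE_CONFIG), "vpn_zone")` on the sample reports policy 2 only, since policy 1 restricts source, destination and service.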
