Central VPN Console – FortiManager 5.2

VPN gateway

Once you have created the VPN topology, you can create a managed or external gateway. The settings on these pages are dependent on the VPN topology selected.

Create a VPN external gateway:

  1. Select the VPN topology, right-click, and select Config Gateways in the menu.
  2. Select Create New in the toolbar and select to create an External Gateway. The Add VPN External Gateway page opens.

Add VPN External Gateway (Dial up topology)

  • Configure the following settings:
Node Type Select either HUB orSpoke from the drop-down list.

This menu item is available when Topology is Star or Dial up.

Gateway Name Type the gateway name.
Gateway IP Select the gateway IP address from the drop-down list.
Hub IP Select the hub IP address from the drop-down list.

This menu item is available when Topology is Star or Dial up and Node Type is HUB.

Create Phase2 per Protected Subnet Pair Select the checkbox to create a phase2 per protected subnet pair.
Peer Type Select the peer type. Select one of the following:

l Accept any peer ID l Accept this peer ID (type the peer ID in the text field) l Accept a dialup group (select the group from the drop-down list) A Local ID is an alphanumeric value assigned in the Phase 1 configuration.

The Local ID of a peer is called a Peer ID.

The Local ID or peer ID can be used to uniquely identify one end of a VPN tunnel. This enables a more secure connection. Also if you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect. When you configure it on your end, it is your Local ID. When the remote end connects to you, they see it as your peer ID.

If you are debugging a VPN connection, the Local ID is part of the VPN negotiations. You can use it to help troubleshoot connection problems.

The default configuration is to accept all local IDs (peer IDs). If you have the Local ID set, the remote end of the tunnel must be configured to accept your Local ID.

This menu item is available when Topology is Dial up.

Protected Subnet Select the address or address group from the drop-down list and select the add icon to add the entry. You can add multiple entries.
Local Gateway Type the local gateway IP address in the text field.
  1. Select OK to save the settings.
  2. Select Return to return to the VPN topology page.

Create a VPN managed gateway:

  1. Select the VPN topology, right-click, and select Config Gateways in the menu.
  2. Select Create New in the toolbar and select to create a Managed Gateway. The Add VPN Managed Gateway page opens.

Add VPN Managed Gateway (Dial up topology)

  1. Configure the following settings:
Node Type Select either HUB orSpoke from the drop-down list.

This menu item is available when Topology is Star or Dial up.

Device Select the device from the drop-down list.
Default VPN Interface Select the default VPN interface from the drop-down list.
Hub-to-Hub Interface Select the hub-to-hub interface from the drop-down list. This field is mandatory for multiple hubs.

This menu item is available when Topology is Star or Dial up and Node Type is HUB.

 

Peer Type Select the peer type. Select one of the following:

l Accept any peer ID l Accept this peer ID (type the peer ID in the text field) l Accept a dialup group (select the group from the drop-down list)

This menu item is available when Topology is Dial up and Node Type is HUB.

Routing Select either Manual (via Device Manager) or Automatic.
Summary Network(s) Select the address or address group from the drop-down list, select the priority and select the add icon to add the entry. You can add multiple entries.

This menu item is available when Topology is Star or Dial up and Node Type is HUB.

Protected Subnet Select the address or address group from the drop-down list and select the add icon icon to add the entry. You can add multiple entries.
Enable IKE Configuration Method (“mode config”) Select to enable IKE Configuration Method.

This menu item is available when Topology is Dial up.

Enable IP Assignment Select to enable IP assignment.

This menu item is available when Topology is Dial up.

IP Assignment Mode Select either Range or UserGroup from the drop-down list.

This menu item is available when Topology is Dial up and Node Type is HUB.

IP Assignment Type Select either IP or Subnet from the drop-down list.

This menu item is available when Topology is Dial up, Node Type is HUB, and IP Assignment Mode is Range

IPv4 Start IP Type the IPv4 start IP address.

This menu item is available when Topology is Dial up, Node Type is HUB, and IP Assignment Mode is Range

IPv4 End IP Type the IPv4 end IP address.

This menu item is available when Topology is Dial up, Node Type is HUB, and IP Assignment Mode is Range

IPv4 Netmask Type the IPv4 network mask.

This menu item is available when Topology is Dial up, Node Type is HUB, and IP Assignment Mode is Range.

Add Route Select the checkbox to add a route for this entry.

This menu item is available when Topology is Dial up.

 

DNS Server #1 Type the DNS server IP address to provide IKE Configuration Method to clients. This menu item is available when Topology is Dial up and Node Type is HUB.
DNS Server #2 Type the DNS server IP address to provide IKE Configuration Method to clients. This menu item is available when Topology is Dial up and Node Type is HUB.
DNS Server #3 Type the DNS server IP address to provide IKE Configuration Method to clients. This menu item is available when Topology is Dial up and Node Type is HUB.
WINS Server #1 Type the WINS server IP address to provide IKE Configuration Method to clients. This menu item is available when Topology is Dial up and Node Type is HUB.
WINS Server #2 Type the WINS server IP address to provide IKE Configuration Method to clients. This menu item is available when Topology is Dial up and Node Type is HUB.
IPv4 Split Include Select the address or address group from the drop-down list.

This menu item is available when Topology is Dial up and Node Type is HUB.

Local Gateway Type the local gateway IP address in the text field.
Exclusive IP Range Type the start IP and end IP and select the add icon to add the entry. You can add multiple entries.

This menu item is available when Topology is Dial up and Node Type is HUB.

Advanced Options For more information on advanced options, see the FortiOS 5.2 CLI Reference.
authpasswd Type the XAuth client password for the FortiGate.

This field is available when xauthtype is set to client.

authusr Type the XAuth client user name for the FortiGate.

This field is available when xauthtype is set to client.

authusrgrp Select the authentication user group from the drop-down list.

This field is available when xauthtype is set to auto, pap, or chap.

When the FortiGate unit is configured as an XAuth server, type the user group to authenticate remote VPN peers. The user group can contain local users, LDAP servers, and RADIUS servers. The user group must be added to the FortiGate configuration before the group name can be cross referenced.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.