VPN gateway
Once you have created the VPN topology, you can create a managed or external gateway. The settings on these pages depend on the VPN topology selected.
Create a VPN external gateway:
1. Select the VPN topology and select Create New > External Gateway in the toolbar.
The Add VPN External Gateway page opens.
Figure 229: Add VPN External Gateway (Dial up topology)
2. Configure the following settings:
Node Type
Select either HUB or Spoke from the drop-down list.
Note: This menu item is available when Topology is Star or Dial up.
Gateway Name
Enter the gateway name.
Gateway IP
Select the gateway IP address from the drop-down list.
Hub IP
Select the hub IP address from the drop-down list.
Note: This menu item is available when Topology is Star or Dial up and Node Type is HUB.
Create Phase2 per Protected Subnet Pair
Select the checkbox to create a phase2 per protected subnet pair.
Peer Type
Select the peer type. Select one of the following:
Accept any peer ID
Accept this peer ID (enter the peer ID in the text field)
Accept a dialup group (select the group from the drop-down list)
A Local ID is an alphanumeric value assigned in the Phase 1 configuration. The Local ID of a peer is called a Peer ID.
The Local ID or peer ID can be used to uniquely identify one end of a VPN tunnel. This enables a more secure connection. Also, if you have multiple VPN tunnels negotiating, this ensures that the proper remote and local ends connect. When you configure it on your end, it is your Local ID. When the remote end connects to you, they see it as your peer ID.
If you are debugging a VPN connection, the Local ID is part of the VPN negotiations. You can use it to help troubleshoot connection problems.
The default configuration is to accept all local IDs (peer IDs). If you have the Local ID set, the remote end of the tunnel must be configured to accept your Local ID.
Note: This menu item is available when Topology is Dial up.
Protected Subnet
Select the address or address group from the drop-down list and select the plus (+) icon to add the entry. You can add multiple entries.
Local Gateway
Enter the local gateway in the text field.
3. Select OK to save the settings.
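The Peer Type and Local ID discussion above is easier to reason about with a small model. The following is an added example, not FortiManager or FortiOS code: it represents the three Peer Type options (accept any peer ID, accept this peer ID, accept a dialup group) and shows how the Local ID presented by a connecting peer decides which of several dial-up gateways it is matched to, and which gateways identify peers by nothing beyond the IKE credentials. The gateway names, peer IDs and the "most specific match first" ordering are assumptions made for this script.

```python
"""Peer ID acceptance for dial-up VPN gateways (added example, not vendor code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DialupGateway:
    name: str
    peer_type: str                        # "any", "this" or "group" (the Peer Type options)
    peer_id: str = ""                     # the single accepted ID when peer_type == "this"
    peer_group: frozenset = frozenset()   # IDs in the dialup group when peer_type == "group"


def accepts(gw: DialupGateway, remote_local_id: str) -> bool:
    """Would this gateway accept a peer whose Local ID (our Peer ID) is remote_local_id?"""
    if gw.peer_type == "any":
        return True                       # the default: every peer ID is accepted
    if gw.peer_type == "this":
        return remote_local_id == gw.peer_id
    if gw.peer_type == "group":
        return remote_local_id in gw.peer_group
    raise ValueError(f"unknown peer type {gw.peer_type!r}")


# Assumed ordering for this script: an exact peer ID beats a group, which beats "accept any".
_SPECIFICITY = {"this": 0, "group": 1, "any": 2}


def select_gateway(gateways, remote_local_id):
    """Return the gateway a negotiating peer is matched to, or None if no gateway accepts it."""
    for gw in sorted(gateways, key=lambda g: _SPECIFICITY[g.peer_type]):
        if accepts(gw, remote_local_id):
            return gw
    return None


def open_gateways(gateways):
    """Names of gateways that accept any peer ID, i.e. rely solely on the IKE credentials."""
    return [gw.name for gw in gateways if gw.peer_type == "any"]


# Constructed sample: three dial-up gateways on one hub.
GATEWAYS = (
    DialupGateway("branch-42", "this", peer_id="branch-42"),
    DialupGateway("field-staff", "group", peer_group=frozenset({"alice", "bob"})),
    DialupGateway("legacy-dialup", "any"),
)

if __name__ == "__main__":
    for local_id in ("branch-42", "alice", "unknown-device"):
        gw = select_gateway(GATEWAYS, local_id)
        print(f"{local_id:15} -> {gw.name if gw else 'rejected'}")
    print("gateways accepting any peer ID:", open_gateways(GATEWAYS))
```

Removing the "accept any" gateway from the tuple makes the unknown device land nowhere, which is the behaviour the text describes when the remote end has not been configured to accept your Local ID.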
Create a VPN managed gateway:
1. Select the VPN topology and select Create New > Managed Gateway in the toolbar.
The Add VPN Managed Gateway page opens.
Figure 230: Add VPN Managed Gateway (Dial up topology)
2. Configure the following settings:
Node Type
Select either HUB or Spoke from the drop-down list.
Note: This menu item is available when Topology is Star or Dial up.
Device
Select the device from the drop-down list.
Default VPN Interface
Select the default VPN interface from the drop-down list.
Hub-to-Hub Interface
Select the hub-to-hub interface from the drop-down list. This field is mandatory for multiple hubs.
Note: This menu item is available when Topology is Star or Dial up and Node Type is HUB.
Peer Type
Select the peer type. Select one of the following:
Accept any peer ID
Accept this peer ID (enter the peer ID in the text field)
Accept a dialup group (select the group from the drop-down list)
Note: This menu item is available when Topology is Dial up and Node Type is HUB.
Routing
Select either Manual (via Device Manager) or Automatic.
Summary Network(s)
Select the address or address group from the drop-down list, select the priority and select the plus (+) icon to add the entry. You can add multiple entries.
Note: This menu item is available when Topology is Star or Dial up and Node Type is HUB.
Protected Subnet
Select the address or address group from the drop-down list and select the plus (+) icon to add the entry. You can add multiple entries.
Enable IKE Configuration Method (“mode config”)
Select to enable IKE Configuration Method.
Note: This menu item is available when Topology is Dial up.
Enable IP Assignment
Select to enable IP assignment.
Note: This menu item is available when Topology is Dial up.
IP Assignment Mode
Select either Range or User Group from the drop-down list.
Note: This menu item is available when Topology is Dial up and Node Type is HUB.
IP Assignment Type
Select either IP or Subnet from the drop-down list.
Note: This menu item is available when Topology is Dial up, Node Type is HUB, and IP Assignment Mode is Range.
IPv4 Start IP
Enter the IPv4 start IP address.
Note: This menu item is available when Topology is Dial up, Node Type is HUB, and IP Assignment Mode is Range.
IPv4 End IP
Enter the IPv4 end IP address.
Note: This menu item is available when Topology is Dial up, Node Type is HUB, and IP Assignment Mode is Range.
IPv4 Netmask
Enter the IPv4 network mask.
Note: This menu item is available when Topology is Dial up, Node Type is HUB, and IP Assignment Mode is Range.
Add Route
Select the checkbox to add a route for this entry.
Note: This menu item is available when Topology is Dial up.
DNS Server #1
Enter the DNS server IP address to provide IKE Configuration Method to clients.
Note: This menu item is available when Topology is Dial up and Node Type is HUB.
DNS Server #2
Enter the DNS server IP address to provide IKE Configuration Method to clients.
Note: This menu item is available when Topology is Dial up and Node Type is HUB.
DNS Server #3
Enter the DNS server IP address to provide IKE Configuration Method to clients.
Note: This menu item is available when Topology is Dial up and Node Type is HUB.
WINS Server #1
Enter the WINS server IP address to provide IKE Configuration Method to clients.
Note: This menu item is available when Topology is Dial up and Node Type is HUB.
WINS Server #2
Enter the WINS server IP address to provide IKE Configuration Method to clients.
Note: This menu item is available when Topology is Dial up and Node Type is HUB.
IPv4 Split include
Select the address or address group from the drop-down list.
Note: This menu item is available when Topology is Dial up and Node Type is HUB.
Local Gateway
Enter the local gateway in the text field.
Exclusive IP Range
Enter the start IP and end IP and select the plus (+) icon to add the entry. You can add multiple entries.
Note: This menu item is available when Topology is Dial up and Node Type is HUB.
Advanced Options
For more information on the advanced options, see the FortiOS 5.0 CLI Reference.
 
authpasswd
Enter the XAuth client password for the FortiGate.
Note: This field is available when xauthtype is set to client.
 
authusr
Enter the XAuth client user name for the FortiGate.
Note: This field is available when xauthtype is set to client.
 
authusrgrp
Select the authentication user group from the drop-down list.
Note: This field is available when xauthtype is set to auto, pap, or chap.
When the FortiGate unit is configured as an XAuth server, enter the user group used to authenticate remote VPN peers. The user group can contain local users, LDAP servers, and RADIUS servers. The user group must be added to the FortiGate configuration before the group name can be cross-referenced.
 
banner
Enter the banner value.
Specify a message to send to IKE Configuration Method clients. Some clients display this message to users. This is available if mode-cfg (IKE Configuration Method) is enabled.
 
dns-mode
Select either manual or auto from the drop-down list.
auto: Assign DNS servers in the following order:
Servers assigned to interface by DHCP.
Per-VDOM assigned DNS servers.
Global DNS servers.
manual: Use DNS servers specified in DNS Server 1, DNS Server 2 etc.
 
domain
Enter the domain value.
 
public-ip
Enter the public IP value.
Use this field to configure a VPN on a dynamic interface. Set public-ip to the PPPoE-assigned address; although the interface is dynamic, this address remains static and does not change over time. See “VPN Console supports NAT device with a public IP feature” for more information.
 
unity-support
Select either enable or disable from the drop-down list.
 
xauthtype
Select the XAuth type from the drop-down list. Select one of: disable, client, pap, chap, or auto.
3. Select OK to save the settings.
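The managed-gateway page collects the IKE Configuration Method pool, exclusive ranges, protected subnets, DNS and XAuth settings as separate fields but does not check them against each other. The following added example (not FortiManager or FortiOS code) reads the same values from a plain dictionary and reports the inconsistencies a reviewer would look for before installing the gateway on a device: a pool that lies outside its netmask, an Exclusive IP Range outside the pool, a pool that collides with a Protected Subnet, dns-mode manual with no DNS server, an xauthtype without the credentials or user group it needs, and a banner that no client will ever see because mode-cfg is off. The dictionary keys, sample addresses and group name are constructed for this script.

```python
"""Consistency checks for a dial-up hub's managed-gateway settings (added example)."""
import ipaddress


def _addr(text):
    return ipaddress.ip_address(text)


def check_pool(cfg, problems):
    """IP Assignment Mode = Range: the pool, its netmask, exclusive ranges, protected subnets."""
    start, end = _addr(cfg["ipv4_start_ip"]), _addr(cfg["ipv4_end_ip"])
    if start > end:
        problems.append("IPv4 Start IP is higher than IPv4 End IP")
        return
    # The netmask describes the network the assigned addresses belong to.
    pool_net = ipaddress.ip_network(f"{start}/{cfg['ipv4_netmask']}", strict=False)
    if end not in pool_net:
        problems.append(f"IPv4 End IP {end} is outside {pool_net} implied by IPv4 Netmask")
    # Exclusive IP Ranges are carved out of the pool, so they must lie inside it.
    for lo, hi in cfg.get("exclusive_ip_ranges", []):
        if not (start <= _addr(lo) <= _addr(hi) <= end):
            problems.append(f"Exclusive IP Range {lo}-{hi} is not inside the pool {start}-{end}")
    # Addresses handed to clients must not collide with the resources behind the hub.
    for subnet in cfg.get("protected_subnets", []):
        net = ipaddress.ip_network(subnet, strict=False)
        if net.network_address <= end and net.broadcast_address >= start:
            problems.append(f"Pool {start}-{end} overlaps Protected Subnet {subnet}")


def check_gateway(cfg):
    """Return a list of human-readable problems; an empty list means the settings agree."""
    problems = []
    mode_cfg = cfg.get("mode_cfg", False)
    if mode_cfg and cfg.get("ip_assignment_mode") == "range":
        check_pool(cfg, problems)
    dns = cfg.get("dns_servers", [])
    if cfg.get("dns_mode") == "manual" and not dns:
        problems.append("dns-mode is manual but no DNS Server is configured")
    for server in dns:
        try:
            _addr(server)
        except ValueError:
            problems.append(f"DNS Server {server!r} is not an IP address")
    xauth = cfg.get("xauthtype", "disable")
    if xauth == "client" and not (cfg.get("authusr") and cfg.get("authpasswd")):
        problems.append("xauthtype client requires authusr and authpasswd")
    if xauth in ("auto", "pap", "chap") and not cfg.get("authusrgrp"):
        problems.append(f"xauthtype {xauth} requires authusrgrp (FortiGate acts as XAuth server)")
    if cfg.get("banner") and not mode_cfg:
        problems.append("banner is only delivered when IKE Configuration Method is enabled")
    return problems


# Constructed sample: a hub whose fields do not agree with each other.
BAD_HUB = {
    "mode_cfg": True, "ip_assignment_mode": "range",
    "ipv4_start_ip": "10.200.0.10", "ipv4_end_ip": "10.200.0.250",
    "ipv4_netmask": "255.255.255.0",
    "exclusive_ip_ranges": [("10.200.0.100", "10.200.1.5")],   # spills past End IP
    "protected_subnets": ["10.200.0.0/22"],                    # pool collides with the LAN
    "dns_mode": "manual", "dns_servers": [],                    # manual mode, nothing to hand out
    "xauthtype": "auto",                                        # no authusrgrp
    "banner": "Authorised use only",
}

# Constructed sample: the same hub with the fields reconciled.
GOOD_HUB = {
    "mode_cfg": True, "ip_assignment_mode": "range",
    "ipv4_start_ip": "10.200.0.10", "ipv4_end_ip": "10.200.0.250",
    "ipv4_netmask": "255.255.255.0",
    "exclusive_ip_ranges": [("10.200.0.200", "10.200.0.210")],
    "protected_subnets": ["192.168.10.0/24", "192.168.20.0/24"],
    "dns_mode": "manual", "dns_servers": ["192.168.10.53"],
    "xauthtype": "auto", "authusrgrp": "vpn-users",
    "banner": "Authorised use only",
}

if __name__ == "__main__":
    for name, cfg in (("BAD_HUB", BAD_HUB), ("GOOD_HUB", GOOD_HUB)):
        found = check_gateway(cfg)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

The pool-versus-protected-subnet check is the one most worth keeping: a client that is assigned an address already in use behind the hub silently shadows that host for the duration of the tunnel, and nothing in the dialog prevents it.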