Name | Enter a name to identify the VPN in phase 2 configurations, security policies and the VPN monitor. |
Remote Gateway | The remote gateway is the other end of the VPN tunnel. There are three options. Static IP Address: Enter the spoke’s public IP address. You will need to create a phase 1 configuration for each spoke. Either the hub or the spoke can establish the VPN connection. Dialup User: No additional information is needed. The hub accepts connections from peers with appropriate encryption and authentication settings. Only one phase 1 configuration is needed for multiple dialup spokes. Only the spoke can establish the VPN tunnel. Dynamic DNS: If the spoke subscribes to a dynamic DNS service, enter the spoke’s Dynamic DNS domain name. Either the hub or the spoke can establish the VPN connection. For more information, see “Dynamic DNS configuration”. |
Local Interface | Select the FortiGate interface that connects to the remote gateway. This is usually the FortiGate unit’s public interface. |
Enable IPsec Interface Mode | You must select Advanced to see this setting. If IPsec Interface Mode is enabled, the FortiGate unit creates a virtual IPsec interface for a route-based VPN. Disable this option if you want to create a policy-based VPN. For more information, see “Comparing policy-based or route-based VPNs”. After you select OK to create the phase 1 configuration, you cannot change this setting. |
Name | Enter a name to identify this spoke phase 2 configuration. |
Phase 1 | Select the name of the phase 1 configuration that you defined for this spoke. |
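
The Remote Gateway options and the interface-mode choice described above can be inventoried from a hub's configuration backup, which shows at a glance which phase 1 entries accept dialup connections. This is an added example, not Fortinet's code; it assumes the FortiOS CLI records these choices as `set type static|dynamic|ddns` under `config vpn ipsec phase1-interface` (route-based) or `config vpn ipsec phase1` (policy-based), and every name and address in the sample is constructed.

```python
import re

# Remote Gateway options from the table, keyed by CLI "set type" (assumed; default is static).
GATEWAY_TYPES = {
    "static":  ("Static IP Address", "hub or spoke"),
    "dynamic": ("Dialup User", "spoke only"),
    "ddns":    ("Dynamic DNS", "hub or spoke"),
}

# Constructed sample backup; only the settings the audit reads are shown.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to-spoke1"
        set remote-gw 203.0.113.10
    next
    edit "dialup-spokes"
        set type dynamic
    next
    edit "to-spoke3"
        set type ddns
    next
end
config vpn ipsec phase1
    edit "legacy-spoke"
        set remote-gw 198.51.100.7
    next
end
"""

def audit_phase1(config_text):
    """Return one dict per phase 1 entry: name, VPN mode, gateway type, initiator."""
    entries, mode, depth, cur = [], None, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # only a top-level section decides the VPN mode
                m = re.fullmatch(r"config vpn ipsec (phase1(-interface)?)", line)
                mode = None if not m else "route-based" if m.group(2) else "policy-based"
        elif line == "end":
            depth -= 1
        elif mode and depth == 1 and line.startswith("edit "):
            cur = {"name": line[5:].strip('"'), "mode": mode, "type": "static"}
        elif cur and depth == 1 and line.startswith("set type "):
            cur["type"] = line.split()[2]
        elif cur and depth == 1 and line == "next":
            label, initiator = GATEWAY_TYPES.get(cur["type"], (cur["type"], "unknown"))
            entries.append({**cur, "gateway": label, "initiator": initiator})
            cur = None
    return entries
```

Entries reported as Dialup User are the ones where the hub accepts connections from any peer with matching encryption and authentication settings, so they are the first to review when checking who can reach the hub.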