
DO NOT REPRINT

© FORTINET
Lab 5: Configuring a Site-to-Site IPsec VPN

In this lab, you will configure a point-to-point IPsec VPN between two FortiGate devices. You will also configure
redundant VPN tunnels with failover capability between the two FortiGate devices.

Objectives
- Deploy a site-to-site VPN between two FortiGate devices.
- Compare route-based to policy-based VPNs.
- Monitor VPN tunnels.
- Configure redundant VPNs between two FortiGate devices.

Time to Complete
Estimated: 60 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file to Remote-FortiGate and Local-FortiGate.

Make sure to restore the correct configuration on each FortiGate using the following
steps. Failure to restore the correct configuration on each FortiGate will prevent you
from doing the lab exercise.

To restore the Remote-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the
user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

72 FortiGate Infrastructure 6.0 Lab Guide


Fortinet Technologies Inc.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiGate-Infrastructure > Site-to-Site-IPsec > Route-vs-Policy-based-IPSEC > remote-rvp.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the Local-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiGate-Infrastructure > Site-to-Site-IPsec > Route-vs-Policy-based-IPSEC > local-rvp.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: Configuring Route-Based IPsec VPN

During this lab, you will configure an IPsec tunnel between Local-FortiGate and the Remote-FortiGate for
communication between the Local-Windows VM and Remote-Windows VM.

Create a VPN Using the VPN Wizard

Now, you will configure Local-FortiGate using the VPN wizard, which creates the IPsec in route-based mode.

To create a VPN using the VPN wizard


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click VPN > IPsec Tunnels.
3. Click Create New.
4. Configure the following settings:

Field                 Value
Name                  ToRemote
Template Type         Site to Site
Remote Device Type    FortiGate
NAT Configuration     No NAT between sites

5. Click Next.
6. Configure the following settings:

Field                   Value
Remote Device           IP Address
IP Address              10.200.3.1
Outgoing interface      port1
Authentication Method   Pre-shared Key
Pre-shared Key          fortinet

7. Click Next.
8. Configure the following settings:

Field             Value
Local Interface   port3
Local Subnets     10.0.1.0/24
Remote Subnets    10.0.2.0/24

9. Click Create.
You should see the following screen:

10. Click Show Tunnel List.


You will see the VPN you just created.

Review the Objects Created by the VPN Wizard

Now, you will review the objects that were created by the VPN wizard.

To review the objects created by the VPN wizard


1. Continuing on the Local-FortiGate GUI, click VPN > IPsec Tunnels.
2. Select the VPN you just created, and then click Edit.
Notice the quick mode selectors that the wizard configured for you.


You will need this information to configure the other FortiGate. The quick mode selectors on both sides must
mirror each other. In other words, the Local Address on one side must match the Remote Address on the
other side.

3. Click Cancel.
4. Click Network > Interfaces.
5. Click the plus (+) icon that appears beside port1.
You will see a new virtual interface named ToRemote (matching the phase 1 name).

Stop and think!


What does this virtual interface tell us about the VPN created by the wizard? Is it policy-based or route-
based?

The wizard created the VPN using a route-based configuration. FortiGate automatically adds an IPsec
virtual interface for each VPN configured as route-based. This does not happen in a policy-based
configuration.

A route-based VPN requires firewall policies and at least one route to the remote network. As you will see, the
wizard has created all of these additional objects for you.

6. Click Policy & Objects > Addresses, and then click the + sign to expand Address and Address Group.
Observe two new firewall address objects: ToRemote_local_subnet_1 and ToRemote_remote_subnet_1.

7. Click Policy & Objects > IPv4 Policy.

Observe the two new firewall policies: one from port3 to ToRemote and another from ToRemote to port3.
You will see that the Action in both cases is ACCEPT.

8. Click Network > Static Routes, and look at the static route added by the wizard.


Stop and think!


Why did the IPsec wizard add a second route using the blackhole interface?

FortiGate drops all packets routed to the blackhole interface. The IPsec wizard added two static routes: one
to the IPsec virtual interface, with a distance of 10, and one to the blackhole interface, with a distance of
254. The route with the lowest distance, the one to the IPsec virtual interface, takes precedence. However,
if the VPN is down, the route to the blackhole interface becomes active, even though it was originally the
higher-distance route. So, traffic destined for the VPN is now routed to the blackhole interface and dropped.
The route to the blackhole interface prevents FortiGate from sending VPN traffic to the default route while
the VPN is down. The route to the blackhole interface also prevents FortiGate from creating unnecessary
sessions in the session table.
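The route selection described above, as an added example that is not part of the lab guide: a small model of the Local-FortiGate routing table after the wizard runs (IPsec virtual interface at distance 10, blackhole at distance 254, plus an assumed default route on port1), showing which route carries VPN-bound traffic with the tunnel up and with it down, and what would happen without the blackhole route. Interface states and the non-VPN test address are constructed inputs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class StaticRoute:
    dst: str       # destination prefix in CIDR notation
    device: str    # outgoing interface name, or "blackhole"
    distance: int  # administrative distance (lower wins)


# Local-FortiGate routing table after the wizard runs. The default route via
# port1 is an assumption about the lab topology; the two 10.0.2.0/24 routes
# are the ones the wizard created.
LOCAL_FGT_ROUTES = [
    StaticRoute("0.0.0.0/0", "port1", 10),         # default route (assumed)
    StaticRoute("10.0.2.0/24", "ToRemote", 10),    # IPsec virtual interface
    StaticRoute("10.0.2.0/24", "blackhole", 254),  # blackhole fallback
]


def active_route(routes, dst_ip, iface_up):
    """Return the route FortiGate would use for dst_ip, or None.

    Longest prefix match first, then lowest administrative distance. A route
    whose interface is down is not a candidate, which is why the distance-254
    blackhole route takes over when the tunnel interface goes down. The
    blackhole device is always considered up.
    """
    ip = ip_address(dst_ip)
    candidates = [
        r for r in routes
        if ip in ip_network(r.dst)
        and (r.device == "blackhole" or iface_up.get(r.device, False))
    ]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ip_network(r.dst).prefixlen, r.distance))


def forwarding_decision(routes, dst_ip, iface_up):
    """Name the egress interface for dst_ip, or 'dropped' for blackholed traffic."""
    route = active_route(routes, dst_ip, iface_up)
    if route is None or route.device == "blackhole":
        return "dropped"
    return route.device


# Same table without the blackhole route, to show what it protects against.
WITHOUT_BLACKHOLE = [r for r in LOCAL_FGT_ROUTES if r.device != "blackhole"]

if __name__ == "__main__":
    up = {"port1": True, "ToRemote": True}
    down = {"port1": True, "ToRemote": False}
    # Tunnel up: VPN traffic leaves through the IPsec virtual interface.
    print(forwarding_decision(LOCAL_FGT_ROUTES, "10.0.2.10", up))
    # Tunnel down: the blackhole route becomes active and the packet is dropped.
    print(forwarding_decision(LOCAL_FGT_ROUTES, "10.0.2.10", down))
    # Tunnel down and no blackhole route: the packet leaks to the default route.
    print(forwarding_decision(WITHOUT_BLACKHOLE, "10.0.2.10", down))
    # Non-VPN destination (constructed address) follows the default route.
    print(forwarding_decision(LOCAL_FGT_ROUTES, "198.51.100.7", down))
```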

Exercise 2: Configuring Policy-Based IPsec VPN

For learning purposes, you will configure the second FortiGate device differently. During this exercise, you will
create the VPN on Remote-FortiGate using a policy-based configuration, without using the wizard.

Show Policy-Based VPN Settings in the GUI

By default, policy-based configurations are hidden in the GUI. Now, you will show policy-based VPN settings in
the GUI.

To show policy-based VPN settings in the GUI


1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the
user name admin and password password.
2. Click System > Feature Visibility.
3. Under the Additional Features section, enable Policy-based IPsec VPN.
4. Click Apply.

Create a Policy-Based VPN

Now, you will create phases 1 and 2.

To create a policy-based VPN


1. Continuing on the Remote-FortiGate GUI, click VPN > IPsec Tunnels.
2. Click Create New.
3. Configure the following:

Field           Value
Name            ToLocal
Template Type   Custom

4. Click Next.
5. Disable Enable IPsec Interface Mode.

6. Configure the following settings:

Field                  Value
Remote Gateway         Static IP Address
IP Address             10.200.1.1
Interface              port4
Mode Config            <disable> (leave it unchecked)
NAT Traversal          <disable>
Dead Peer Detection    On Idle
Method                 Pre-shared Key
Pre-shared Key         fortinet

7. Keep the default values for the remaining settings.


8. In the Phase 2 Selectors section, click the edit icon to edit the settings.

9. Complete the following:

Field            Value
Local Address    10.0.2.0/24
Remote Address   10.0.1.0/24


10. Click OK.

Now the quick mode selectors on both sides mirror each other. If that is not the case,
the tunnel will not come up.
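A pre-flight check for the mirroring requirement above, added here and not part of the lab guide: it compares the phase 2 selectors entered on both FortiGates (the values from Exercises 1 and 2) and reports any pair that has no mirrored counterpart on the other side. The mismatched selector in the second sample is constructed to show the failure case.

```python
from ipaddress import ip_network

# Selectors as (local, remote) CIDR pairs, as entered in the GUI on each side.
LOCAL_TOREMOTE = [("10.0.1.0/24", "10.0.2.0/24")]   # Local-FortiGate, Exercise 1
REMOTE_TOLOCAL = [("10.0.2.0/24", "10.0.1.0/24")]   # Remote-FortiGate, Exercise 2
# Constructed typo: remote side entered a /25 instead of /24 for the peer subnet.
REMOTE_TYPO = [("10.0.2.0/24", "10.0.1.0/25")]


def normalize(selectors):
    """Turn (local, remote) CIDR strings into a set of network-object pairs."""
    return {(ip_network(local, strict=False), ip_network(remote, strict=False))
            for local, remote in selectors}


def _as_strings(pair):
    return (str(pair[0]), str(pair[1]))


def mirror_mismatches(side_a, side_b):
    """Return selector pairs on each side that are not mirrored by the other.

    A pair (L, R) on side A is mirrored when side B has (R, L). Any unmatched
    pair means the peers will not agree on that phase 2 and the tunnel will
    not come up for that traffic.
    """
    a, b = normalize(side_a), normalize(side_b)
    missing_on_b = {(l, r) for (l, r) in a if (r, l) not in b}
    missing_on_a = {(l, r) for (l, r) in b if (r, l) not in a}
    return {
        "a_without_mirror": sorted(_as_strings(p) for p in missing_on_b),
        "b_without_mirror": sorted(_as_strings(p) for p in missing_on_a),
    }


def selectors_mirror(side_a, side_b):
    """True when every selector on both sides has its mirror image on the other."""
    m = mirror_mismatches(side_a, side_b)
    return not m["a_without_mirror"] and not m["b_without_mirror"]


if __name__ == "__main__":
    print(selectors_mirror(LOCAL_TOREMOTE, REMOTE_TOLOCAL))   # lab values mirror
    print(mirror_mismatches(LOCAL_TOREMOTE, REMOTE_TYPO))     # shows the /25 typo
```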

Create a Firewall Policy for a Policy-Based VPN

Now, you will create a firewall policy to allow traffic. In a policy-based configuration, only one policy is required to
allow traffic initiated on either side. The policy is applied bidirectionally.

To create a firewall policy for a policy-based VPN


1. Continuing on the Remote-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Click Create New.
3. Configure the following settings:

Field                Value
Name                 VPN_traffic_to_Local FGT
Incoming Interface   port6
Outgoing Interface   port4
Source               REMOTE_SUBNET
Destination          LOCAL_SUBNET
Schedule             always
Service              ALL
Action               IPsec

VPN Tunnel                                               ToLocal
Allow traffic to be initiated from the remote site       <enable>

4. Click OK.

This is probably the first time you have seen the action IPsec for a firewall policy. In
previous exercises, the available actions were Accept and Deny only. IPsec is
displayed in the GUI only when the policy-based VPN settings are not hidden.

Move a Firewall Policy

The new policy was created below the firewall policy for Internet traffic. Now, you will need to move the new
policy up so that the VPN traffic matches it before the Internet policy.

To move a firewall policy


1. Continuing on the Remote-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Expand the list of firewall policies for port6 to port4.

3. Drag the policy VPN_traffic_to_Local FGT above the Internet policy.

Stop and think!
In the previous exercise, the VPN wizard added a static route for the VPN traffic. Why don't you need to add
a static route in this case?

The VPN wizard creates the IPsec VPN using a route-based configuration, which always requires additional
routes (usually static routes) to route the traffic through the IPsec virtual interface. This is usually not
required in a policy-based configuration. Policy-based configurations require the VPN traffic to match a
firewall policy with the action IPsec. Because traffic from 10.0.2.0/24 to 10.0.1.0/24 matches the
existing default route, and therefore the IPsec firewall policy from port6 to port4, no additional routes are needed.

Exercise 3: Testing and Monitoring the VPN

You have finished the configuration on both FortiGate devices. Now, you will test the VPN.

Test the VPN

Now, you will test the VPN.

To test the VPN


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click Monitor > IPsec Monitor.
Notice that the VPN is currently down.

3. Right-click the VPN, and then select Bring Up.

The Status column of the VPN contains a green up arrow, indicating that the tunnel is up.

Stop and think!


Do I always have to bring up the tunnel manually after creating it?

No. In the current configuration, the tunnel will stay down until you either bring it up manually, or there is
traffic that should be routed through the tunnel. Because you are not generating traffic between
10.0.1.0/24 and 10.0.2.0/24 yet, the tunnel is still down. If you had generated the required traffic
while the tunnel was down, it would have come up automatically.

4. On the Local-Windows VM, open a command prompt window, and then run the following command to ping
Remote-Windows:
ping 10.0.2.10

The ping should work.

5. Close the command prompt window.


6. Return to the Local-FortiGate GUI, and then click Monitor > IPsec Monitor.
7. Click Refresh to refresh the screen.

You will notice that counters for Incoming Data and Outgoing Data have increased. This indicates that the
traffic between 10.0.1.10 and 10.0.2.10 is successfully being encrypted and routed through the tunnel.

Exercise 4: Configuring an IPsec VPN Between Two FortiGate Devices

In this exercise, you will configure one VPN for redundancy between Local-FortiGate and Remote-FortiGate.

Prerequisites

Before beginning this lab, you must restore a configuration file on Remote-FortiGate and Local-FortiGate.

Make sure to restore the correct configuration on each FortiGate using the following
steps. Failure to restore the correct configuration on each FortiGate will prevent you
from doing the lab exercise.

Once you load the configurations, Remote-FortiGate will be pre-configured for VPN
redundancy. The steps to configure Remote-FortiGate are not included in this exercise;
however, this exercise provides instructions for reviewing the Remote-FortiGate
configuration.

To restore the Remote-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the
user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiGate-Infrastructure > Site-to-Site-IPsec > Redundant IPsec VPN >
remote-redundant-VPN.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the Local-FortiGate configuration file
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiGate-Infrastructure > Site-to-Site-IPsec > Redundant IPsec VPN >
local-redundant-VPN.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

Create Phases 1 and 2 on Local-FortiGate

Now, you will configure the IPsec VPN by creating phases 1 and 2.

To create phases 1 and 2


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click VPN > IPsec Tunnels, and then click Create New.
3. Complete the following:

Field           Value
Name            Remote_1
Template Type   Custom

4. Click Next.
5. In the Network section, configure the following settings:

Field                 Value
Remote Gateway        Static IP Address
IP Address            10.200.3.1
Interface             port1
Dead Peer Detection   On Idle

6. In the Authentication section, configure the following settings:

Field            Value
Method           Pre-shared Key
Pre-shared Key   fortinet

7. Keep the default values for the remaining settings.


8. Click OK.

Create a Static Route for a Route-based VPN on Local-FortiGate

The VPN was created as route-based. This means that the VPN requires at least one route (static or dynamic) to
forward the traffic through the tunnel. Now, you will create a static route for that purpose.

To create a static route for a route-based VPN


1. Continuing on the Local-FortiGate GUI, click Network > Static Routes.
2. Click Create New.
3. Configure the following settings:

Field         Value
Destination   Subnet: 10.0.2.0/24
Interface     Remote_1

4. Click OK.

Create an Interface Zone on Local-FortiGate

Now, you will create an interface zone that will include the two IPsec virtual interfaces (the virtual IPsec
interfaces for the primary and secondary VPNs). It is not mandatory to have an interface zone for redundant
VPNs, but it minimizes the number of firewall policies you must create later.

To create an interface zone
1. Continuing on the Local-FortiGate GUI, click Network > Interfaces.
2. Click Create New, and then select Zone.

3. Configure the following settings:

Field               Value
Name                VPN
Interface Members   Remote_1

4. Click OK.

You will add a second VPN interface to the zone in a later exercise, when you
configure a backup VPN.

Create Firewall Policies for VPN Traffic on Local-FortiGate

Now, you will create two firewall policies between port3 and VPN, one for each traffic direction.

To create the firewall policies for VPN traffic


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Click Create New.
3. Configure the following settings:

Field                Value
Name                 Remote_out
Incoming Interface   port3
Outgoing Interface   VPN
Source               LOCAL_SUBNET

Destination          REMOTE_SUBNET
Schedule             always
Service              ALL
Action               ACCEPT

4. In the Firewall/Network Options section, disable NAT.


5. Click OK.
6. Click Create New one more time.
7. Configure the following settings:

Field                Value
Name                 Remote_in
Incoming Interface   VPN
Outgoing Interface   port3
Source               REMOTE_SUBNET
Destination          LOCAL_SUBNET
Schedule             always
Service              ALL
Action               ACCEPT

8. In the Firewall/Network Options section, disable NAT.


9. Click OK.

Review the VPN Configuration on Remote-FortiGate

For the purposes of this lab, Remote-FortiGate is preconfigured for you. This configuration was included in the
configuration file you uploaded at the beginning of this exercise. You can review this configuration by completing
the steps that follow.

To review the Remote-FortiGate configuration


1. Continuing on the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1
with the user name admin and password password.
2. To review the VPN configuration, click VPN > IPsec Tunnels, and review Local_1.
3. To review the static route for the route-based VPN, click Network > Static Routes, and review Local_1.
4. To review the interface zone, click Network > Interfaces, and in the Zone section, expand VPN, and review
Local_1.
5. To review the firewall policies for VPN traffic on Remote-FortiGate, click Policy & Objects > IPv4 Policy, and
review Local_out and Local_in.

Test the IPsec VPN

Now, you will test the VPN by generating some traffic and confirming that the VPN comes up.

To test the IPsec VPN


1. Continuing on the Local-Windows VM, open a command prompt window.
2. Generate a ping to the Remote-Windows VM (10.0.2.10):
ping 10.0.2.10

FortiGate may not have previously established the VPN. If so, the first few pings will
fail while FortiGate negotiates and establishes the VPN.

3. Return to the browser tab where you are logged into the Local-FortiGate GUI, and click Monitor > IPsec
Monitor.
4. Confirm that the Remote_1 VPN is up.
You should see a green arrow in the Status column.

5. Close the command prompt.

Exercise 5: Configuring a Backup IPsec VPN

In this exercise, you will create a second route-based VPN for redundancy. This time, configure the VPN from
Local-FortiGate port2 to Remote-FortiGate port5.

Remote FortiGate is pre-configured for VPN redundancy.

Configure a Backup VPN on Local-FortiGate

Now, you will configure a backup VPN on Local-FortiGate.

Take the Expert Challenge!


On the Local-FortiGate GUI (10.0.1.254 | admin/password), configure the following to create a
route-based redundant VPN:

1. Create a new VPN IPsec tunnel:


- Use Remote_2 for the VPN name.
- Use 10.200.4.1 for the remote IP address.
- Use port2 for the interface.
2. Add a static route using Remote_2 with administrative distance of 20. Note the Distance and Priority
values of the existing default route.
3. Edit the network interface zone named VPN, and in Interface Members add Remote_2.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Review the Backup VPN Configuration on Remote-FortiGate on
page 93.

To configure a backup VPN on Local-FortiGate


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Repeat the configuration steps in To create phases 1 and 2 on page 87 to create phases 1 and 2.
- Use Remote_2 for the VPN name.
- Use 10.200.4.1 for the remote IP address.
- Use port2 for the interface.

3. Click Network > Static Routes.
4. Click Create New.
5. Add the following static route:

Field                     Value
Destination               Subnet: 10.0.2.0/24
Interface                 Remote_2
Administrative Distance   20

6. Click OK.
7. Click Network > Interfaces.
8. Edit the zone VPN.
9. In the Interface Members field, add Remote_2.
10. Click OK.

Review the Backup VPN Configuration on Remote-FortiGate

For the purpose of this lab, Remote-FortiGate is preconfigured for you. This configuration was included in the
configuration file you uploaded at the beginning of the previous exercise. You can review this configuration by
completing the steps that follow.

To review the Remote-FortiGate configuration


1. Continuing on the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1
with the user name admin and password password.
2. To review the VPN configuration, click VPN > IPsec Tunnels, and review Local_2.
3. To review the static route for the route-based VPN, click Network > Static Routes and review Local_2.
4. To review the interface zone, click Network > Interfaces, and in the Zone section, expand VPN, and review
Local_2.
5. To review the firewall policies for VPN traffic on Remote-FortiGate, click Policy & Objects > IPv4 Policy, and
review Local_out and Local_in.

Test the VPN Redundancy

Now, you will test the VPN failover. You will use the sniffer tool to monitor which VPN the traffic is using.

To test the VPN redundancy


1. Continuing on Local-Windows, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
2. At the login prompt, enter the user name admin and password password.
3. Run the following command to sniff all ICMP traffic to 10.0.2.10 with verbosity 4:

diagnose sniffer packet any 'icmp and host 10.0.2.10' 4

4. Open a command prompt window, and then run a continuous ping to Remote-Windows:

ping -t 10.0.2.10

5. Return to the PuTTY session and view the sniffer output.
It will show that Local-FortiGate is routing the packets through the VPN Remote_1:

28.040086 port3 in 10.0.1.10 -> 10.0.2.10: icmp: echo request
28.040107 Remote_1 out 10.0.1.10 -> 10.0.2.10: icmp: echo request
28.041188 Remote_1 in 10.0.2.10 -> 10.0.1.10: icmp: echo reply
28.041196 port3 out 10.0.2.10 -> 10.0.1.10: icmp: echo reply

Now, you will simulate a failure in the VPN Remote_1 and observe how the FortiGate starts using the
secondary VPN Remote_2.

6. Return to the browser tab where you are logged into the Local-FortiGate GUI, and click Network > Interfaces.
7. Edit port1.
8. Set the Interface State to Disabled to bring down the tunnel Remote_1.
9. Click OK.
10. Wait a few minutes until FortiGate detects the failure in the VPN Remote_1 and reroutes the traffic through
Remote_2.
11. Return to the PuTTY session and view the sniffer output again.
Notice that the VPN Remote_2 is being used now:

546.352063 port3 in 10.0.1.10 -> 10.0.2.10: icmp: echo request
546.352090 Remote_2 out 10.0.1.10 -> 10.0.2.10: icmp: echo request
546.353546 Remote_2 in 10.0.2.10 -> 10.0.1.10: icmp: echo reply
546.353560 port3 out 10.0.2.10 -> 10.0.1.10: icmp: echo reply

12. Close the PuTTY session and command prompt.


13. To finish this exercise, return to the browser tab where you are logged on to the Local-FortiGate GUI, and click
Network > Interfaces.
14. Edit port1.
15. Return the Interface State to Enabled.
16. Click OK.

Omitting these last steps may prevent you from doing the next exercise.

17. Close your browser.
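The failover test above relies on reading the sniffer output by eye. As an added example that is not part of the lab guide, the following parses verbosity-4 lines from `diagnose sniffer packet`, counts which VPN interface each echo request left through, reports the moment the egress tunnel switched from Remote_1 to Remote_2, and flags replies that return on a different tunnel than the request used. The sample output is constructed from the lines shown in the exercise plus one extra ping round.

```python
import re
from collections import Counter

# One 'diagnose sniffer packet ... 4' line as shown in the lab, e.g.
# "28.040107 Remote_1 out 10.0.1.10 -> 10.0.2.10: icmp: echo request"
SNIFFER_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<direction>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)$"
)

VPN_INTERFACES = ("Remote_1", "Remote_2")

# Constructed sample: the lab's lines plus a second ping round before failover.
SAMPLE_OUTPUT = """\
28.040086 port3 in 10.0.1.10 -> 10.0.2.10: icmp: echo request
28.040107 Remote_1 out 10.0.1.10 -> 10.0.2.10: icmp: echo request
28.041188 Remote_1 in 10.0.2.10 -> 10.0.1.10: icmp: echo reply
28.041196 port3 out 10.0.2.10 -> 10.0.1.10: icmp: echo reply
29.040212 port3 in 10.0.1.10 -> 10.0.2.10: icmp: echo request
29.040230 Remote_1 out 10.0.1.10 -> 10.0.2.10: icmp: echo request
29.041301 Remote_1 in 10.0.2.10 -> 10.0.1.10: icmp: echo reply
29.041310 port3 out 10.0.2.10 -> 10.0.1.10: icmp: echo reply
546.352063 port3 in 10.0.1.10 -> 10.0.2.10: icmp: echo request
546.352090 Remote_2 out 10.0.1.10 -> 10.0.2.10: icmp: echo request
546.353546 Remote_2 in 10.0.2.10 -> 10.0.1.10: icmp: echo reply
546.353560 port3 out 10.0.2.10 -> 10.0.1.10: icmp: echo reply
"""


def parse_sniffer(text):
    """Parse sniffer lines into dicts; lines that do not match are ignored."""
    records = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            records.append(rec)
    return records


def _is_tunnel_request(r, tunnels):
    return r["direction"] == "out" and r["kind"] == "request" and r["iface"] in tunnels


def egress_tunnels(records, tunnels=VPN_INTERFACES):
    """Number of echo requests that left through each VPN interface."""
    return dict(Counter(r["iface"] for r in records if _is_tunnel_request(r, tunnels)))


def failover_events(records, tunnels=VPN_INTERFACES):
    """(timestamp, old_tunnel, new_tunnel) each time the egress tunnel changes."""
    events, current = [], None
    for r in records:
        if not _is_tunnel_request(r, tunnels):
            continue
        if current is not None and r["iface"] != current:
            events.append((r["ts"], current, r["iface"]))
        current = r["iface"]
    return events


def asymmetric_replies(records, tunnels=VPN_INTERFACES):
    """Replies that arrived on a different tunnel than the last request used."""
    flagged, last_request_iface = [], None
    for r in records:
        if r["iface"] not in tunnels:
            continue
        if r["direction"] == "out" and r["kind"] == "request":
            last_request_iface = r["iface"]
        elif r["direction"] == "in" and r["kind"] == "reply":
            if last_request_iface and r["iface"] != last_request_iface:
                flagged.append((r["ts"], last_request_iface, r["iface"]))
    return flagged


if __name__ == "__main__":
    recs = parse_sniffer(SAMPLE_OUTPUT)
    print(egress_tunnels(recs))       # {'Remote_1': 2, 'Remote_2': 1}
    print(failover_events(recs))      # [(546.35209, 'Remote_1', 'Remote_2')]
    print(asymmetric_replies(recs))   # []
```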
