Steps executed on a FortiGate 60F running FortiOS 7.2.4
Step 1: Create a Location
Go to Policy Locations and create a new Location
Add name, subnet range name and subnet range
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/fff6732da3f7407b8824963049283df8.png)
Step 2: Create IPsec tunnel
On the Axis Admin Portal:
Go to Settings > Connectors > Tunnel
Create a new IPsec tunnel and associate it with the Location you created in step 1
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/1d5334ae73584cd59e6bd4cca351f398.png)
Step 3: Create a Policy Rule
Go to Policy > Rules
Add a new rule, make sure to set the Source as your home location, set the action to "Allow", and click Apply/Commit changes
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/3a406e8387d14db48c178c0d7aa65506.png)
Step 4: Create Custom Tunnel on the FortiGate
Click Next
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/4807989c16fd4e1e994901e2e2e748a1.png)
Step 5: IPsec generic settings
Chosen settings:
· Choose dynamic DNS (non-standard setting)
· Choose Mode Config (non-standard setting): the remote site will inject the default route
· NAT traversal (standard setting)
· The rest are all standard settings too
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/883f496076d44fb2bce090929dbe53a9.png)
Step 6: Phase 1, PSK settings
Fill in the PSK and choose IKE Version 2.
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/1c8ae3298514411f9a5783e0c01bbfc4.png)
Step 7: Phase 1 proposal settings
Leave the standard settings in place, but make sure the "ID" field of the Axis Tunnel matches the "Local ID" field.
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/6a600841fb8544caa3368e70916534c3.png)
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/dedce7e1725c453993db80398974e9f5.png)
Step 8: Phase 2 settings
Just use the standard settings
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/a5385b63b18041b1a7f2011b357adfda.png)
Step 9: Create new SD-WAN Zone
Create a new SD-WAN Zone and add the new Axis interfaces
In my case: SD-WAN Zone "Overlay"
Interfaces: Axis-Primary and Axis-Backup
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/e5e5c5d6cb0746469d52d20e1a62a4a4.png)
Step 10: Add the Axis Interfaces to IP SLA (not mandatory)
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/4026182683134b738af5963d1e2842f2.png)
Step 11: Create SD-WAN Rule
Make sure to select the new SD-WAN Zone and appropriate source
Destination can be anything
Interfaces have to be the Axis VPN interfaces
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/5fd20ce250b8452c856f79dd0dee0ad1.png)
Step 12: Add Firewall Policies
Add two Firewall Policies with NAT disabled to and from Axis to your local subnet
In my case I created a test VLAN called Axis, allocated a subnet which I named "Axis address"
Outgoing interface should be the newly created SD-WAN Zone (Overlay in my case) for all traffic towards Axis VPN and the opposite for return traffic.
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/132dbf4574bc4b9aa4283069db6eaa7b.png)
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/0cf949d5626045aeb741b73c3c090883.png)
Proof that my iPhone is using Axis Cloud
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/e2e42bed58064359b9958c5386bb3cd1.png)
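To confirm that the non-standard choices from steps 5 to 7 and the NAT-disabled policies from step 12 actually landed in the configuration, a `show` export can be audited offline. The script below is an added example, not part of the original post; it assumes flat `config`/`edit`/`set` sections, and the tunnel IDs and policy number in the sample are constructed.

```python
# Constructed FortiOS `show` excerpt; tunnel IDs and the policy number are made up.
SAMPLE = '''
config vpn ipsec phase1-interface
    edit "Axis-Primary"
        set type ddns
        set ike-version 2
        set mode-cfg enable
        set localid "axis-tunnel-id-1"
    next
    edit "Axis-Backup"
        set type ddns
        set mode-cfg enable
        set localid "wrong-id"
    next
end
config firewall policy
    edit 10
        set dstintf "Overlay"
        set nat enable
    next
end
'''

def parse(text):
    """Return {section: {entry: {key: value}}}; assumes no nested config blocks."""
    cfg, section, entry = {}, None, None
    for line in text.splitlines():
        tok = line.split(None, 2) or [""]
        if tok[0] == "config":
            section, entry = line.strip()[7:], None
        elif tok[0] == "edit" and section:
            entry = tok[1].strip('"')
            cfg.setdefault(section, {})[entry] = {}
        elif tok[0] == "set" and entry is not None and len(tok) == 3:
            cfg[section][entry][tok[1]] = tok[2].strip().strip('"')
    return cfg

def audit(text, axis_ids, zone="Overlay"):
    """Return deviations from the settings chosen in steps 5-7 and 12."""
    cfg, out = parse(text), []
    want = {"type": "ddns", "mode-cfg": "enable", "ike-version": "2"}
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        out += [f"{name}: {k} is not {v}" for k, v in want.items() if p1.get(k) != v]
        if p1.get("localid") != axis_ids.get(name):
            out.append(f"{name}: localid differs from the Axis tunnel ID")
    for pid, pol in cfg.get("firewall policy", {}).items():
        if zone in (pol.get("srcintf"), pol.get("dstintf")) and pol.get("nat") == "enable":
            out.append(f"policy {pid}: NAT is enabled")
    return out
```

Call `audit(config_text, {"Axis-Primary": "<ID from the Axis tunnel>", ...})` with the IDs shown in the Axis Admin Portal; an empty list means the checked settings match the steps above.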