Hub And Spoke Vpns; Configuring The Hub - Fortinet FortiGate FortiGate-500 Administration Manual

Hub and spoke VPNs

Hub and spoke VPNs

Configuring the hub

288
In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as
a hub. The peers that connect to the hub are known as spokes. The hub functions as
a concentrator on the network, managing the VPN connections between the spokes.
To configure a hub-and-spoke VPN, you must configure both the hub and spokes.
Use the following steps to configure the central FortiGate unit that functions as the
hub:
• add the VPN tunnels.
• add a VPN concentrator.
• add a firewall policy.
Note: You must add the VPN tunnels before adding the concentrator. You must also add the
concentrator before adding the firewall policy.
To configure the VPN settings for the hub
1 Configure a tunnel for each spoke. Choose between a manual key tunnel or an
AutoIKE tunnel.
Note: If you use manual key tunnels, the local SPI values for each spoke must be different.
2 Add a destination addresses for each spoke. The destination address is the address
of the spoke (either a client on the Internet or a network located behind a gateway).
See "To add an address" on page
3 Add the concentrator configuration. This step groups the tunnels together on the
FortiGate unit. The tunnels link the hub to the spokes. The tunnels are added as part
of the AutoIKE phase 2 configuration or the manual key configuration.
See "To add an address" on page
4 Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic
through the hub and allow inbound and outbound VPN connections between the hub
and the spokes. The encrypt policy for each spoke must include the tunnel name of
the spoke. The source address must be Internal_All. Use the following configuration
for the encrypt policies:
204.
204.
01-28006-0007-20041105
VPN
Fortinet Inc.