Using aggregated subnets
If you are creating a new network, where subnet IP addresses are not already assigned, you can simplify the VPN configuration by assigning spoke subnets that are part of a large subnet.
All spokes use the large subnet address, 10.1.0.0/16 for example, as
• the IPsec destination selector
• the destination of the security policy from the private subnet to the VPN (required for policy-based VPN, optional for route-based VPN)
• the destination of the static route to the VPN (route-based)
Each spoke uses the address of its own protected subnet as the IPsec source selector and as the source address in its VPN security policy. The remote gateway is the public IP address of the hub FortiGate unit.
