Define the IPsec configuration
At each spoke, create the following configuration.
To define the Phase 1 parameters
1. At the spoke, go to VPN > IPsec > Auto Key (IKE).
2. Select Create Phase 1, enter the following information, and select OK:
   Name: Type a name, for example, toHub.
   Remote Gateway: Select Static IP Address.
   IP Address: Enter 172.16.10.1.
   Local Interface: Select Port2.
   Mode: Main
   Authentication Method: Preshared Key
   Pre-shared Key: Enter the preshared key. The value must be identical to the preshared key that you specified previously in the FortiGate_1 configuration.
   Peer Options: Select Accept any peer ID.
   Enable IPsec Interface Mode: Select Advanced to see this option. Enable the option to create a route-based VPN.
To define the Phase 2 parameters
1. Go to VPN > IPsec > Auto Key (IKE).
2. Select Create Phase 2, enter the following information, and select OK:
   Name: Enter a name for the tunnel, for example, toHub_ph2.
   Phase 1: Select the name of the phase 1 configuration that you defined previously, for example, toHub.
   Advanced: Select to show the following Quick Mode Selector settings.
      Source: Enter the address of the protected network at this spoke.
         For spoke_1, this is 10.1.1.0/24.
         For spoke_2, this is 10.1.2.0/24.
      Destination: Enter the aggregate protected subnet address, 10.1.0.0/16.
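The same Phase 1 and Phase 2 settings expressed as FortiOS CLI for spoke_1. This is an added example, not part of the original page; it assumes the web-based manager's Port2 is named port2 in the CLI, and the preshared key is shown as a placeholder. The lines starting with # are annotations.

```fortios
# Added example (spoke_1). Defining the Phase 1 under phase1-interface is
# what makes the VPN route-based (Enable IPsec Interface Mode).
config vpn ipsec phase1-interface
    edit "toHub"
        set type static
        # Assumption: Port2 in the web-based manager is "port2" in the CLI.
        set interface "port2"
        set remote-gw 172.16.10.1
        set mode main
        set authmethod psk
        # Placeholder: must be identical to the key configured on FortiGate_1.
        set psksecret <preshared-key-from-FortiGate_1>
        # Accept any peer ID.
        set peertype any
    next
end

config vpn ipsec phase2-interface
    edit "toHub_ph2"
        set phase1name "toHub"
        # Quick Mode selectors: this spoke's protected network as source,
        # the aggregate protected subnet as destination.
        # On spoke_2, use: set src-subnet 10.1.2.0 255.255.255.0
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.0.0
    next
end
```

Keeping the source selector at the spoke's own /24 rather than 0.0.0.0/0 limits what the tunnel will carry to the protected network the spoke is meant to expose.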