Define the IPsec configuration
At each spoke, create the following configuration.
To define the Phase 1 parameters
1. At the spoke, go to VPN > IPsec > Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button). Enter the following information:
   Name: Type a name, for example, toHub.
   Remote Gateway: Select Static IP Address.
   IP Address: Enter 172.16.10.1.
   Local Interface: Select Port2.
   Mode: Main
   Authentication Method: Preshared Key
   Pre-shared Key: Enter the preshared key. The value must be identical to the preshared key that you specified previously in the FortiGate_1 configuration.
   Peer Options: Select Any peer ID.
To define the Phase 2 parameters
1. Open the Phase 2 Selectors panel (if it is not available, you may need to click the Convert to Custom Tunnel button).
2. Enter the following information and select OK:
   Name: Enter a name for the tunnel, for example, toHub_ph2.
   Phase 1: Select the name of the Phase 1 configuration that you defined previously, for example, toHub.
   Advanced: Select to show the following Quick Mode Selector settings.
   Source: Enter the address of the protected network at this spoke. For spoke_1, this is 10.1.1.0/24. For spoke_2, this is 10.1.2.0/24.
   Destination: Enter the aggregate protected subnet address, 10.1.0.0/16.
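
The following check is an added example, not part of the original handbook: before entering the Quick Mode selectors at each spoke, it verifies that every spoke Source lies inside the aggregate Destination and that no two spokes overlap, then renders the Phase 2 settings. The function names, the rule that a spoke may not equal the aggregate, and the FortiOS CLI rendering (phase2-interface, src-subnet, dst-subnet) are assumptions of this example; the page itself describes only the web-based manager.

```python
import ipaddress

AGGREGATE = ipaddress.ip_network("10.1.0.0/16")  # Destination selector from the page
SPOKES = {"spoke_1": "10.1.1.0/24", "spoke_2": "10.1.2.0/24"}  # Source selectors from the page

def check_selectors(spokes, aggregate=AGGREGATE):
    """Return a list of problems; an empty list means the selector plan is consistent."""
    problems, nets = [], {}
    for name, cidr in spokes.items():
        try:
            # strict=True rejects addresses with host bits set, e.g. 10.1.1.5/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        nets[name] = net
        # Assumption of this example: a spoke must be a proper subnet of the aggregate.
        if (net.version != aggregate.version or net == aggregate
                or not net.subnet_of(aggregate)):
            problems.append(f"{name}: {net} is not a proper subnet of {aggregate}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b}: {nets[a]} overlaps {nets[b]}")
    return problems

def phase2_cli(cidr, aggregate=AGGREGATE, name="toHub_ph2", phase1="toHub"):
    """Render the Phase 2 selectors as FortiOS CLI (CLI form is assumed, not from the page)."""
    src = ipaddress.ip_network(cidr, strict=True)
    return "\n".join([
        "config vpn ipsec phase2-interface",
        f'    edit "{name}"',
        f'        set phase1name "{phase1}"',
        f"        set src-subnet {src.network_address} {src.netmask}",
        f"        set dst-subnet {aggregate.network_address} {aggregate.netmask}",
        "    next",
        "end",
    ])

if __name__ == "__main__":
    issues = check_selectors(SPOKES)
    for line in issues:
        print("PROBLEM:", line)
    if not issues:
        for spoke, cidr in SPOKES.items():
            print(f"# {spoke}\n{phase2_cli(cidr)}\n")
```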