Configure the spokes
Although this procedure assumes that the spokes are all FortiGate units, a spoke could also be VPN client software, such as FortiClient Endpoint Security.
Perform these steps at each FortiGate unit that will act as a spoke.
To create the Phase 1 and phase_2 configurations
- At the spoke, define the Phase 1 parameters that the spoke will use to establish a secure connection with the hub. See Phase 1 parameters. Enter these settings:
| Remote Gateway | Select Static IP Address. |
| IP Address | Type the IP address of the interface that connects to the hub. |
- Create the Phase 2 tunnel definition. See Phase 2 parameters. Select the set of Phase 1 parameters that you defined for the hub. You can select the name of the hub from the Static IP Address part of the list.
Configuring security policies for hub-to-spoke communication
- Create an address for this spoke. See Defining VPN security policies. Enter the IP address and netmask of the private network behind the spoke.
- Create an address to represent the hub. See Defining VPN security policies. Enter the IP address and netmask of the private network behind the hub.
- Define the security policy to enable communication with the hub.
Route-based VPN security policy
Define two security policies to permit communications to and from the hub.
- Go to Policy & Objects > Policy > IPv4 and select Create New.
- Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
- Enter these settings:
| Incoming Interface | Select the virtual IPsec interface you created. |
| Source Address | Select the hub address you defined in Step 1. |
| Outgoing Interface | Select the spoke’s interface to the internal (private) network. |
| Destination Address | Select the spoke addresses you defined in Step 2. |
| Action | Select ACCEPT. |
| Enable NAT | Enable |
| Incoming Interface | Select the spoke’s interface to the internal (private) network. |
| Source Address | Select the spoke address you defined in Step 1. |
| Outgoing Interface | Select the virtual IPsec interface you created. |
| Destination Address | Select the hub destination addresses you defined in Step 2. |
| Action | Select ACCEPT. |
| Enable NAT | Enable |
Policy-based VPN security policy
Define an IPsec security policy to permit communications with the hub. See Defining VPN security policies.
- Go to Policy & Objects > Policy > IPv4 and select Create New.
- Enter these settings in particular:
| Incoming Interface | Select the spoke’s interface to the internal (private) network. |
| Source Address | Select the spoke address you defined in Step 1. |
| Outgoing Interface | Select the spoke’s interface to the external (public) network. |
| Destination Address | Select the hub address you defined in Step 2. |
| VPN Tunnel | Select Use Existing and select the name of the Phase 1 configuration you defined. Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel. |
Configuring security policies for spoke-to-spoke communication
Each spoke requires security policies to enable communication with the other spokes. Instead of creating separate security policies for each spoke, you can create an address group that contains the addresses of the networks behind the other spokes. The security policy then applies to all of the spokes in the group.
- Define destination addresses to represent the networks behind each of the other spokes. Add these addresses to an address group.
- Define the security policy to enable communication between this spoke and the spokes in the address group you created.
Policy-based VPN security policy
Define an IPsec security policy to permit communications with the other spokes. See Defining VPN security policies. Enter these settings in particular:
Route-based VPN security policy
Define two security policies to permit communications to and from the other spokes.
- Go to Policy & Objects > Policy > IPv4 and select Create New.
- Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
- Enter these settings in particular:
| Incoming Interface | Select the virtual IPsec interface you created. |
| Source Address | Select the spoke address group you defined in Step Configure the spokes . |
| Outgoing Interface | Select the spoke’s interface to the internal (private) network. |
| Destination Address | Select this spoke’s address name. |
| Action | Select ACCEPT. |
| Enable NAT | Enable |
- Select Create New, leave the Policy Type as Firewall and leave the Policy Subtype as Address, and enter these settings:
| Incoming Interface | Select the spoke’s interface to the internal (private) network. |
| Source Address | Select this spoke’s address name. |
| Outgoing Interface | Select the virtual IPsec interface you created. |
| Destination Address | Select the spoke address group you defined in Step 1. |
| Action | Select ACCEPT. |
| Enable NAT | Enable |
Policy-based VPN security policy
- Go to Policy & Objects > Policy > IPv4 and select Create New.
- Enter the following:
| Incoming Interface | Select this spoke’s internal (private) network interface. |
| Source Address | Select this spoke’s source address. |
| Outgoing Interface | Select the spoke’s interface to the external (public) network. |
| Destination Address | Select the spoke address group you defined in Step 1. |
| VPN Tunnel | Select Use Existing and select the name of the Phase 1 configuration you defined. Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel. |
Place this policy or policies in the policy list above any other policies having similar source and destination addresses.
Copyright © 2018 Fortinet, Inc. All Rights Reserved. | Terms of Service | Privacy Policy
