
Handbook

Configure the spokes

6.0.0
Doc ID 4afb0436-a998-11e9-81a4-00505692583a:57609

Configure the spokes

Although this procedure assumes that the spokes are all FortiGate units, a spoke could also be VPN client software, such as FortiClient Endpoint Security.

Perform these steps at each FortiGate unit that will act as a spoke.

Creating the Phase 1 and Phase 2 configurations

  1. At the spoke, define the Phase 1 parameters that the spoke will use to establish a secure connection with the hub. See Phase 1 parameters. Enter these settings:

     Remote Gateway: Select Static IP Address.
     IP Address: Type the IP address of the hub interface that this spoke connects to.

  2. Create the Phase 2 tunnel definition. See Phase 2 parameters. Select the set of Phase 1 parameters that you defined for the hub. You can select the name of the hub from the Static IP Address part of the list.

Configuring security policies for hub-to-spoke communication

  1. Create an address for this spoke. See Defining policy addresses. Enter the IP address and netmask of the private network behind the spoke.
  2. Create an address to represent the hub. See Defining policy addresses. Enter the IP address and netmask of the private network behind the hub.
  3. Define the security policy to enable communication with the hub.

Route-based VPN security policy

Define two security policies to permit communications to and from the hub.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter these settings for the inbound (hub-to-spoke) policy:

     Incoming Interface: Select the virtual IPsec interface you created.
     Source Address: Select the hub address you defined.
     Outgoing Interface: Select the spoke’s interface to the internal (private) network.
     Destination Address: Select the spoke address you defined.
     Action: Select ACCEPT.
     Enable NAT: Enable.

  4. Select Create New, leave the Policy Type as Firewall and leave the Policy Subtype as Address, and enter these settings for the outbound (spoke-to-hub) policy:

     Incoming Interface: Select the spoke’s interface to the internal (private) network.
     Source Address: Select the spoke address you defined.
     Outgoing Interface: Select the virtual IPsec interface you created.
     Destination Address: Select the hub address you defined.
     Action: Select ACCEPT.
     Enable NAT: Enable.

Policy-based VPN security policy

Define an IPsec security policy to permit communications with the hub. See Defining VPN security policies.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter these settings in particular:

     Incoming Interface: Select the spoke’s interface to the internal (private) network.
     Source Address: Select the spoke address you defined.
     Outgoing Interface: Select the spoke’s interface to the external (public) network.
     Destination Address: Select the hub address you defined.
     VPN Tunnel: Select Use Existing and select the name of the Phase 1 configuration you defined.
     Allow traffic to be initiated from the remote site: Select this option to enable traffic from the remote network to initiate the tunnel.

Configuring security policies for spoke-to-spoke communication

Each spoke requires security policies to enable communication with the other spokes. Instead of creating separate security policies for each spoke, you can create an address group that contains the addresses of the networks behind the other spokes. The security policy then applies to all of the spokes in the group.

  1. Define destination addresses to represent the networks behind each of the other spokes. Add these addresses to an address group.
  2. Define the security policy to enable communication between this spoke and the spokes in the address group you created.

Route-based VPN security policy

Define two security policies to permit communications to and from the other spokes.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter these settings in particular:

     Incoming Interface: Select the virtual IPsec interface you created.
     Source Address: Select the spoke address group you defined.
     Outgoing Interface: Select the spoke’s interface to the internal (private) network.
     Destination Address: Select this spoke’s address name.
     Action: Select ACCEPT.
     Enable NAT: Enable.

  4. Select Create New, leave the Policy Type as Firewall and leave the Policy Subtype as Address, and enter these settings:

     Incoming Interface: Select the spoke’s interface to the internal (private) network.
     Source Address: Select this spoke’s address name.
     Outgoing Interface: Select the virtual IPsec interface you created.
     Destination Address: Select the spoke address group you defined.
     Action: Select ACCEPT.
     Enable NAT: Enable.

Policy-based VPN security policy

Define an IPsec security policy to permit communications with the other spokes. See Defining VPN security policies.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter these settings in particular:

     Incoming Interface: Select this spoke’s internal (private) network interface.
     Source Address: Select this spoke’s source address.
     Outgoing Interface: Select the spoke’s interface to the external (public) network.
     Destination Address: Select the spoke address group you defined.
     VPN Tunnel: Select Use Existing and select the name of the Phase 1 configuration you defined.
     Allow traffic to be initiated from the remote site: Select this option to enable traffic from the remote network to initiate the tunnel.

  3. In the policy list, place this policy above any other policies that have similar source and destination addresses.
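The following FortiOS CLI configuration is an added example, not part of this handbook page, that carries out the route-based (interface mode) variant of both the hub-to-spoke and the spoke-to-spoke procedures above on a single spoke. Every name and address in it is a constructed placeholder: "to_hub" for the virtual IPsec interface, "wan1" and "internal" for the spoke's public and private ports, 203.0.113.1 for the hub's public address, 10.1.0.0/24 for the hub LAN, 10.2.0.0/24 for this spoke's LAN and 10.3.0.0/24 for another spoke's LAN. The pre-shared key is a placeholder to be replaced. The static route at the end is not described on this page, but a route-based tunnel needs one so that traffic for the hub and the other spokes is sent into the IPsec interface.

```fortios
# Added example, not from the handbook page: route-based spoke configuration. Every name and address is a constructed placeholder.
# Phase 1 to the hub (Remote Gateway = Static IP Address, IP Address = the hub's public address).
config vpn ipsec phase1-interface
    edit "to_hub"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        set remote-gw 203.0.113.1
        set psksecret REPLACE_WITH_PRE_SHARED_KEY
    next
end

# Phase 2 bound to that Phase 1. Spoke-to-spoke traffic transits the hub, so the
# selectors are left at 0.0.0.0/0 to cover both the hub LAN and the other spokes' LANs.
config vpn ipsec phase2-interface
    edit "to_hub_p2"
        set phase1name "to_hub"
        set proposal aes256-sha256
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Policy addresses: this spoke's LAN, the hub LAN, and the other spokes' LANs in one address group.
config firewall address
    edit "spoke1_lan"
        set subnet 10.2.0.0 255.255.255.0
    next
    edit "hub_lan"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "spoke2_lan"
        set subnet 10.3.0.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "other_spokes"
        set member "spoke2_lan"
    next
end

# Four route-based policies: hub <-> this spoke and other spokes <-> this spoke. "to_hub" is the
# virtual IPsec interface, "internal" the private-side port. NAT is enabled to match the page's setting.
config firewall policy
    edit 0
        set name "hub_to_spoke1"
        set srcintf "to_hub"
        set dstintf "internal"
        set srcaddr "hub_lan"
        set dstaddr "spoke1_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "spoke1_to_hub"
        set srcintf "internal"
        set dstintf "to_hub"
        set srcaddr "spoke1_lan"
        set dstaddr "hub_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "spokes_to_spoke1"
        set srcintf "to_hub"
        set dstintf "internal"
        set srcaddr "other_spokes"
        set dstaddr "spoke1_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "spoke1_to_spokes"
        set srcintf "internal"
        set dstintf "to_hub"
        set srcaddr "spoke1_lan"
        set dstaddr "other_spokes"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Not covered on this page: a route-based tunnel also needs a route that sends hub and
# other-spoke traffic into the IPsec interface. Repeat the entry for each remote LAN.
config router static
    edit 0
        set dst 10.1.0.0 255.255.255.0
        set device "to_hub"
    next
end
```

The same objects serve the policy-based variant, except that the firewall policy then uses `set action ipsec` with `set vpntunnel "to_hub"` on the public interface, and `set inbound enable` corresponds to the "Allow traffic to be initiated from the remote site" option; because each policy matches on the address group rather than on individual spoke addresses, adding a spoke later only requires a new address object and a new group member, not a new policy.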
