Configure the spokes
Although this procedure assumes that the spokes are all FortiGate units, a spoke could also be VPN client software, such as FortiClient Endpoint Security.
Perform these steps at each FortiGate unit that will act as a spoke.
Creating the Phase 1 and Phase 2 configurations
- At the spoke, define the Phase 1 parameters that the spoke will use to establish a secure connection with the hub. See Phase 1 parameters. Enter these settings:

| Setting | Value |
| --- | --- |
| Remote Gateway | Select Static IP Address. |
| IP Address | Type the IP address of the hub interface that the spoke connects to. |

- Create the Phase 2 tunnel definition. See Phase 2 parameters. Select the set of Phase 1 parameters that you defined for the hub. You can select the name of the hub from the Static IP Address part of the list.
Configuring security policies for hub-to-spoke communication
- Create an address for this spoke. See Defining policy addresses. Enter the IP address and netmask of the private network behind the spoke.
- Create an address to represent the hub. See Defining policy addresses. Enter the IP address and netmask of the private network behind the hub.
- Define the security policy to enable communication with the hub.
Route-based VPN security policy
Define two security policies to permit communications to and from the hub.
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
- Enter these settings for the first policy (hub to spoke):

| Setting | Value |
| --- | --- |
| Incoming Interface | Select the virtual IPsec interface you created. |
| Source Address | Select the hub address you defined. |
| Outgoing Interface | Select the spoke’s interface to the internal (private) network. |
| Destination Address | Select the spoke address you defined. |
| Action | Select ACCEPT. |
| Enable NAT | Enable |

- Create the second policy (spoke to hub) with these settings:

| Setting | Value |
| --- | --- |
| Incoming Interface | Select the spoke’s interface to the internal (private) network. |
| Source Address | Select the spoke address you defined. |
| Outgoing Interface | Select the virtual IPsec interface you created. |
| Destination Address | Select the hub address you defined. |
| Action | Select ACCEPT. |
| Enable NAT | Enable |
Policy-based VPN security policy
Define an IPsec security policy to permit communications with the hub. See Defining VPN security policies.
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Enter these settings in particular:

| Setting | Value |
| --- | --- |
| Incoming Interface | Select the spoke’s interface to the internal (private) network. |
| Source Address | Select the spoke address you defined. |
| Outgoing Interface | Select the spoke’s interface to the external (public) network. |
| Destination Address | Select the hub address you defined. |
| VPN Tunnel | Select Use Existing and select the name of the Phase 1 configuration you defined. |
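For reference, the route-based hub-to-spoke steps above in FortiOS CLI form. This is an added example, not text from the Fortinet documentation, and every name and address in it is a constructed assumption: hub public address 203.0.113.1, spoke WAN interface "wan1", spoke LAN interface "internal", hub LAN 10.1.0.0/24 and this spoke's LAN 10.2.0.0/24.

```text
# Added example (constructed values), not Fortinet's own configuration.
# Phase 1: Remote Gateway = Static IP Address, IP Address = the hub.
config vpn ipsec phase1-interface
    edit "to_hub"
        set interface "wan1"
        set remote-gw 203.0.113.1
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
# Phase 2: bound to the Phase 1 definition named above.
config vpn ipsec phase2-interface
    edit "to_hub_p2"
        set phase1name "to_hub"
    next
end
# Policy addresses for the networks behind this spoke and behind the hub.
config firewall address
    edit "spoke_lan"
        set subnet 10.2.0.0 255.255.255.0
    next
    edit "hub_lan"
        set subnet 10.1.0.0 255.255.255.0
    next
end
# Two policies: "edit 0" takes the next free policy ID.
# The page's "Enable NAT: Enable" would be "set nat enable"; it is left at the
# default here so hosts keep their real source addresses across the tunnel.
config firewall policy
    edit 0
        set name "hub_to_spoke"
        set srcintf "to_hub"
        set dstintf "internal"
        set srcaddr "hub_lan"
        set dstaddr "spoke_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "spoke_to_hub"
        set srcintf "internal"
        set dstintf "to_hub"
        set srcaddr "spoke_lan"
        set dstaddr "hub_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

A route-based tunnel also needs a static route to hub_lan via the to_hub interface (config router static) before traffic is steered into it; that step is outside this page.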
Configuring security policies for spoke-to-spoke communication
Each spoke requires security policies to enable communication with the other spokes. Instead of creating separate security policies for each spoke, you can create an address group that contains the addresses of the networks behind the other spokes. The security policy then applies to all of the spokes in the group.
- Define destination addresses to represent the networks behind each of the other spokes. Add these addresses to an address group.
- Define the security policy to enable communication between this spoke and the spokes in the address group you created.
Route-based VPN security policy
Define two security policies to permit communications to and from the other spokes.
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
- Enter these settings in particular:

| Setting | Value |
| --- | --- |
| Incoming Interface | Select the virtual IPsec interface you created. |
| Source Address | Select the spoke address group you defined. |
| Outgoing Interface | Select the spoke’s interface to the internal (private) network. |
| Destination Address | Select this spoke’s address name. |
| Action | Select ACCEPT. |
| Enable NAT | Enable |

- Select Create New, leave the Policy Type as Firewall and leave the Policy Subtype as Address, and enter these settings:

| Setting | Value |
| --- | --- |
| Incoming Interface | Select the spoke’s interface to the internal (private) network. |
| Source Address | Select this spoke’s address name. |
| Outgoing Interface | Select the virtual IPsec interface you created. |
| Destination Address | Select the spoke address group you defined. |
| Action | Select ACCEPT. |
| Enable NAT | Enable |

Policy-based VPN security policy
Define an IPsec security policy to permit communications with the other spokes. See Defining VPN security policies.
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Enter these settings in particular:

| Setting | Value |
| --- | --- |
| Incoming Interface | Select this spoke’s internal (private) network interface. |
| Source Address | Select this spoke’s source address. |
| Outgoing Interface | Select the spoke’s interface to the external (public) network. |
| Destination Address | Select the spoke address group you defined. |
| VPN Tunnel | Select Use Existing and select the name of the Phase 1 configuration you defined. |
Place this policy or policies in the policy list above any other policies having similar source and destination addresses.
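The route-based spoke-to-spoke steps in FortiOS CLI form, showing the address-group approach. This is an added example, not Fortinet's own text; it assumes the tunnel interface "to_hub" and the address "spoke_lan" for this spoke already exist, and uses constructed LANs 10.3.0.0/24 and 10.4.0.0/24 behind two other spokes.

```text
# Added example (constructed values), not Fortinet's own configuration.
# Addresses for the networks behind each of the other spokes.
config firewall address
    edit "spoke3_lan"
        set subnet 10.3.0.0 255.255.255.0
    next
    edit "spoke4_lan"
        set subnet 10.4.0.0 255.255.255.0
    next
end
# One address group stands in for all other spokes, so a single policy
# pair covers them instead of one pair per spoke.
config firewall addrgrp
    edit "other_spokes"
        set member "spoke3_lan" "spoke4_lan"
    next
end
# Traffic from other spokes arrives through the hub on the same "to_hub"
# interface, so the policies mirror the hub-to-spoke pair.
config firewall policy
    edit 0
        set name "spokes_to_this_spoke"
        set srcintf "to_hub"
        set dstintf "internal"
        set srcaddr "other_spokes"
        set dstaddr "spoke_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "this_spoke_to_spokes"
        set srcintf "internal"
        set dstintf "to_hub"
        set srcaddr "spoke_lan"
        set dstaddr "other_spokes"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Because "edit 0" appends at the bottom of the policy list, use "move <new-id> before <existing-id>" inside config firewall policy to place these above any broader policies with similar source and destination addresses, as the last step requires.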