Configure the hub
At the FortiGate unit that acts as the hub, you need to:
- Configure the VPN to each spoke
- Configure communication between spokes
You configure communication between spokes differently for a policy-based VPN than for a route-based VPN. For a policy-based VPN, you configure a VPN concentrator. For a route-based VPN, you must either define security policies or group the IPsec interfaces into a zone.
Define the hub-spoke VPNs
Perform these steps at the FortiGate unit that will act as the hub. Although this procedure assumes that the spokes are all FortiGate units, a spoke could also be VPN client software, such as FortiClient Endpoint Security.
Configuring the VPN hub
1. At the hub, define the Phase 1 configuration for each spoke. See Phase 1 parameters. Enter these settings in particular:

| Setting | Value |
|---|---|
| Name | Enter a name to identify the VPN in Phase 2 configurations, security policies and the VPN monitor. |
| Remote Gateway | The remote gateway is the other end of the VPN tunnel. There are three options: |
| Local Interface | Select the FortiGate interface that connects to the remote gateway. This is usually the FortiGate unit's public interface. |

2. Define the Phase 2 parameters needed to create a VPN tunnel with each spoke. See Phase 2 parameters. Enter these settings in particular:

| Setting | Value |
|---|---|
| Name | Enter a name to identify this spoke Phase 2 configuration. |
| Phase 1 | Select the name of the Phase 1 configuration that you defined for this spoke. |
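The CLI equivalent of the two GUI steps above, for one spoke, is shown here as an added example; it is not part of the original page or Fortinet's documentation. The tunnel name "spoke1", the hub interface "wan1", the spoke public address 203.0.113.10, the two private subnets and the PSK placeholder are all constructed values for illustration:

```text
# Hub side: Phase 1 for spoke 1 (route-based, so phase1-interface)
config vpn ipsec phase1-interface
    edit "spoke1"
        # Name: referenced by Phase 2, security policies and the VPN monitor
        set type static
        # Local Interface: the hub's public interface (assumed name)
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        # Remote Gateway: static IP of spoke 1 (constructed, documentation range)
        set remote-gw 203.0.113.10
        # Use a long random pre-shared key; this is a placeholder only
        set psksecret "REPLACE-WITH-STRONG-PSK"
    next
end

# Hub side: Phase 2 for spoke 1
config vpn ipsec phase2-interface
    edit "spoke1-p2"
        # Phase 1: the configuration defined above for this spoke
        set phase1name "spoke1"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        # Selectors: hub private network and spoke 1 private network (constructed)
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 10.0.1.0 255.255.255.0
    next
end
```

Repeat the pair of entries once per spoke, changing the name, remote gateway and destination subnet; the Phase 1 name is what the later security policies select as the VPN tunnel interface.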
IPsec VPN in ADVPN hub-and-spoke
IPsec VPN traffic is allowed through a tunnel between an ADVPN hub and spoke.
CLI syntax:

```
config vpn ipsec phase1-interface
    edit "int-fgtb"
        ...
        set auto-discovery-sender [enable | disable]
        set auto-discovery-receiver [enable | disable]
        set auto-discovery-forwarder [enable | disable]
        ...
    next
end

config vpn ipsec phase2-interface
    edit "int-fgtb"
        ...
        # phase1 inherits the auto-discovery-sender setting of the Phase 1 configuration
        set auto-discovery-sender [phase1 | enable | disable]
        ...
    next
end
```
Define the hub-spoke security policies
1. Define a name for the address of the private network behind the hub. For more information, see Defining policy addresses.
2. Define names for the addresses or address ranges of the private networks behind the spokes. For more information, see Defining policy addresses.
3. Define the VPN concentrator. See To define the VPN concentrator.
4. Define security policies to permit communication between the hub and the spokes. For more information, see Defining VPN security policies.
Route-based VPN security policies
Define ACCEPT security policies to permit communications between the hub and the spoke. You need one policy for each direction.
Adding policies
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings in particular for the spoke-to-hub policy:

| Setting | Value |
|---|---|
| Incoming Interface | Select the VPN Tunnel (IPsec Interface) you configured in Step 1. |
| Source Address | Select the address name you defined in Step 2 for the private network behind the spoke FortiGate unit. |
| Outgoing Interface | Select the hub's interface to the internal (private) network. |
| Destination Address | Select the address name that you defined in Step 1 for the private network behind the hub. |
| Action | Select ACCEPT. |
| Enable NAT | Enable. |

4. Create the second policy, for the hub-to-spoke direction, with these settings:

| Setting | Value |
|---|---|
| Incoming Interface | Select the hub's interface to the internal (private) network. |
| Source Address | Select the address name that you defined in Step 1 for the private network behind the hub. |
| Outgoing Interface | Select the VPN Tunnel (IPsec Interface) you configured in Step 1. |
| Destination Address | Select the address name you defined in Step 2 for the private network behind the spoke FortiGate unit. |
| Action | Select ACCEPT. |
| Enable NAT | Enable. |
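The same pair of route-based policies, plus the address objects they reference, expressed in the CLI. This is an added example rather than text from the original page; "internal" and "spoke1" are assumed interface names (the hub's LAN interface and the Phase 1 tunnel for spoke 1), and the address objects and subnets are constructed:

```text
# Address objects for the hub and spoke private networks (constructed values)
config firewall address
    edit "hub_lan"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "spoke1_lan"
        set subnet 10.0.1.0 255.255.255.0
    next
end

config firewall policy
    # Direction 1: traffic arriving from spoke 1 over the tunnel, bound for the hub LAN
    edit 0
        set name "spoke1-to-hub"
        set srcintf "spoke1"
        set dstintf "internal"
        set srcaddr "spoke1_lan"
        set dstaddr "hub_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        # Mirrors the "Enable NAT" setting in the table above
        set nat enable
    next
    # Direction 2: traffic from the hub LAN into the tunnel towards spoke 1
    edit 0
        set name "hub-to-spoke1"
        set srcintf "internal"
        set dstintf "spoke1"
        set srcaddr "hub_lan"
        set dstaddr "spoke1_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Because each policy names a specific tunnel interface and a specific address object, a spoke can only reach the hub LAN, not other spokes; spoke-to-spoke reachability is added separately in the route-based section below.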
Policy-based VPN security policy
Define an IPsec security policy to permit communications between the hub and the spoke.
Adding policies
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

| Setting | Value |
|---|---|
| Incoming Interface | Select the hub's interface to the internal (private) network. |
| Source Address | Select the address name that you defined in Step 1 for the private network behind the hub. |
| Outgoing Interface | Select the hub's public network interface. |
| Destination Address | Select the address name you defined in Step 2 for the private network behind the spoke FortiGate unit. |
| VPN Tunnel | Select Use Existing and select the name of the Phase 1 configuration that you created for the spoke in Step 1. |
In the policy list, arrange the policies in the following order:
- IPsec policies that control traffic between the hub and the spokes first
- The default security policy last
Configuring communication between spokes (policy-based VPN)
For a policy-based hub-and-spoke VPN, you define a concentrator to enable communication between the spokes.
To define the VPN concentrator
1. At the hub, go to VPN > IPsec Concentrator and select Create New.
2. In the Concentrator Name field, type a name to identify the concentrator.
3. From the Available Tunnels list, select a VPN tunnel and then select the right-pointing arrow.
4. Repeat Step 3 until all of the tunnels associated with the spokes are included in the concentrator.
5. Select OK.
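For a policy-based hub, the IPsec security policy described above and the concentrator can be entered in the CLI as follows. This is an added example, not text from the page or from Fortinet; it assumes policy-based Phase 1 definitions named "spoke1", "spoke2" and "spoke3", a hub LAN interface "internal", a public interface "wan1", and address objects "hub_lan" and "spoke1_lan" (all constructed names):

```text
# Expose policy-based IPsec in the GUI on releases that hide it by default
config system settings
    set gui-policy-based-ipsec enable
end

# One IPsec policy per spoke; inbound and outbound together cover both directions
config firewall policy
    edit 0
        set name "hub-spoke1-ipsec"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "hub_lan"
        set dstaddr "spoke1_lan"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        # "Use Existing" tunnel: the policy-based Phase 1 name for spoke 1
        set vpntunnel "spoke1"
    next
end
# Policies are evaluated top-down: keep the IPsec policies above the default policy,
# for example "move <ipsec-policy-id> before <default-policy-id>" inside config firewall policy.

# Concentrator: every spoke tunnel that should be able to reach the other spokes
config vpn ipsec concentrator
    edit "hub-concentrator"
        set member "spoke1" "spoke2" "spoke3"
    next
end
```

A tunnel left out of the member list still reaches the hub through its own IPsec policy but cannot exchange traffic with the other spokes, which is a convenient way to keep a partially trusted site isolated.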
Configuring communication between spokes (route-based VPN)
For a route-based hub-and-spoke VPN, there are several ways you can enable communication between the spokes:
- Put all of the IPsec interfaces into a zone and enable intra-zone traffic. This eliminates the need for any security policy for the VPN, but you cannot apply UTM features to scan the traffic for security threats.
- Put all of the IPsec interfaces into a zone and create a single zone-to-zone security policy.
- Create a security policy for each pair of spokes that are allowed to communicate with each other. The number of policies required increases rapidly as the number of spokes increases.
Using a zone as a concentrator
A simple way to provide communication among all of the spokes is to create a zone and allow intra-zone communication. You cannot apply UTM features using this method.
1. Go to Network > Interfaces.
2. Select the down-arrow on the Create New button and select Zone.
3. In the Zone Name field, enter a name, such as Our_VPN_zone.
4. Clear Block intra-zone traffic.
5. In the Interface Members list, select the IPsec interfaces that are part of your VPN.
6. Select OK.
Using a zone with a policy as a concentrator
If you put all of the hub IPsec interfaces involved in the VPN into a zone, you can enable communication among all of the spokes and apply UTM features with just one security policy.
Creating a zone for the VPN
1. Go to Network > Interfaces.
2. Select the down-arrow on the Create New button and select Zone.
3. In the Zone Name field, enter a name, such as Our_VPN_zone.
4. Select Block intra-zone traffic.
5. In the Interface Members list, select the IPsec interfaces that are part of your VPN.
6. Select OK.
Creating a security policy for the zone
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings and select OK:

| Setting | Value |
|---|---|
| Incoming Interface | Select the zone you created for your VPN. |
| Source Address | Select All. |
| Outgoing Interface | Select the zone you created for your VPN. |
| Destination Address | Select All. |
| Action | Select ACCEPT. |
| Enable NAT | Enable. |
Using security policies as a concentrator
To enable communication between two spokes, you need to define an ACCEPT security policy for them. To allow either spoke to initiate communication, you must create a policy for each direction. This procedure describes a security policy for communication from Spoke 1 to Spoke 2. Others are similar.
1. Define names for the addresses or address ranges of the private networks behind each spoke. For more information, see Defining policy addresses.
2. Go to Policy & Objects > IPv4 Policy and select Create New.
3. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
4. Enter these settings and select OK:

| Setting | Value |
|---|---|
| Incoming Interface | Select the IPsec interface that connects to Spoke 1. |
| Source Address | Select the address of the private network behind Spoke 1. |
| Outgoing Interface | Select the IPsec interface that connects to Spoke 2. |
| Destination Address | Select the address of the private network behind Spoke 2. |
| Action | Select ACCEPT. |
| Enable NAT | Enable. |
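The three route-based options from this section (zone with intra-zone traffic allowed, zone with intra-zone traffic blocked plus one zone policy, and one policy per spoke pair) side by side in the CLI. This is an added example and not part of the original page; the tunnel interface names "spoke1" to "spoke3", the address objects "spoke1_lan" and "spoke2_lan", and the use of the built-in "default" antivirus and IPS profiles are assumptions:

```text
# Option 1: zone as concentrator. Intra-zone traffic is allowed with no policy,
# so no UTM inspection can be applied to spoke-to-spoke traffic.
config system zone
    edit "Our_VPN_zone"
        set intrazone allow
        set interface "spoke1" "spoke2" "spoke3"
    next
end

# Option 2: same zone, but intra-zone traffic is blocked and a single
# zone-to-zone policy carries the UTM profiles.
config system zone
    edit "Our_VPN_zone"
        set intrazone deny
        set interface "spoke1" "spoke2" "spoke3"
    next
end
config firewall policy
    edit 0
        set name "spoke-to-spoke-inspected"
        set srcintf "Our_VPN_zone"
        set dstintf "Our_VPN_zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        # UTM features applied to every spoke-to-spoke flow (profile names assumed)
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
    next
end

# Option 3: explicit policies per spoke pair; Spoke 1 -> Spoke 2 shown,
# a second policy with the interfaces and addresses swapped is needed for the
# reverse direction, and the count grows with the square of the spoke count.
config firewall policy
    edit 0
        set name "spoke1-to-spoke2"
        set srcintf "spoke1"
        set dstintf "spoke2"
        set srcaddr "spoke1_lan"
        set dstaddr "spoke2_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Options 2 and 3 differ in what is logged and inspected: the zone policy treats every spoke identically, while per-pair policies let you withhold reachability from a specific spoke, at the cost of maintaining one entry per direction per pair.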