fortigate-ipsec-40-mr3
Hub-and-spoke configurations

Each spoke uses the address of its own protected subnet as the IPsec source selector and as the source address in its VPN security policy. The remote gateway is the public IP address of the hub FortiGate unit.

Using an address group

If you want to create a hub-and-spoke VPN between existing private networks, the subnet addressing usually does not fit the aggregated subnet model discussed earlier. All of the spokes and the hub will need to include the addresses of all the protected networks in their configuration.

On FortiGate units, you can define a named firewall address for each of the remote protected networks and add these addresses to a firewall address group. For a policy-based VPN, you can then use this address group as the destination of the VPN security policy.

For a route-based VPN, the destination of the VPN security policy can be set to All. You need to specify appropriate routes for each of the remote subnets.

Authentication

Authentication is by a common preshared key or by certificates. For simplicity, the examples in this chapter assume that all spokes use the same preshared key.

Configure the hub

At the FortiGate unit that acts as the hub, you need to
- configure the VPN to each spoke
- configure communication between spokes

You configure communication between spokes differently for a policy-based VPN than for a route-based VPN. For a policy-based VPN, you configure a VPN concentrator. For a route-based VPN, you must either define security policies or group the IPsec interfaces into a zone.
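As an added example, not taken from the handbook, the hub-side FortiOS CLI objects that the paragraphs above describe for a route-based VPN: a firewall address per protected network collected into an address group, one static route per remote subnet out its IPsec interface, a zone that groups the IPsec interfaces so spoke-to-spoke traffic needs no per-pair policy, and the hub-LAN-to-spokes policy. The subnets, the tunnel interface names (to_spoke1, to_spoke2), the LAN interface name (internal) and all object names are assumptions.

```fortios
config firewall address
    edit "hub_lan"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "spoke1_lan"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "spoke2_lan"
        set subnet 10.2.0.0 255.255.255.0
    next
end
# One group holding every remote protected network (assumed subnets above).
config firewall addrgrp
    edit "spoke_lans"
        set member "spoke1_lan" "spoke2_lan"
    next
end
# Route-based VPN: a static route per remote subnet via its IPsec interface.
config router static
    edit 10
        set dst 10.1.0.0 255.255.255.0
        set device "to_spoke1"
    next
    edit 11
        set dst 10.2.0.0 255.255.255.0
        set device "to_spoke2"
    next
end
# Spoke-to-spoke: group the IPsec interfaces in a zone and allow intrazone traffic.
config system zone
    edit "spokes"
        set interface "to_spoke1" "to_spoke2"
        set intrazone allow
    next
end
# Hub LAN to spokes; the address group narrows dstaddr to the protected subnets instead of All.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "spokes"
        set srcaddr "hub_lan"
        set dstaddr "spoke_lans"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Return traffic from the spokes into the hub LAN needs a matching policy from the "spokes" zone to "internal", with the address group as the source.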
Define the hub-spoke VPNs

Perform these steps at the FortiGate unit that will act as the hub. Although this procedure assumes that the spokes are all FortiGate units, a spoke could also be VPN client software, such as FortiClient Endpoint Security.
FortiOS Handbook v3: IPsec VPNs
01-434-112804-20120111 87
http://docs.fortinet.com/