fortigate-ipsec-40-mr3
Hub-and-spoke configurations    Configure the hub

4 Define security policies to permit communication between the hub and the spokes.
For more information, see “Defining VPN security policies” on page 64.
Route-based VPN security policies

Define ACCEPT security policies to permit communications between the hub and the spoke. You need one policy for each direction. Enter these settings in particular:

Policy 1 (traffic from the spoke to the hub)
  Source Interface/Zone:       Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
  Source Address Name:         Select the address name you defined in Step 2 for the private network behind the spoke FortiGate unit.
  Destination Interface/Zone:  Select the hub’s interface to the internal (private) network.
  Destination Address Name:    Select the source address that you defined in Step 1.
  Action:                      Select ACCEPT.
  NAT:                         Enable.

Policy 2 (traffic from the hub to the spoke)
  Source Interface/Zone:       Select the hub’s interface to the internal (private) network.
  Source Address Name:         Select the source address that you defined in Step 1.
  Destination Interface/Zone:  Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
  Destination Address Name:    Select the address name you defined in Step 2 for the private network behind the spoke FortiGate units.
  Action:                      Select ACCEPT.
  NAT:                         Enable.
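The same two route-based policies entered from the FortiGate CLI, as an added example that is not from the handbook. The object names are assumptions: "spoke1_tun" is the IPsec interface created by the spoke's phase 1 in Step 1, "internal" is the hub's private-network interface, "hub_lan" is the hub's source address from Step 1 and "spoke1_lan" is the spoke's private-network address from Step 2.

```fortios
# Added example, not from the FortiOS Handbook. Assumed names: spoke1_tun
# (IPsec interface from Step 1), internal (hub private interface), hub_lan
# (Step 1 source address), spoke1_lan (Step 2 spoke network).
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    # Policy 1: traffic arriving through the tunnel from the spoke
    edit 0
        set srcintf "spoke1_tun"
        set dstintf "internal"
        set srcaddr "spoke1_lan"
        set dstaddr "hub_lan"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set logtraffic enable
        set comments "spoke1 -> hub (route-based)"
    next
    # Policy 2: traffic from the hub's private network out through the tunnel
    edit 0
        set srcintf "internal"
        set dstintf "spoke1_tun"
        set srcaddr "hub_lan"
        set dstaddr "spoke1_lan"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set logtraffic enable
        set comments "hub -> spoke1 (route-based)"
    next
end
```

After entering the policies, `show firewall policy` lists them and `diagnose vpn tunnel list` shows whether the tunnel comes up once traffic matches. With NAT enabled on Policy 1, as the table specifies, spoke hosts reach the hub network with their source address rewritten to the hub's internal interface address, so servers and logs on the hub side see that interface address rather than the spoke host; `set logtraffic enable` keeps the original spoke source address in the FortiGate's own traffic log, which is the record to use when investigating what a spoke host did.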
Policy-based VPN security policy

Define an IPsec security policy to permit communications between the hub and the spoke. Enter these settings in particular:

  Source Interface/Zone:       Select the hub’s interface to the internal (private) network.
  Source Address Name:         Select the source address that you defined in Step 1.
  Destination Interface/Zone:  Select the hub’s public network interface.
  Destination Address Name:    Select the address name you defined in Step 2 for the private network behind the spoke FortiGate unit.
  Action:                      Select IPSEC.
  VPN Tunnel:                  Select the name of the phase 1 configuration that you created for the spoke in Step 1.
                               Select Allow inbound to enable traffic from the remote network to initiate the tunnel.
                               Select Allow outbound to enable traffic from the local network to initiate the tunnel.
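The policy-based equivalent entered from the FortiGate CLI, again as an added example rather than the handbook's own text. Assumed names: "internal" is the hub's private-network interface, "wan1" its public interface, "hub_lan" the source address from Step 1, "spoke1_lan" the spoke's private network from Step 2 and "spoke1_p1" the phase 1 configuration created for this spoke in Step 1.

```fortios
# Added example, not from the FortiOS Handbook. Assumed names: internal (hub
# private interface), wan1 (hub public interface), hub_lan (Step 1 source
# address), spoke1_lan (Step 2 spoke network), spoke1_p1 (Step 1 phase 1).
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "hub_lan"
        set dstaddr "spoke1_lan"
        set action ipsec
        set vpntunnel "spoke1_p1"
        # Allow inbound: traffic from the spoke's network may initiate the tunnel
        set inbound enable
        # Allow outbound: traffic from the hub's network may initiate the tunnel
        set outbound enable
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set comments "hub <-> spoke1 (policy-based)"
    next
end
```

A single IPSEC policy carries both directions, which is why the table needs no second entry; `set inbound enable` and `set outbound enable` are the CLI names of the Allow inbound and Allow outbound checkboxes. Because the policy selects traffic by the address pair rather than by a tunnel interface, a mismatch between "spoke1_lan" and the phase 2 selectors agreed with the spoke shows up as traffic that matches the policy but never brings the tunnel up; `diagnose vpn tunnel list` and the traffic log are the first places to check when that happens.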
FortiOS Handbook v3: IPsec VPNs
01-434-112804-20120111 89
http://docs.fortinet.com/