fortigate-ipsec-40-mr3
Configure the hub (Hub-and-spoke configurations)
5 In the policy list, arrange the policies in the following order:
- IPsec policies that control traffic between the hub and the spokes first
- the default security policy last
Configuring communication between spokes (policy-based VPN)
For a policy-based hub-and-spoke VPN, you define a concentrator to enable communication between the spokes.
To define the VPN concentrator
1 At the hub, go to VPN > IPSEC > Concentrator and select Create New.
2 In the Concentrator Name field, type a name to identify the concentrator.
3 From the Available Tunnels list, select a VPN tunnel and then select the right-pointing arrow.
To remove tunnels from the VPN concentrator, select the tunnel in the Members list and select the left-pointing arrow.
4 Repeat Step 3 until all of the tunnels associated with the spokes are included in the concentrator.
5 Select OK.
Configuring communication between spokes (route-based VPN)
For a route-based hub-and-spoke VPN, there are several ways you can enable communication between the spokes:
- put all of the IPsec interfaces into a zone and enable intra-zone traffic. This eliminates the need for any security policy for the VPN, but you cannot apply UTM features to scan the traffic for security threats.
- put all of the IPsec interfaces into a zone and create a single zone-to-zone security policy
- create a security policy for each pair of spokes that are allowed to communicate with each other. The number of policies required increases rapidly as the number of spokes increases.
Using a zone as a concentrator
A simple way to provide communication among all of the spokes is to create a zone and allow intra-zone communication. You cannot apply UTM features using this method.
1 Go to System > Network > Interface.
2 Select the down-arrow on the Create New button and select Zone.
3 In the Zone Name field, enter a name, such as Our_VPN_zone.
4 Clear Block intra-zone traffic.
5 In the Interface Members list, select the IPsec interfaces that are part of your VPN.
6 Select OK.
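The same choices expressed as FortiOS CLI configuration, placing the zone-as-concentrator setup (no UTM possible) beside the single zone-to-zone policy alternative from the list above, plus the policy-based concentrator from the earlier procedure. This is an added illustration, not text from the Fortinet guide; the interface, tunnel and profile names and the `#` annotation lines are assumed placeholders, and the option names follow the FortiOS 4.0 MR3 CLI syntax as the editor knows it.

```fortios
# Option A: zone as concentrator. Spoke-to-spoke traffic is forwarded
# inside the zone with no security policy, so no UTM inspection occurs.
# (tun_spoke1/tun_spoke2 are assumed names for the IPsec interfaces.)
config system zone
    edit "Our_VPN_zone"
        set intrazone allow
        set interface "tun_spoke1" "tun_spoke2"
    next
end

# Option B: same zone, but intra-zone traffic stays blocked and a single
# zone-to-zone policy carries it, so UTM profiles can be attached.
config system zone
    edit "Our_VPN_zone"
        set intrazone deny
        set interface "tun_spoke1" "tun_spoke2"
    next
end
config firewall policy
    edit 0
        set srcintf "Our_VPN_zone"
        set dstintf "Our_VPN_zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
    next
end

# Policy-based VPN: the concentrator defined in the first procedure.
# (to_spoke1/to_spoke2 are assumed names for the spoke tunnels.)
config vpn ipsec concentrator
    edit "Hub_concentrator"
        set member "to_spoke1" "to_spoke2"
    next
end
```

Option B is the one to prefer where spoke-to-spoke traffic must be scanned; Option A trades that inspection for a policy-free setup.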
IPsec VPNs for FortiOS 4.0 MR3
90 01-434-112804-20120111
http://docs.fortinet.com/