fortigate-ipsec-40-mr3
Configure the spokes    Hub-and-spoke configurations

NAT    Enable.
UTM    If you want to apply UTM features to this traffic, select the appropriate profiles.

3 Select OK.

Configure the spokes
Although this procedure assumes that the spokes are all FortiGate units, a spoke could also be VPN client software, such as FortiClient Endpoint Security.

Perform these steps at each FortiGate unit that will act as a spoke.

To create the phase 1 and phase 2 configurations
1 At the spoke, define the phase 1 parameters that the spoke will use to establish a secure connection with the hub. See “Auto Key phase 1 parameters” on page 39. Enter these settings:

Remote Gateway                 Select Static IP Address.
IP Address                     Type the IP address of the interface that connects to the hub.
Enable IPsec Interface Mode    Enable if you are creating a route-based VPN. Clear if you are creating a policy-based VPN.

2 Create the phase 2 tunnel definition. See “Phase 2 parameters” on page 57. Select the set of phase 1 parameters that you defined for the hub. You can select the name of the hub from the Static IP Address part of the list.
Configuring security policies for hub-to-spoke communication

1 Create an address for this spoke. See “Defining policy addresses” on page 63. Enter the IP address and netmask of the private network behind the spoke.

2 Create an address to represent the hub. See “Defining policy addresses” on page 63. Enter the IP address and netmask of the private network behind the hub.

3 Define the security policy to enable communication with the hub.

Route-based VPN security policy
Define two security policies to permit communications to and from the hub. Enter these settings:

Source Interface/Zone         Select the virtual IPsec interface you created.
Source Address Name           Select the hub address you defined in Step 1.
Destination Interface/Zone    Select the spoke’s interface to the internal (private) network.
Destination Address Name      Select the spoke addresses you defined in Step 2.
Action                        Select ACCEPT.
NAT                           Enable.
IPsec VPNs for FortiOS 4.0 MR3
92    01-434-112804-20120111
http://docs.fortinet.com/