Fortinet FortiGate-200A Operating Instructions
286
01-28006-0072-20041105
Fortinet Inc.
Hub and spoke VPNs
In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as
a hub. The peers that connect to the hub are known as spokes. The hub functions as
a concentrator on the network, managing the VPN connections between the spokes.
To configure a hub-and-spoke VPN, you must configure both the hub and spokes.
Configuring the hub
Use the following steps to configure the central FortiGate unit that functions as the
hub:
• add the VPN tunnels.
• add a VPN concentrator.
• add a firewall policy.
To configure the VPN settings for the hub
1. Configure a tunnel for each spoke. Choose between a manual key tunnel or an
AutoIKE tunnel.
2. Add a destination address for each spoke. The destination address is the address
of the spoke (either a client on the Internet or a network located behind a gateway).
See
3. Add the concentrator configuration. This step groups the tunnels together on the
FortiGate unit. The tunnels link the hub to the spokes. The tunnels are added as part
of the AutoIKE phase 2 configuration or the manual key configuration.
See
4. Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic
through the hub and allow inbound and outbound VPN connections between the hub
and the spokes. The encrypt policy for each spoke must include the tunnel name of
the spoke. The source address must be Internal_All. Use the following configuration
for the encrypt policies:
Note: You must add the VPN tunnels before adding the concentrator. You must also add the
concentrator before adding the firewall policy.
Note: If you use manual key tunnels, the local SPI values for each spoke must be different.
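As an added example, not part of the manual, the following Python checker encodes the hub-side rules stated above (every concentrator member must be a defined tunnel, every spoke needs an encrypt policy that names its tunnel and uses Internal_All as source, and manual key tunnels must not reuse a local SPI) so a hub configuration can be reviewed before it is applied. The tunnel names, addresses, SPI values and the data classes are constructed for illustration and are not FortiGate objects.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Tunnel:
    name: str
    kind: str                        # "manual" (manual key) or "autoike"
    local_spi: Optional[int] = None  # only set on manual key tunnels

@dataclass
class EncryptPolicy:
    source: str       # must be Internal_All on the hub
    destination: str  # the spoke's destination address
    tunnel: str       # tunnel name of the spoke

def check_hub(tunnels, concentrator, policies):
    """Return violations of the hub-side rules (empty list means OK).
    tunnels: step 1; concentrator: names grouped in step 3; policies: step 4."""
    problems = []
    defined = {t.name for t in tunnels}
    covered = {p.tunnel for p in policies}
    for member in concentrator:
        if member not in defined:    # tunnels must exist before the concentrator
            problems.append(f"concentrator member {member!r} is not a defined tunnel")
        if member not in covered:
            problems.append(f"no encrypt policy names spoke tunnel {member!r}")
    for p in policies:
        if p.tunnel not in concentrator:
            problems.append(f"policy for {p.tunnel!r} uses a tunnel outside the concentrator")
        if p.source != "Internal_All":
            problems.append(f"policy for {p.tunnel!r} has source {p.source!r}, expected Internal_All")
    owner = {}                       # local SPI -> manual key tunnel that uses it
    for t in tunnels:
        if t.kind == "manual":
            if t.local_spi in owner:
                problems.append(f"{owner[t.local_spi]!r} and {t.name!r} share local SPI {t.local_spi:#x}")
            owner.setdefault(t.local_spi, t.name)
    return problems

# Constructed sample hub: two manual key spokes and one AutoIKE spoke.
CONCENTRATOR = ["Spoke_1", "Spoke_2", "Spoke_3"]
GOOD_TUNNELS = [Tunnel("Spoke_1", "manual", 0x1001), Tunnel("Spoke_2", "manual", 0x1002),
                Tunnel("Spoke_3", "autoike")]
GOOD_POLICIES = [EncryptPolicy("Internal_All", "Spoke_1_Net", "Spoke_1"),
                 EncryptPolicy("Internal_All", "Spoke_2_Net", "Spoke_2"),
                 EncryptPolicy("Internal_All", "Spoke_3_Client", "Spoke_3")]
# Same hub with two mistakes: a reused local SPI and a policy not sourced from Internal_All.
BAD_TUNNELS = [Tunnel("Spoke_1", "manual", 0x1001), Tunnel("Spoke_2", "manual", 0x1001),
               Tunnel("Spoke_3", "autoike")]
BAD_POLICIES = GOOD_POLICIES[:1] + [EncryptPolicy("DMZ_All", "Spoke_2_Net", "Spoke_2")] + GOOD_POLICIES[2:]
```

Running `check_hub(BAD_TUNNELS, CONCENTRATOR, BAD_POLICIES)` reports the shared SPI and the wrong source address; the good configuration returns an empty list.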