Fortinet fortigate-200a Betriebsanweisung

In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as 
a hub. The peers that connect to the hub are known as spokes. The hub functions as 
a concentrator on the network, managing the VPN connections between the spokes. 

To configure a hub-and-spoke VPN, you must configure both the hub and spokes.

Use the following steps to configure the central FortiGate unit that functions as the 
hub:

• add the VPN tunnels.
• add a VPN concentrator. 
• add a firewall policy. 

Configure a tunnel for each spoke. Choose between a manual key tunnel or an 
AutoIKE tunnel. 

Add a destination addresses for each spoke. The destination address is the address 
of the spoke (either a client on the Internet or a network located behind a gateway).
See 

Add the concentrator configuration. This step groups the tunnels together on the 
FortiGate unit. The tunnels link the hub to the spokes. The tunnels are added as part 
of the AutoIKE phase 2 configuration or the manual key configuration.
See 

Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic 
through the hub and allow inbound and outbound VPN connections between the hub 
and the spokes. The encrypt policy for each spoke must include the tunnel name of 
the spoke. The source address must be Internal_All. Use the following configuration 
for the encrypt policies:

Note: You must add the VPN tunnels before adding the concentrator. You must also add the 
concentrator before adding the firewall policy. 

Note: If you use manual key tunnels, the local SPI values for each spoke must be different.