Fortinet fortigate-50r Installationsanweisungen
IPSec VPN
IPSec VPN concentrators
FortiGate-50R Installation and Configuration Guide
171
IPSec VPN concentrators
In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as
a hub. The peers that connect to the hub are known as spokes. The hub functions as
a concentrator on the network, managing the VPN connections between the spokes.
a hub. The peers that connect to the hub are known as spokes. The hub functions as
a concentrator on the network, managing the VPN connections between the spokes.
The advantage of a hub-and-spoke network is that the spokes are simpler to configure
because they require fewer policy rules. Also, a hub-and-spoke network provides
some processing efficiencies, particularly on the spokes. The disadvantage of a hub-
and-spoke network is its reliance on a single peer to handle management of all VPNs.
If this peer goes down, all encrypted communication in the network is impossible.
because they require fewer policy rules. Also, a hub-and-spoke network provides
some processing efficiencies, particularly on the spokes. The disadvantage of a hub-
and-spoke network is its reliance on a single peer to handle management of all VPNs.
If this peer goes down, all encrypted communication in the network is impossible.
A hub-and-spoke VPN network requires a special configuration. Setup varies
depending on the role that the VPN peer is serving. If the VPN peer is a FortiGate unit
functioning as the hub, or concentrator, it requires a VPN configuration connecting it to
each spoke (AutoIKE phase 1 and 2 settings or manual key settings, plus encrypt
policies). It also requires a concentrator configuration that groups the hub-and-spoke
tunnels together. The concentrator configuration defines the FortiGate unit as the hub
in a hub-and-spoke network.
depending on the role that the VPN peer is serving. If the VPN peer is a FortiGate unit
functioning as the hub, or concentrator, it requires a VPN configuration connecting it to
each spoke (AutoIKE phase 1 and 2 settings or manual key settings, plus encrypt
policies). It also requires a concentrator configuration that groups the hub-and-spoke
tunnels together. The concentrator configuration defines the FortiGate unit as the hub
in a hub-and-spoke network.
If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but
not to the other spokes). It also requires policies that control its encrypted connections
to the other spokes and its non-encrypted connections to other networks, such as the
Internet.
not to the other spokes). It also requires policies that control its encrypted connections
to the other spokes and its non-encrypted connections to other networks, such as the
Internet.
•
•
•
VPN concentrator (hub) general configuration steps
A central FortiGate that is functioning as a hub requires the following configuration:
• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration)
for each spoke.
• Destination addresses for each spoke.
• A concentrator configuration.
• An encrypt policy for each spoke.
• A concentrator configuration.
• An encrypt policy for each spoke.