Gateway-to-gateway configurations

Policy-based VPN security policy

Define an IPsec security policy to permit communications between the hub and the spoke.


To add policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter these settings in particular:

Incoming Interface: Select the hub’s interface to the internal (private) network.

Source Address: Select the source address that you defined in Step 1.

Outgoing Interface: Select the hub’s public network interface.

Destination Address: Select the address name you defined in Step 2 for the private network behind the spoke FortiGate unit.

VPN Tunnel: Select Use Existing and select the name of the Phase 1 configuration that you created for the spoke in Step 1.

Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

In the policy list, arrange the policies in the following order:

  • IPsec policies that control traffic between the hub and the spokes first
  • The default security policy last

Configuring communication between spokes (policy-based VPN)

For a policy-based hub-and-spoke VPN, you define a concentrator to enable communication between the spokes.


To define the VPN concentrator

1. At the hub, go to VPN > IPsec Concentrator and select Create New.

2. In the Concentrator Name field, type a name to identify the concentrator.

3. From the Available Tunnels list, select a VPN tunnel and then select the right-pointing arrow.

4. Repeat Step 3 until all of the tunnels associated with the spokes are included in the concentrator.

5. Select OK.
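The following CLI fragment is an added example, not part of the handbook text, showing the hub-side equivalent of the two policy-based procedures above (the IPsec security policy and the concentrator). Interface names (port2, wan1), address objects (HQ_LAN, Spoke1_LAN), tunnel names (spoke1, spoke2) and the policy IDs are assumed placeholders; the command syntax is the FortiOS 5.x CLI as I recall it and should be confirmed against the unit's own "?" help before use.

```fortios
# Added example (not from the handbook). Assumed placeholder names:
#   port2 / wan1     hub internal and public interfaces
#   HQ_LAN           address object for the hub's private network (Step 1)
#   Spoke1_LAN       address object for the network behind spoke 1 (Step 2)
#   spoke1, spoke2   Phase 1 (policy-based tunnel) names created per spoke
#   policy id 1      the existing default (catch-all) policy

config firewall policy
    edit 10
        set name "hub_to_spoke1"
        set srcintf "port2"
        set dstintf "wan1"
        # Use specific address objects rather than "all" so only the
        # intended subnets are carried inside the tunnel
        set srcaddr "HQ_LAN"
        set dstaddr "Spoke1_LAN"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set vpntunnel "spoke1"
        # "Allow traffic to be initiated from the remote site"
        set inbound enable
        set outbound enable
        # Log tunnel traffic so spoke activity is visible in FortiAnalyzer/syslog
        set logtraffic all
    next
    # Policy order: IPsec policies before the default policy
    move 10 before 1
end

# Concentrator: lets spoke-to-spoke traffic hairpin through the hub
config vpn ipsec concentrator
    edit "hub_concentrator"
        set member "spoke1" "spoke2"
    next
end
```

One policy of this shape is needed per spoke; the "move" line shows how the ordering requirement (IPsec policies first, default policy last) is expressed in the CLI, and "inbound enable" is the CLI form of the "Allow traffic to be initiated from the remote site" option.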


Configuring communication between spokes (route-based VPN)

For a route-based hub-and-spoke VPN, there are several ways you can enable communication between the spokes:

  • Put all of the IPsec interfaces into a zone and enable intra-zone traffic. This eliminates the need for any security policy for the VPN, but you cannot apply UTM features to scan the traffic for security threats.
  • Put all of the IPsec interfaces into a zone and create a single zone-to-zone security policy.
  • Create a security policy for each pair of spokes that are allowed to communicate with each other. The number of policies required increases rapidly as the number of spokes increases.


Using a zone as a concentrator

A simple way to provide communication among all of the spokes is to create a zone and allow intra-zone communication. You cannot apply UTM features using this method.

1. Go to Network > Interfaces.

2. Select the down-arrow on the Create New button and select Zone.

3. In the Zone Name field, enter a name, such as Our_VPN_zone.

4. Clear Block intra-zone traffic.

5. In the Interface Members list, select the IPsec interfaces that are part of your VPN.

6. Select OK.
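As an added example (not part of the handbook), the CLI below shows the zone-as-concentrator procedure above and, for comparison, the second option listed earlier: keeping intra-zone traffic blocked and adding one zone-to-zone policy so UTM profiles and logging can be applied to spoke-to-spoke traffic. Only one of the two zone definitions should be applied. The IPsec interface names spoke1_if and spoke2_if, the policy ID and the profile names are assumed placeholders; the syntax follows the FortiOS 5.x CLI as I recall it and should be checked against the unit's "?" help.

```fortios
# Added example (not from the handbook). Assumed placeholder names:
#   Our_VPN_zone           zone name used on the page
#   spoke1_if, spoke2_if   route-based IPsec (phase1-interface) tunnel interfaces
#   default                AV and IPS profiles shipped with the unit

# Option A: zone as concentrator (the page's procedure above).
# Intra-zone traffic is allowed, so no security policy is needed for
# spoke-to-spoke traffic, but no UTM inspection can be applied to it.
config system zone
    edit "Our_VPN_zone"
        set intrazone allow
        set interface "spoke1_if" "spoke2_if"
    next
end

# Option B: intra-zone traffic stays blocked ("Block intra-zone traffic"
# left selected) and a single zone-to-zone policy carries the traffic,
# which allows AV/IPS inspection and logging of spoke-to-spoke flows.
config system zone
    edit "Our_VPN_zone"
        set intrazone deny
        set interface "spoke1_if" "spoke2_if"
    next
end
config firewall policy
    edit 20
        set name "spoke_to_spoke"
        set srcintf "Our_VPN_zone"
        set dstintf "Our_VPN_zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        # assumed: an SSL/SSH profile is required once an AV profile is set
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
```

Option B trades one extra policy for the ability to inspect and log traffic between spokes, which is the limitation the page notes for the zone-only approach.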

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (a cybersecurity consulting firm).
