Policy-based VPN security policy
Define an IPsec security policy to permit communications with the hub. See Defining VPN security policies on page 1648.
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:
Incoming Interface: Select the spoke's interface to the internal (private) network.
Source Address: Select the spoke address you defined in Step 1.
Outgoing Interface: Select the spoke's interface to the external (public) network.
Destination Address: Select the hub address you defined in Step 2.
VPN Tunnel: Select Use Existing and select the name of the Phase 1 configuration you defined.
Select Allow traffic to be initiated from the remote site so that traffic arriving from the hub's network can also bring up the tunnel; without it only the spoke side can initiate.
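The same policy-based spoke-to-hub policy expressed in the FortiOS CLI, added here as an example and not taken from the handbook. The interface names (internal, wan1), the address names (spoke1_lan, hub_lan, standing in for the objects from Steps 1 and 2), the subnets and the Phase 1 name to_hub are assumptions; substitute the names you actually created.

```fortios
# Added example, not from the handbook. Assumed names:
#   internal   - spoke interface to the private network
#   wan1       - spoke interface to the public network
#   spoke1_lan - spoke address from Step 1
#   hub_lan    - hub address from Step 2
#   to_hub     - the policy-based Phase 1 (config vpn ipsec phase1)
config firewall address
    edit "spoke1_lan"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "hub_lan"
        set subnet 10.0.0.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set comments "spoke to hub, policy-based IPsec"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "spoke1_lan"
        set dstaddr "hub_lan"
        # action ipsec encrypts matching traffic into the named tunnel
        # instead of forwarding it in the clear
        set action ipsec
        set vpntunnel "to_hub"
        # inbound enable = "Allow traffic to be initiated from the remote site"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After generating traffic from the spoke LAN toward hub_lan, `diagnose vpn tunnel list` should show the tunnel up with selectors matching the two address objects; if the traffic instead appears in the logs as accepted by a plain NAT policy, the IPsec policy is sitting too low in the list.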
Configuring security policies for spoke-to-spoke communication
Each spoke requires security policies to enable communication with the other spokes. Instead of creating separate security policies for each spoke, you can create an address group that contains the addresses of the networks behind the other spokes. The security policy then applies to all of the spokes in the group.
1. Define destination addresses to represent the networks behind each of the other spokes. Add these addresses to an address group.
2. Define the security policy to enable communication between this spoke and the spokes in the address group you created.
Route-based VPN security policy
Define two security policies to permit communications to and from the other spokes.
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings in particular:
Incoming Interface: Select the virtual IPsec interface you created.
Source Address: Select the spoke address group you defined in Step 1.
Outgoing Interface: Select the spoke's interface to the internal (private) network.
Destination Address: Select this spoke's address name.
Action: Select ACCEPT.
Enable NAT: Enable
4. Select Create New, leave the Policy Type as Firewall and leave the Policy Subtype as Address, and enter these settings:
Incoming Interface: Select the spoke's interface to the internal (private) network.
Source Address: Select this spoke's address name.
Outgoing Interface: Select the virtual IPsec interface you created.
Destination Address: Select the spoke address group you defined in Step 1.
Action: Select ACCEPT.
Enable NAT: Enable
Note that enabling NAT on these policies rewrites the source address of matching traffic to the address of the outgoing interface. Site-to-site tunnels are normally built with NAT disabled so that hosts, logs and any host-based access controls on either side see the real remote addresses; enable it only when you specifically want the remote spokes hidden behind a single address.
Policy-based VPN security policy
Define an IPsec security policy to permit communications with the other spokes. See Defining VPN security policies on page 1648.
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:
Incoming Interface: Select this spoke's internal (private) network interface.
Source Address: Select this spoke's address name.
Outgoing Interface: Select the spoke's interface to the external (public) network.
Destination Address: Select the spoke address group you defined in Step 1.
VPN Tunnel: Select Use Existing and select the name of the Phase 1 configuration you defined.
Select Allow traffic to be initiated from the remote site so that traffic arriving from the other spokes can also bring up the tunnel.
Place this policy (or these policies) in the policy list above any other policy that matches the same source and destination addresses. The FortiGate evaluates the list top-down and applies the first match, so in a policy-based VPN a broader internal-to-WAN policy placed earlier (for example one with NAT enabled) would capture the spoke traffic and send it out the public interface in the clear instead of into the tunnel.
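The route-based spoke-to-spoke configuration (the address group from Step 1 and the two policies from Step 2) in the FortiOS CLI, added here as an example; it is not the handbook's own configuration. The interface name internal, the Phase 1 name to_hub (a route-based Phase 1 creates a virtual IPsec interface with the same name), the address names spoke1_lan, spoke2_lan and spoke3_lan and the subnets are all assumptions. The example departs from the GUI steps in one deliberate respect: it leaves NAT disabled, the usual choice for site-to-site tunnels, and says so in a comment.

```fortios
# Added example, not from the handbook. Assumed names:
#   internal    - this spoke's private interface
#   to_hub      - route-based Phase 1 (config vpn ipsec phase1-interface);
#                 FortiOS creates a virtual IPsec interface of the same name
#   spoke1_lan  - this spoke's own network
#   spoke2_lan, spoke3_lan - networks behind the other spokes
config firewall address
    edit "spoke1_lan"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "spoke2_lan"
        set subnet 10.1.2.0 255.255.255.0
    next
    edit "spoke3_lan"
        set subnet 10.1.3.0 255.255.255.0
    next
end
# Step 1: one group for the other spokes, so a single policy pair covers
# them all; adding a spoke later means adding a member, not a policy
config firewall addrgrp
    edit "other_spokes"
        set member "spoke2_lan" "spoke3_lan"
    next
end
# Step 2: inbound policy (tunnel -> LAN) and outbound policy (LAN -> tunnel).
# NAT is left disabled here, unlike the GUI steps above, so that hosts and
# logs on both sides see real addresses; set nat enable to follow the GUI.
config firewall policy
    edit 0
        set comments "from other spokes"
        set srcintf "to_hub"
        set dstintf "internal"
        set srcaddr "other_spokes"
        set dstaddr "spoke1_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 0
        set comments "to other spokes"
        set srcintf "internal"
        set dstintf "to_hub"
        set srcaddr "spoke1_lan"
        set dstaddr "other_spokes"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
# A route-based VPN only selects the tunnel interface through routing, so the
# remote spoke networks need a route via to_hub; without it the outbound
# policy never matches because the traffic is routed to the default gateway.
config router static
    edit 0
        set dst 10.1.0.0 255.255.0.0
        set device "to_hub"
    next
end
```

To confirm the policies are the ones being hit, run `diagnose sniffer packet to_hub 'host 10.1.2.10' 4` on this spoke while a host in spoke2_lan is pinged from spoke1_lan; packets should appear on the to_hub interface with the original source address, and the traffic log should show the "to other spokes" policy rather than any general Internet policy.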
Dynamic spokes configuration example
This example demonstrates how to set up a basic route-based hub-and-spoke IPsec VPN that uses preshared keys to authenticate VPN peers.