Configure communication between spokes
Spokes communicate with each other through the hub, so you need to configure the hub to allow this communication. An easy way to do this is to create a zone containing the virtual IPsec interfaces (even if there is only one) and then create a zone-to-zone security policy.
To create a zone for the VPN
1. Go to Network > Interfaces.
2. Select the down-arrow on the Create New button and select Zone.
3. In the Zone Name field, enter a name, such as Our_VPN_zone.
4. Select Block intra-zone traffic.
You could instead allow intra-zone traffic, in which case you would not need to create a security policy. However, you would then not be able to apply UTM features to the spoke-to-spoke traffic.
5. In Interface Members, select the virtual IPsec interface, toSpokes.
6. Select OK.
To create a security policy for the zone
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings:
- Incoming Interface: Our_VPN_zone
- Source Address: All
- Outgoing Interface: Our_VPN_zone
- Destination Address: All
- Action: ACCEPT
- Enable NAT: Enable
4. Select OK.
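The two GUI procedures above (the zone and the zone-to-zone policy) can also be entered from the FortiGate CLI. The following is an added example, not configuration taken from the original page; it assumes the zone name Our_VPN_zone and the virtual IPsec interface toSpokes used above. The policy name "spoke-to-spoke" is an arbitrary label chosen here, and `edit 0` lets FortiOS assign the next free policy ID rather than hard-coding one:

```fortios
# Added example: hub-side zone for the virtual IPsec interface(s).
# "set intrazone deny" is the CLI equivalent of "Block intra-zone traffic",
# which forces spoke-to-spoke traffic through an explicit policy so that
# UTM profiles can be applied to it.
config system zone
    edit "Our_VPN_zone"
        set intrazone deny
        set interface "toSpokes"
    next
end

# Added example: zone-to-zone policy matching the GUI settings above.
# schedule and service are required by the CLI; the GUI fills them in
# with "always" and "ALL" by default.
config firewall policy
    edit 0
        set name "spoke-to-spoke"
        set srcintf "Our_VPN_zone"
        set dstintf "Our_VPN_zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After entering this, confirm the result with `show system zone` and `show firewall policy`, and check that a spoke-originated session to another spoke is logged against the new policy. Because intra-zone traffic is denied and the policy matches all-to-all, this is the single place where UTM profiles (antivirus, IPS, web filter) for spoke-to-spoke traffic are attached; if you later want to restrict which spoke networks may reach each other, narrow `srcaddr` and `dstaddr` to the spoke address objects instead of `all`.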
Configure the spokes
In this example, all spokes have nearly identical configuration, requiring the following:
- Phase 1 authentication parameters to initiate a connection with the hub.
- Phase 2 tunnel creation parameters to establish a VPN tunnel with the hub.
- A source address that represents the network behind the spoke. This is the only part of the configuration that is different for each spoke.
- A destination address that represents the aggregate protected network.
- A security policy to enable communications between the spoke and the aggregate protected network.