Define the IPsec configuration
At each spoke, create the following configuration.
To define the Phase 1 parameters
1. At the spoke, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
Enter the following information:
Name: Type a name, for example, toHub.
Remote Gateway: Select Static IP Address.
IP Address: Enter 172.16.10.1.
Local Interface: Select Port2.
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key. The value must be identical to the preshared key that you specified previously in the FortiGate_1 configuration.
Peer Options: Select Any peer ID.
To define the Phase 2 parameters
1. Open the Phase 2 Selectors panel (if it is not available, you may need to click the Convert to Custom Tunnel button).
2. Enter the following information and select OK:
Name: Enter a name for the tunnel, for example, toHub_ph2.
Phase 1: Select the name of the Phase 1 configuration that you defined previously, for example, toHub.
Advanced: Select to show the following Quick Mode Selector settings.
Source: Enter the address of the protected network at this spoke.
For spoke_1, this is 10.1.1.0/24. For spoke_2, this is 10.1.2.0/24.
Destination: Enter the aggregate protected subnet address, 10.1.0.0/16.
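The same Phase 1 and Phase 2 settings expressed in the FortiOS CLI, as an added example that is not part of the original page. It shows spoke_1 (protected network 10.1.1.0/24); the aes256-sha256 proposal and the pre-shared key placeholder are assumptions, since the page states neither, and the key must be replaced with the value configured on FortiGate_1.

```fortios
# Spoke_1, Phase 1 (IKE): static hub gateway 172.16.10.1, reached via port2.
# Main mode and "Any peer ID" mirror the GUI steps above.
config vpn ipsec phase1-interface
    edit "toHub"
        set interface "port2"
        set ike-version 1
        set mode main
        set remote-gw 172.16.10.1
        set peertype any
        # Proposal is an assumption; the page does not specify one.
        set proposal aes256-sha256
        # Placeholder: use the identical key that was set on FortiGate_1.
        set psksecret <preshared-key-from-FortiGate_1>
    next
end

# Spoke_1, Phase 2 (quick mode selectors): local protected network to the
# aggregate protected network. spoke_2 would use 10.1.2.0 255.255.255.0 as src-subnet.
config vpn ipsec phase2-interface
    edit "toHub_ph2"
        set phase1name "toHub"
        set proposal aes256-sha256
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.0.0
    next
end
```

Keep the Phase 2 source selector identical to the LocalNet address object used in the security policies; a mismatch between the quick mode selectors and the policy addresses is the usual reason spoke traffic is accepted by policy but never enters the tunnel.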
Define the security policies
You need to define firewall addresses for the spokes and the aggregate protected network and then create a security policy to enable communication between them.
To define the IP address of the network behind the spoke
1. Go to Policy & Objects > Addresses.
2. Select Create New and enter the following information:
Address Name: Enter an address name, for example, LocalNet.
Type: Subnet
Subnet/IP Range: Enter the IP address of the private network behind the spoke.
For spoke_1, this is 10.1.1.0/24. For spoke_2, this is 10.1.2.0/24.
To specify the IP address of the aggregate protected network
1. Go to Policy & Objects > Addresses.
2. Select Create New and enter the following information:
Address Name: Enter an address name, for example, Spoke_net.
Type: Subnet
Subnet/IP Range: Enter the IP address of the aggregate protected network, 10.1.0.0/16.
To define the security policy
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information:
Incoming Interface: Select the virtual IPsec interface, toHub.
Source Address: Select the aggregate protected network address, Spoke_net.
Outgoing Interface: Select the interface to the internal (private) network, port1.
Destination Address: Select the address for this spoke's protected network, LocalNet.
Action: Select ACCEPT.
4. Select Create New.
5. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
6. Enter the following information, and select OK:
Incoming Interface: Select the interface to the internal private network, port1.
Source Address: Select the address for this spoke's protected network, LocalNet.
Outgoing Interface: Select the virtual IPsec interface, toHub.
Destination Address: Select the aggregate protected network address, Spoke_net.
Action: Select ACCEPT.
Place these policies in the policy list above any other policies having similar source and destination addresses.
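The address objects and the two security policies from this section in FortiOS CLI form, followed by the commands used to check the result, as an added example that is not part of the original page. spoke_1 is shown; the policy names, the "always" schedule and the "ALL" service are assumptions (the page only specifies the interfaces, addresses and ACCEPT action), and the policy IDs in the move command are placeholders.

```fortios
# Address objects for this spoke (spoke_2 uses 10.1.2.0 255.255.255.0 for LocalNet).
config firewall address
    edit "LocalNet"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "Spoke_net"
        set subnet 10.1.0.0 255.255.0.0
    next
end

# Policy 1: traffic arriving from the hub tunnel (toHub) to the local network (port1).
# Policy 2: local network out through the tunnel.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "hub-to-LocalNet"
        set srcintf "toHub"
        set dstintf "port1"
        set srcaddr "Spoke_net"
        set dstaddr "LocalNet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "LocalNet-to-hub"
        set srcintf "port1"
        set dstintf "toHub"
        set srcaddr "LocalNet"
        set dstaddr "Spoke_net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Place the new policies above any existing policy with overlapping
    # source/destination addresses; <new-id> and <existing-id> are placeholders.
    move <new-id> before <existing-id>
end

# Verification once a host behind the spoke sends traffic toward 10.1.0.0/16:
# the IKE SA and the Phase 2 SA for toHub should both be listed.
diagnose vpn ike gateway list name toHub
diagnose vpn tunnel list name toHub
```

Because FortiOS evaluates policies top down and stops at the first match, a broader policy listed earlier (for example one whose source is port1 and destination is "all") would silently take the traffic instead of the tunnel policy; checking the order with show firewall policy after the move is the quickest way to confirm the placement the last step above asks for.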