Using aggregated subnets
If you are creating a new network, where subnet IP addresses are not already assigned, you can simplify the VPN configuration by assigning spoke subnets that are part of a large subnet.
Aggregated subnets
All spokes use the large subnet address, 10.1.0.0/16 for example, as:
- The IPsec destination selector
- The destination of the security policy from the private subnet to the VPN (required for policy-based VPN, optional for route-based VPN)
- The destination of the static route to the VPN (route-based)
Each spoke uses the address of its own protected subnet as the IPsec source selector and as the source address in its VPN security policy. The remote gateway is the public IP address of the hub FortiGate unit.
Using an address group
If you want to create a hub-and-spoke VPN between existing private networks, the subnet addressing usually does not fit the aggregated subnet model discussed earlier. All of the spokes and the hub will need to include the addresses of all the protected networks in their configuration.
On FortiGate units, you can define a named firewall address for each of the remote protected networks and add these addresses to a firewall address group. For a policy-based VPN, you can then use this address group as the destination of the VPN security policy.
For a route-based VPN, the destination of the VPN security policy can be set to All. You need to specify appropriate routes for each of the remote subnets.
Authentication
Authentication is by a common pre-shared key or by certificates. For simplicity, the examples in this chapter assume that all spokes use the same pre-shared key.
Configure the hub
At the FortiGate unit that acts as the hub, you need to:
- Configure the VPN to each spoke
- Configure communication between spokes
You configure communication between spokes differently for a policy-based VPN than for a route-based VPN. For a policy-based VPN, you configure a VPN concentrator. For a route-based VPN, you must either define security policies or group the IPsec interfaces into a zone
Define the hub-spoke VPNs
Perform these steps at the FortiGate unit that will act as the hub. Although this procedure assumes that the spokes are all FortiGate units, a spoke could also be VPN client software, such as FortiClient Endpoint Security.
To configure the VPN hub
1. At the hub, define the Phase 1 configuration for each spoke. See Phase 1 parameters on page 1624. Enter these settings in particular:
Name Enter a name to identify the VPN in Phase 2 configurations, security policies and the VPN monitor.
Remote Gateway The remote gateway is the other end of the VPN tunnel. There are three options:
Static IP Address — Enter the spoke’s public IP Address. You will need to create a Phase 1 configuration for each spoke. Either the hub or the spoke can establish the VPN connection.
Dialup User — No additional information is needed. The hub accepts con- nections from peers with appropriate encryption and authentication set- tings. Only one Phase 1 configuration is needed for multiple dialup spokes. Only the spoke can establish the VPN tunnel.
Dynamic DNS — If the spoke subscribes to a dynamic DNS service, enter the spoke’s Dynamic DNS domain name. Either the hub or the spoke can establish the VPN connection. For more information, see Dynamic DNS configuration on page 1688.
Local Interface Select the FortiGate interface that connects to the remote gateway. This is usually the FortiGate unit’s public interface.
2. Define the Phase 2 parameters needed to create a VPN tunnel with each spoke. See Phase 2 parameters on page 1642. Enter these settings in particular:
Name Enter a name to identify this spoke Phase 2 configuration.
Phase 1 Select the name of the Phase 1 configuration that you defined for this spoke.
IPsec VPN in ADVPN hub-and-spoke
IPsec VPN traffic is allowed through a tunnel between an ADVPN hub-and-spoke.
CLI Syntax:
config vpn ipsec phase1-interface edit “int-fgtb”
…
set auto-discovery-sender [enable | disable] set auto-discovery-receiver [enable | disable] set auto-discovery-forwarder [enable | disable]
… next
end
config vpn ipsec phase2-interface edit “int-fgtb”
…
set auto-discovery-sender phase1 [enable | disable]
… next
end