Fortinet FortiGate-800 manual VPN spoke general configuration steps, 252

VPN spoke general configuration steps

A remote VPN peer that functions as a spoke requires the following configuration:

•A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for the hub.

•The source address of the local VPN spoke.

•The destination address of each remote VPN spoke.

•A separate outbound encrypt policy for each remote VPN spoke. These policies allow the local VPN spoke to initiate encrypted connections.

•A single inbound encrypt policy. This policy allows the local VPN spoke to accept encrypted connections.

To create a VPN spoke configuration

1Configure a tunnel between the spoke and the hub. Choose between a manual key tunnel or an AutoIKE tunnel.

•To add a manual key tunnel, see “Manual key IPSec VPNs” on page 233.

•To add an AutoIKE tunnel, see “AutoIKE IPSec VPNs” on page 235.

2Add the source address. One source address is required for the local VPN spoke. See “Adding a source address” on page 246.

3Add a destination address for each remote VPN spoke. The destination address is the address of the spoke (either a client on the Internet or a network located behind a gateway).

See “Adding a destination address” on page 247

4Add a separate outbound encrypt policy for each remote VPN spoke. These policies control the encrypted connections initiated by the local VPN spoke.

The encrypt policy must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:

See “Adding an encrypt policy” on page 247.

5Add an inbound encrypt policy. This policy controls the encrypted connections initiated by the remote VPN spokes.

The encrypt policy for the hub must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration: