IPSec VPN VPN concentrator (hub) general configuration steps
FortiGate-100 Installation and Configuration Guide 199
IPSec VPN concentrators
In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as
a hub. The peers that connect to the hub are known as spokes. The hub functions as
a concentrator on the network, managing the VPN connections between the spokes.
The advantage of a hub-and-spoke network is that the spokes are simpler to configure
because they require fewer policy rules. Also, a hub-and-spoke network provides
some processing efficiencies, particularly on the spokes. The disadvantage of a hub-
and-spoke network is its reliance on a single peer to handle management of all VPNs.
If this peer goes down, all encrypted communication in the network is impossible.
A hub-and-spoke VPN network requires a special configuration. Setup varies
depending on the role that the VPN peer is serving. If the VPN peer is a FortiGate unit
functioning as the hub, or concentrator, it requires a VPN configuration connecting it to
each spoke (AutoIKE phase 1 and 2 settings or manual key settings, plus encrypt
policies). It also requires a concentrator configuration that groups the hub-and-spoke
tunnels together. The concentrator configuration defines the FortiGate unit as the hub
in a hub-and-spoke network.
If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but
not to the other spokes). It also requires policies that control its encrypted connections
to the other spokes and its non-encrypted connections to other networks, such as the
Internet.
• VPN concentrator (hub) general configuration steps
• Adding a VPN concentrator
• VPN spoke general configuration steps
VPN concentrator (hub) general configuration steps
A central FortiGate that is functioning as a hub requires the following configuration:
• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration)
for each spoke.
• Destination addresses for each spoke.
• A concentrator configuration.
• An encrypt policy for each spoke.
To Next Page
Loading...
Need help?
General