
Fortinet FortiGate FortiGate-800

336 pages
IPSec VPN IPSec VPN concentrators
FortiGate-800 Installation and Configuration Guide 249
Figure 60: Adding an encrypt policy
IPSec VPN concentrators
In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer called a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes.

The advantage of a hub-and-spoke network is that the spokes are simpler to configure because they require fewer policy rules. Also, a hub-and-spoke network provides some processing efficiencies, particularly on the spokes. The disadvantage of a hub-and-spoke network is its reliance on a single peer to handle management of all VPNs. If this peer fails, encrypted communication in the network is impossible.

A hub-and-spoke VPN network requires a special configuration. Setup varies depending on the role of the VPN peer.

If the VPN peer is a FortiGate unit functioning as the hub, or concentrator, it requires a VPN configuration connecting it to each spoke (AutoIKE phase 1 and 2 settings or manual key settings, plus encrypt policies). It also requires a concentrator configuration that groups the hub-and-spoke tunnels together. The concentrator configuration defines the FortiGate unit as the hub in a hub-and-spoke network.
