The configuration described here must be set up on Data Center 1 FortiGate and Data Center 2 FortiGate. The following steps show how to configure Data Center 1 FortiGate (as shown in the diagram). You can repeat this configuration for Data Center 2 FortiGate, substituting the proper IP addresses and interface names.
This configuration has the following objectives:
- Zero-touch IPsec VPN provisioning of new branches
- Point-to-multipoint IPsec VPN
- Central management of data center access from each data center firewall
- Dynamic peering to share routing information between each branch and the data center

Each data center configuration includes dynamic (or dial-up) IPsec VPN, BGP, firewall policies to control access, and a blackhole route for each branch office.