Redundant hub and spoke VPN

A redundant hub and spoke configuration allows VPN connections to radiate from a central FortiGate unit (the hub) to multiple remote peers (the spokes). Traffic can pass between private networks behind the hub and private networks behind the remote peers. Traffic can also pass between remote peer private networks through the hub.

This is a sample configuration of a hub and spoke IPsec VPN. The following applies to this scenario:

  • The spokes have two WAN interfaces and two IPsec VPN tunnels for redundancy.
  • The secondary VPN tunnel comes up only when dead peer detection (DPD) determines that the primary tunnel is down.

Because the GUI can only complete part of the configuration, we recommend using the CLI.

To configure redundant hub and spoke VPN using the FortiOS CLI:
  1. Configure the hub.
    1. Configure the WAN, internal interface, and static route.

      config system interface
          edit "port13"
              set alias "WAN"
              set ip 172.16.202.1 255.255.255.0
          next
          edit "port9"
              set alias "Internal"
              set ip 172.16.101.1 255.255.255.0
          next
      end
      config router static
          edit 1
              set gateway 172.16.202.2
              set device "port13"
          next
      end

    2. Configure the IPsec phase1-interface and phase2-interface.

      config vpn ipsec phase1-interface
          edit "hub"
              set type dynamic
              set interface "port13"
              set peertype any
              set net-device enable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set dpd on-idle
              set psksecret sample
              set dpd-retryinterval 60
          next
      end
      config vpn ipsec phase2-interface
          edit "hub"
              set phase1name "hub"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end

    3. Configure the firewall policy.

      config firewall policy
          edit 1
              set name "spoke-hub"
              set srcintf "hub"
              set dstintf "port9"
              set srcaddr "all"
              set dstaddr "172.16.101.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set name "spoke-spoke"
              set srcintf "hub"
              set dstintf "hub"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end
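The hub steps above depend on a handful of settings working together: the phase1 must be dynamic so spokes on unknown addresses can connect, DPD must be on because the spokes' failover is driven by it, net-device must be enabled so each spoke gets its own tunnel interface, and two policies (spoke to internal, spoke to spoke) must exist. The following added example, which is not Fortinet's code and not a FortiOS feature, parses a FortiOS CLI snippet into a dictionary and reports whether each of those conditions holds; it also flags the placeholder `psksecret sample` from the sample, which must be replaced with a long random key before the configuration is deployed. The parser assumes only the `config` / `edit` / `set` / `next` / `end` grammar shown on this page, the placeholder-key list is constructed, and the embedded sample snippet is copied from the hub configuration above.

```python
"""Parse a FortiOS CLI snippet and check the hub-side settings that the
redundant hub-and-spoke design relies on. Added example, not Fortinet code."""
import shlex

# Constructed sample: the hub phase1 and firewall policies from this page.
SAMPLE_HUB_CONFIG = """\
config vpn ipsec phase1-interface
    edit "hub"
        set type dynamic
        set interface "port13"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set psksecret sample
        set dpd-retryinterval 60
    next
end
config firewall policy
    edit 1
        set name "spoke-hub"
        set srcintf "hub"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "172.16.101.0"
        set action accept
    next
    edit 2
        set name "spoke-spoke"
        set srcintf "hub"
        set dstintf "hub"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
"""

# Constructed list of values that are obviously not real pre-shared keys.
PLACEHOLDER_PSKS = {"sample", "password", "fortinet", "changeme"}


def parse_fortios(text):
    """Return {table: {entry: {option: [values]}}} for a config snippet.

    'config' opens a table (nested tables are folded under the current
    entry), 'edit' opens an entry, 'set' stores a list of values, and
    'next'/'end' close the innermost block. shlex strips the quotes.
    """
    root = {}
    stack = [root]  # innermost container is stack[-1]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1].pop(args[0], None)
        elif kw in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unknown keyword {kw!r} in line: {raw}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def check_hub(cfg, phase1="hub", internal_if="port9"):
    """Return {check description: passed} for the hub-side requirements."""
    hub = cfg.get("vpn ipsec phase1-interface", {}).get(phase1, {})
    policies = list(cfg.get("firewall policy", {}).values())

    def accept_policy(src, dst):
        return any(p.get("srcintf") == [src] and p.get("dstintf") == [dst]
                   and p.get("action") == ["accept"] for p in policies)

    psk = hub.get("psksecret", [""])[0]
    return {
        "phase1 is dynamic (spokes may connect from any address)":
            hub.get("type") == ["dynamic"],
        "dpd explicitly enabled (spoke failover depends on it)":
            hub.get("dpd", ["disable"])[0] != "disable",
        "net-device enabled (one tunnel interface per spoke)":
            hub.get("net-device") == ["enable"],
        "psksecret is not a placeholder":
            psk.lower() not in PLACEHOLDER_PSKS and len(psk) >= 16,
        "policy allows spoke -> internal":
            accept_policy(phase1, internal_if),
        "policy allows spoke -> spoke through the hub":
            accept_policy(phase1, phase1),
    }


if __name__ == "__main__":
    for name, ok in check_hub(parse_fortios(SAMPLE_HUB_CONFIG)).items():
        print("PASS" if ok else "FAIL", name)
```

Run against the page's own hub snippet, every check passes except the pre-shared key one, which is exactly the outcome you want from a sample: the design-critical settings are present, and the one value that must not be copied verbatim is called out. To check a real device, paste the output of `show vpn ipsec phase1-interface` and `show firewall policy` into the same parser.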

  2. Configure the spokes.
    1. Configure the WAN, internal interface, and static route.
      1. Configure Spoke1.

        config system interface
            edit "port1"
                set ip 172.16.200.1 255.255.255.0
            next
            edit "wan1"
                set mode dhcp
                set distance 10
                set priority 100
            next
            edit "dmz"
                set ip 10.1.100.1 255.255.255.0
            next
        end
        config router static
            edit 1
                set gateway 172.16.200.2
                set device "port1"
            next
        end

      2. Configure Spoke2.

        config system interface
            edit "wan1"
                set ip 172.16.200.3 255.255.255.0
            next
            edit "wan