Fortinet black logo

Administration Guide

IPsec VPN wizard hub-and-spoke ADVPN support

IPsec VPN wizard hub-and-spoke ADVPN support

When using the IPsec VPN wizard to create a hub and spoke VPN, multiple local interfaces can be selected. At the end of the wizard, changes can be reviewed, real-time updates can be made to the local address group and tunnel interface, and easy configuration keys can be copied for configuring the spokes.

When editing a VPN tunnel, the Hub & Spoke Topology section provides access to the easy configuration keys for the spokes, and allows you to add more spokes.

This example shows the configuration of a hub with two spokes.

To configure the hub:
  1. Go to VPN > IPsec Wizard.
  2. Go through the steps of the wizard:
    1. VPN Setup:

      Name

      hub

      Template Type

      Hub-and-Spoke

      Role

      Hub

    2. Authentication:

      Incoming Interface

      port1

      Authentication method

      Pre-shared Key

      Pre-shared key

      <key>

    3. Tunnel Interface:

      Tunnel IP

      10.10.1.1

      Remote IP/netmask

      10.10.1.2/24

    4. Policy & Routing:

      Multiple local interfaces and subnets can be configured.

      Local AS

      65400

      Local interface

      port3

      port4

      Local subnets

      174.16.101.0/24

      173.1.1.0/24

      Spoke #1 tunnel IP

      10.10.1.3

      Spoke #2 tunnel IP

      10.10.1.4

    5. Review Settings:

      Confirm that the settings look correct, then click Create.

  3. The summary shows details about the set up hub:
    • The Local address group and Tunnel interface can be edited directly on this page.
    • Spoke easy configuration keys can be used to quickly configure the spokes.

  4. Click Show Tunnel List to go to VPN > IPsec Tunnels.
  5. Edit the VPN tunnel to add more spokes and to copy the spokes' easy configuration keys.

To configure the spokes:
  1. Go to VPN > IPsec Wizard.
  2. On the VPN Setup page of the wizard, enter the following:

    Name

    spoke1

    Template Type

    Hub-and-Spoke

    Role

    Spoke

  3. In the Easy configuration key field, paste the Spoke #1 key from the hub FortiGate, click Apply, then click Next.

  4. Adjust the Authentication settings as required, enter the Pre-shared key, then click Next.
  5. Adjust the Tunnel Interface settings as required, then click Next.
  6. Configure the Policy & Routing settings, then click Next:

    Local interface

    wan2

    Local subnets

    10.1.100.0/24

  7. Review the settings, then click Create.
  8. The summary shows details about the set up spoke. The Local address group and Tunnel interface can be edited directly on this page.
  9. Follow the same steps to configure the second spoke.
To check that the tunnels are created and working:
  1. On the hub FortiGate, go to Dashboard > Network and expand the IPsec widget.

    The tunnels to the spokes are established.

  2. On a spoke, go to Dashboard > Network and expand the IPsec widget.

    The tunnel to the hub and the spoke to spoke shortcut are established.

IPsec VPN wizard hub-and-spoke ADVPN support

When using the IPsec VPN wizard to create a hub and spoke VPN, multiple local interfaces can be selected. At the end of the wizard, changes can be reviewed, real-time updates can be made to the local address group and tunnel interface, and easy configuration keys can be copied for configuring the spokes.

When editing a VPN tunnel, the Hub & Spoke Topology section provides access to the easy configuration keys for the spokes, and allows you to add more spokes.

This example shows the configuration of a hub with two spokes.

To configure the hub:
  1. Go to VPN > IPsec Wizard.
  2. Go through the steps of the wizard:
    1. VPN Setup:

      Name

      hub

      Template Type

      Hub-and-Spoke

      Role

      Hub

    2. Authentication:

      Incoming Interface

      port1

      Authentication method

      Pre-shared Key

      Pre-shared key

      <key>

    3. Tunnel Interface:

      Tunnel IP

      10.10.1.1

      Remote IP/netmask

      10.10.1.2/24

    4. Policy & Routing:

      Multiple local interfaces and subnets can be configured.

      Local AS

      65400

      Local interface

      port3

      port4

      Local subnets

      174.16.101.0/24

      173.1.1.0/24

      Spoke #1 tunnel IP

      10.10.1.3

      Spoke #2 tunnel IP

      10.10.1.4

    5. Review Settings:

      Confirm that the settings look correct, then click Create.

  3. The summary shows details about the set up hub:
    • The Local address group and Tunnel interface can be edited directly on this page.
    • Spoke easy configuration keys can be used to quickly configure the spokes.

  4. Click Show Tunnel List to go to VPN > IPsec Tunnels.
  5. Edit the VPN tunnel to add more spokes and to copy the spokes' easy configuration keys.

To configure the spokes:
  1. Go to VPN > IPsec Wizard.
  2. On the VPN Setup page of the wizard, enter the following:

    Name

    spoke1

    Template Type

    Hub-and-Spoke

    Role

    Spoke

  3. In the Easy configuration key field, paste the Spoke #1 key from the hub FortiGate, click Apply, then click Next.

  4. Adjust the Authentication settings as required, enter the Pre-shared key, then click Next.
  5. Adjust the Tunnel Interface settings as required, then click Next.
  6. Configure the Policy & Routing settings, then click Next:

    Local interface

    wan2

    Local subnets

    10.1.100.0/24

  7. Review the settings, then click Create.
  8. The summary shows details about the set up spoke. The Local address group and Tunnel interface can be edited directly on this page.
  9. Follow the same steps to configure the second spoke.
To check that the tunnels are created and working:
  1. On the hub FortiGate, go to Dashboard > Network and expand the IPsec widget.

    The tunnels to the spokes are established.

  2. On a spoke, go to Dashboard > Network and expand the IPsec widget.

    The tunnel to the hub and the spoke to spoke shortcut are established.