Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.0.7 Administration Guide
    7.0.7
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    IPsec VPN wizard hub-and-spoke ADVPN support

    IPsec VPN wizard hub-and-spoke ADVPN support

    When using the IPsec VPN wizard to create a hub and spoke VPN, multiple local interfaces can be selected. At the end of the wizard, changes can be reviewed, real-time updates can be made to the local address group and tunnel interface, and easy configuration keys can be copied for configuring the spokes.

    When editing a VPN tunnel, the Hub & Spoke Topology section provides access to the easy configuration keys for the spokes, and allows you to add more spokes.

    This example shows the configuration of a hub with two spokes.

    To configure the hub:
    1. Go to VPN > IPsec Wizard.
    2. Go through the steps of the wizard:
      1. VPN Setup:

        Name

        hub

        Template Type

        Hub-and-Spoke

        Role

        Hub

      2. Authentication:

        Incoming Interface

        port1

        Authentication method

        Pre-shared Key

        Pre-shared key

        <key>

      3. Tunnel Interface:

        Tunnel IP

        10.10.1.1

        Remote IP/netmask

        10.10.1.2/24

      4. Policy & Routing:

        Multiple local interfaces and subnets can be configured.

        Local AS

        65400

        Local interface

        port3

        port4

        Local subnets

        174.16.101.0/24

        173.1.1.0/24

        Spoke #1 tunnel IP

        10.10.1.3

        Spoke #2 tunnel IP

        10.10.1.4

      5. Review Settings:

        Confirm that the settings look correct, then click Create.

    3. The summary shows details about the set up hub:
      • The Local address group and Tunnel interface can be edited directly on this page.
      • Spoke easy configuration keys can be used to quickly configure the spokes.

    4. Click Show Tunnel List to go to VPN > IPsec Tunnels.
    5. Edit the VPN tunnel to add more spokes and to copy the spokes' easy configuration keys.

    To configure the spokes:
    1. Go to VPN > IPsec Wizard.
    2. On the VPN Setup page of the wizard, enter the following:

      Name

      spoke1

      Template Type

      Hub-and-Spoke

      Role

      Spoke

    3. In the Easy configuration key field, paste the Spoke #1 key from the hub FortiGate, click Apply, then click Next.

    4. Adjust the Authentication settings as required, enter the Pre-shared key, then click Next.
    5. Adjust the Tunnel Interface settings as required, then click Next.
    6. Configure the Policy & Routing settings, then click Next:

      Local interface

      wan2

      Local subnets

      10.1.100.0/24

    7. Review the settings, then click Create.
    8. The summary shows details about the set up spoke. The Local address group and Tunnel interface can be edited directly on this page.
    9. Follow the same steps to configure the second spoke.
    To check that the tunnels are created and working:
    1. On the hub FortiGate, go to Dashboard > Network and expand the IPsec widget.

      The tunnels to the spokes are established.

    2. On a spoke, go to Dashboard > Network and expand the IPsec widget.

      The tunnel to the hub and the spoke to spoke shortcut are established.

    Previous
    Next

    IPsec VPN wizard hub-and-spoke ADVPN support

    IPsec VPN wizard hub-and-spoke ADVPN support

    When using the IPsec VPN wizard to create a hub and spoke VPN, multiple local interfaces can be selected. At the end of the wizard, changes can be reviewed, real-time updates can be made to the local address group and tunnel interface, and easy configuration keys can be copied for configuring the spokes.

    When editing a VPN tunnel, the Hub & Spoke Topology section provides access to the easy configuration keys for the spokes, and allows you to add more spokes.

    This example shows the configuration of a hub with two spokes.

    To configure the hub:
    1. Go to VPN > IPsec Wizard.
    2. Go through the steps of the wizard:
      1. VPN Setup:

        Name

        hub

        Template Type

        Hub-and-Spoke

        Role

        Hub

      2. Authentication:

        Incoming Interface

        port1

        Authentication method

        Pre-shared Key

        Pre-shared key

        <key>

      3. Tunnel Interface:

        Tunnel IP

        10.10.1.1

        Remote IP/netmask

        10.10.1.2/24

      4. Policy & Routing:

        Multiple local interfaces and subnets can be configured.

        Local AS

        65400

        Local interface

        port3

        port4

        Local subnets

        174.16.101.0/24

        173.1.1.0/24

        Spoke #1 tunnel IP

        10.10.1.3

        Spoke #2 tunnel IP

        10.10.1.4

      5. Review Settings:

        Confirm that the settings look correct, then click Create.

    3. The summary shows details about the set up hub:
      • The Local address group and Tunnel interface can be edited directly on this page.
      • Spoke easy configuration keys can be used to quickly configure the spokes.

    4. Click Show Tunnel List to go to VPN > IPsec Tunnels.
    5. Edit the VPN tunnel to add more spokes and to copy the spokes' easy configuration keys.

    To configure the spokes:
    1. Go to VPN > IPsec Wizard.
    2. On the VPN Setup page of the wizard, enter the following:

      Name

      spoke1

      Template Type

      Hub-and-Spoke

      Role

      Spoke

    3. In the Easy configuration key field, paste the Spoke #1 key from the hub FortiGate, click Apply, then click Next.

    4. Adjust the Authentication settings as required, enter the Pre-shared key, then click Next.
    5. Adjust the Tunnel Interface settings as required, then click Next.
    6. Configure the Policy & Routing settings, then click Next:

      Local interface

      wan2

      Local subnets

      10.1.100.0/24

    7. Review the settings, then click Create.
    8. The summary shows details about the set up spoke. The Local address group and Tunnel interface can be edited directly on this page.
    9. Follow the same steps to configure the second spoke.
    To check that the tunnels are created and working:
    1. On the hub FortiGate, go to Dashboard > Network and expand the IPsec widget.

      The tunnels to the spokes are established.

    2. On a spoke, go to Dashboard > Network and expand the IPsec widget.

      The tunnel to the hub and the spoke to spoke shortcut are established.

    Previous
    Next