Configuration 4: Basic VPN hub

In a VPN hub configuration, a gateway is configured to forward VPN traffic between different VPN tunnels.

The gateway that does this forwarding is called a hub gateway. The gateways that contact each other through a hub are called spoke gateways.

The hub gateway must be set up specifically as a hub. The hub configuration is reflected in the topology, the Site definitions, and the VPN rules. The spoke gateways do not require any hub-specific configuration. In this example configuration, VPN tunnels are established from all spoke gateways to the hub gateway. All networks of all gateways are configured as reachable through the hub. Connections are allowed only as defined in the Firewall Access rules.

Note: There must not be duplicate endpoint-to-endpoint tunnels in different VPNs. If there are existing tunnels between the hub gateway and the other gateways in other active VPNs, you must remove the overlapping configurations.

This basic configuration scenario explains a configuration in which all connections are defined within the same Policy-Based VPN element. A single Policy-Based VPN element is simpler to set up and maintain than forwarding traffic between VPN tunnels defined in different Policy-Based VPN elements. In this scenario, all gateways are Firewalls controlled by the same Management Server. You can add External VPN Gateways to this configuration even though their creation is not covered in detail in this workflow.
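The two checks this scenario implies (every spoke has a tunnel to the hub, and no endpoint pair is tunnelled in more than one VPN element) can be expressed as a small validation script. The following is an added example, not part of this guide and not the product's own configuration format or API: it models each VPN element as a list of endpoint-to-endpoint tunnels (constructed, hypothetical data using documentation IP ranges) and reports the missing and overlapping tunnels that the note above says must be fixed before the hub VPN is activated.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Hypothetical model: a tunnel is an unordered pair of endpoint addresses.
# This is an illustrative data structure, not the product's configuration schema.
Tunnel = Tuple[str, str]


def normalize(tunnel: Tunnel) -> Tunnel:
    """Order the two endpoints so (A, B) and (B, A) compare equal."""
    a, b = tunnel
    return (a, b) if a <= b else (b, a)


def hub_tunnels(hub_endpoint: str, spoke_endpoints: List[str]) -> List[Tunnel]:
    """Tunnels a basic hub configuration needs: one from each spoke to the hub."""
    return [normalize((spoke, hub_endpoint)) for spoke in spoke_endpoints]


def missing_hub_tunnels(hub_endpoint: str, spoke_endpoints: List[str],
                        configured: List[Tunnel]) -> List[str]:
    """Spokes that have no tunnel to the hub in the hub VPN element."""
    present = {normalize(t) for t in configured}
    return [s for s in spoke_endpoints if normalize((s, hub_endpoint)) not in present]


def find_duplicate_tunnels(vpns: Dict[str, List[Tunnel]]) -> Dict[Tunnel, List[str]]:
    """Endpoint pairs that appear in more than one VPN element.

    Such overlaps are exactly what the note in this scenario forbids: the
    same endpoint-to-endpoint tunnel defined in two different active VPNs.
    """
    seen: Dict[Tunnel, List[str]] = defaultdict(list)
    for vpn_name, tunnels in vpns.items():
        for t in {normalize(t) for t in tunnels}:
            seen[t].append(vpn_name)
    return {t: names for t, names in seen.items() if len(names) > 1}


# Constructed sample data (documentation address ranges, not a real deployment).
HUB = "198.51.100.1"
SPOKES = ["203.0.113.10", "203.0.113.20", "192.0.2.5"]

VPN_ELEMENTS: Dict[str, List[Tunnel]] = {
    # The new hub VPN: tunnels from every spoke to the hub.
    "Hub VPN": hub_tunnels(HUB, SPOKES),
    # A pre-existing VPN element that already tunnels one branch to the hub,
    # which overlaps with the hub VPN and must be removed or merged.
    "Old Branch VPN": [("198.51.100.1", "203.0.113.10")],
}


def validate() -> Tuple[List[str], Dict[Tunnel, List[str]]]:
    """Run both checks over the sample data and return their findings."""
    missing = missing_hub_tunnels(HUB, SPOKES, VPN_ELEMENTS["Hub VPN"])
    duplicates = find_duplicate_tunnels(VPN_ELEMENTS)
    return missing, duplicates


if __name__ == "__main__":
    missing, duplicates = validate()
    print("Spokes without a hub tunnel:", missing or "none")
    for tunnel, names in duplicates.items():
        print(f"Duplicate tunnel {tunnel[0]} <-> {tunnel[1]} defined in: {', '.join(names)}")
```

Running the script reports no missing spokes and one duplicate, the 198.51.100.1 to 203.0.113.10 tunnel present in both "Hub VPN" and "Old Branch VPN"; in a real migration the overlapping tunnel in the older VPN element is the one to remove.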