Example VPN configuration 4: Basic VPN hub
In a VPN hub configuration, a gateway is configured to forward VPN traffic between different VPN tunnels.
The gateway that does this forwarding is called a hub gateway. The gateways that contact each other through a hub are called spoke gateways.
All traffic from the Spoke 1 internal network to the Spoke 2 internal network, and from the Spoke 2 internal network to the Spoke 1 internal network, is sent through a VPN tunnel to the hub gateway. The hub gateway then forwards the traffic through another VPN tunnel to its destination.
The hub gateway must be set up specifically as a hub. The hub configuration is reflected in the topology, the Site definitions, and the VPN Access rules. The spoke gateways do not require any hub-specific configuration. In this example configuration, VPN tunnels are established from all spoke gateways to the hub gateway. All networks of all gateways are configured as reachable through the hub. Connections are allowed only as defined in the Firewall Access rules.
This scenario explains a configuration in which all connections are defined within the same Policy-Based VPN element. A single Policy-Based VPN element is simpler to set up and maintain than forwarding traffic between VPN tunnels defined in different Policy-Based VPN elements. In this scenario, all gateways are Firewalls controlled by the same Management Server. You can add External VPN Gateways to this configuration even though their creation is not covered in detail in this workflow.
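As an added illustration that is not part of this configuration guide and does not use the product's own configuration format, the following Python model shows how the Site definitions, the spoke-to-hub-only tunnels, and the hub's Access rules together decide whether a packet between two spoke networks is forwarded through the hub. The gateway names, networks and rule tuples are constructed assumptions.

```python
# Constructed model, not the product's configuration format. Site definitions list
# the protected networks behind each gateway; the hub's Site also lists the spoke
# networks, which is what makes spokes route traffic for them through the hub.
from ipaddress import ip_address, ip_network

SITES = {
    "Hub":    ["10.0.0.0/24", "10.1.0.0/24", "10.2.0.0/24"],
    "Spoke1": ["10.1.0.0/24"],
    "Spoke2": ["10.2.0.0/24"],
}
HUB = "Hub"
# Tunnels exist only between each spoke and the hub; there is no spoke-to-spoke tunnel.
TUNNELS = {frozenset({"Spoke1", HUB}), frozenset({"Spoke2", HUB})}
# Hub Access rules as (source, destination, action); first match wins.
RULES = [
    ("10.1.0.0/24", "10.2.0.99/32", "discard"),  # one host explicitly blocked
    ("10.1.0.0/24", "10.2.0.0/24",  "allow"),    # Spoke 1 -> Spoke 2
    ("10.2.0.0/24", "10.1.0.0/24",  "allow"),    # Spoke 2 -> Spoke 1
    ("0.0.0.0/0",   "0.0.0.0/0",    "discard"),  # everything else
]

def owner(ip):
    """Gateway whose Site contains ip; spokes are checked before the hub because
    the hub's Site deliberately also lists the spoke networks."""
    addr = ip_address(ip)
    for gw in sorted(SITES, key=lambda g: g == HUB):  # hub sorts last
        if any(addr in ip_network(n) for n in SITES[gw]):
            return gw
    return None

def rule_allows(src, dst):
    """Evaluate the hub's Access rules for one flow; the first matching rule decides."""
    s_addr, d_addr = ip_address(src), ip_address(dst)
    for s, d, action in RULES:
        if s_addr in ip_network(s) and d_addr in ip_network(d):
            return action == "allow"
    return False  # no matching rule: not allowed

def vpn_path(src, dst):
    """Gateways a packet traverses, or None if the VPN hub does not carry it:
    local traffic, unknown network, missing tunnel, or a discarding rule."""
    src_gw, dst_gw = owner(src), owner(dst)
    if src_gw is None or dst_gw is None or src_gw == dst_gw:
        return None
    if frozenset({src_gw, dst_gw}) in TUNNELS:
        return [src_gw, dst_gw]  # direct tunnel; the hub is an endpoint, not a forwarder
    # No direct tunnel: the spoke sends to the hub, whose Site advertises dst,
    # and the hub forwards into the other tunnel only if an Access rule allows it.
    if frozenset({src_gw, HUB}) not in TUNNELS or frozenset({HUB, dst_gw}) not in TUNNELS:
        return None
    return [src_gw, HUB, dst_gw] if rule_allows(src, dst) else None
```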
The configuration consists of the following general steps:
- Create a Policy-Based VPN element.
- Create a Site element for the hub gateway.
- Create Access rules.
Begin by creating a Policy-Based VPN element.