Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
iskandar_lie
Staff
Staff

Created on ‎10-11-2022 12:57 PM Edited on ‎09-08-2025 01:20 AM By Community Manager

Article Id 226388

Technical Tip: Implement Hub and Spoke ADVPN – using IPsec wizard

Description This article describes how to implement Hub and Spoke ADVPN – using IPSec wizard.
Scope

FortiGate v. 7.2.1

Scenario:

  1. HUB and Spoke IPSec topology.
  2. Spoke client must be able to communicate with another spoke client directly when an on-demand tunnel is created (ADVPN feature).
  3. BGP is the overlay routing protocol.
Solution

Diagram:

iskandar_lie_0-1665512880153.png

 

Note:

 

FortiGate Hub and Spoke IPSec Wizard is using BGP as overlay protocol and ADVPN feature:

  1. Routing protocol - BGP .
  2. Firewall Policy.
  3. IPSec interface address.
  4. Address object.

 

Let's start witthe h HUB node:

 

iskandar_lie_1-1665512951338.png

 

The incoming interface is the outgoing physical interface for the IPSec interface.

 

iskandar_lie_2-1665512975627.png

 

Tunnel IP is our IPSec interface address ( 10.10.10.1 )

Remote IP/Netmask – is a dummy ip address within the same subnet (10.10.10.254/24)

 

iskandar_lie_3-1665512999099.png

 

Local AS – can be anything, refer to BGP routing protocol (in this case use private AS 65000 and IBGP configuration).

Local Interface – is an interface where local subnet is connected.

Local subnet is meant to be able to communicate via BGP protocol.

Spoke type can be 'range' or 'individual'

For range – refer to https://docs.fortinet.com/document/fortigate/6.0.0/handbook/190962/bgp.

In this case individual is used, where spokeA – 10.10.10.2 and spokeB – 10.10.10.3 are defined.

 

iskandar_lie_4-1665513043795.png

 

This is the last step of creating HUB IPsec. Copy configuration key available for Spoke #1 – SpokeA and Spoke #2 – SpokeB 

 

iskandar_lie_5-1665513089710.png

 

Copy configuration key on notepad.

 

iskandar_lie_6-1665513128712.png

 

Let's start creating the IPSec on SpokeA. Paste the configuration key that was copied in last step of HUB config, on 'easy configuration key' and select apply. 

 

iskandar_lie_8-1665513215236.png

 

Remote IP Address -- IP address of HUB (192.168.12.2) 

Outgoing interface -- is underlay physical interface for this IPSec (port6)

Pre-shared key -- fill out with the same Pre-shared key as HUB.

 

iskandar_lie_10-1665513411323.png

 

Tunnel IP is IPSec interface address ( 10.10.10.2 )

Remote IP/Netmask – is HUB tunnel ip address. ( 10.10.10.1 )

 

iskandar_lie_11-1665513433187.png

 

Local Interface – is an interface where local subnet is connected. This local subnet is meant to be able to communicate via BGP protocol.

Local subnet is meant to be able to communicate via BGP protocol.

 

iskandar_lie_12-1665513451462.png

 

Last step of SpokeA configuration.

 

iskandar_lie_13-1665513471256.png

 

Since the configuration step on SpokeB will be similar to SpokeA – follow the same step as SpokeA.

On on-demand tunnel is created whenever the traffic is initiated – when there is no traffic for some period of time, this on demand tunnel will be torn down.

 

iskandar_lie_14-1665513549806.png

 

Conclusion:

  1. This wizard is suitable for new implementation with 2 spokes and 1 hub.
  2. This wizard is also suitable for a beginner; it will do everything required to create a Hub and Spoke ADVPN, together with the BGP routing protocol and firewall policy.  

 

Note:

The attached files are the config created by this IPSec wizard, and 'routing and IPSec information'.

 

Related article:

Technical Tip: ADVPN Spoke to Spoke traffic when HUB is down
Preview file
10 KB
Preview file
5 KB
6376
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.