Case no. 2: all traffic via IPSec tunnels

Configuring the central Hub site

Defining IPSec peers

Following the method described in the paragraph Configuring the Hub site / Defining IPSec peers in Case no. 1, create both peers Site_Spoke_A and Site_Spoke_B.

To define Site_Spoke_A, use the following values:

  • remote gateway: IPS-Firewall of the Spoke A site (object Pub_FW_Spoke_A),
  • certificate: the certificate of the Hub IPS-Firewall.

To define Site_Spoke_B:

  • remote gateway: IPS-Firewall of the Spoke B site (object Pub_FW_Spoke_B),
  • certificate: the certificate of the Hub IPS-Firewall.

Creating tunnels

Follow the method described in the paragraph Configuring the Hub site / Creating tunnels in Case no. 1 to define the following VPN tunnels:

Filter rules

Define the filter rules needed for exchanges between Spoke sites, Spoke sites and the Hub as well as local traffic to the Internet:

NAT rule

To allow all hosts on private networks to access the internet, create the following NAT rule:


Sources are listed individually in this rule, but object groups will have to be used once the number of satellite sites grows.

Configuring the satellite sites Spoke A and Spoke B

Defining the IPSec peer

Spoke A site

Following the method described in the paragraph Configuring the Hub site / Defining IPSec peers in Case no. 1, create the peer Site_FW_Hub using the following values:

  • remote gateway: IPS-Firewall of the Hub (object Pub_FW_Hub),
  • certificate: the certificate of the Spoke A IPS-Firewall.

Spoke B site

Following the method described in the paragraph Configuring the Hub site / Defining IPSec peers in Case no. 1, create the peer Site_FW_Hub using the following values:

  • remote gateway: IPS-Firewall of the Hub (object Pub_FW_Hub),
  • certificate: the certificate of the Spoke B IPS-Firewall.

Creating tunnels

Spoke A site

Follow the method described in the paragraph Configuring the Hub site / Creating tunnels in Case no. 1 to define the following VPN tunnel:

Spoke B site

Follow the method described in the paragraph Configuring the Hub site / Creating tunnels in Case no. 1 to define the following VPN tunnel:

Filter rules

In this tutorial, traffic between private networks is deliberately left unrestricted (destination port: ANY). To optimize performance (save bandwidth and firewall resources), refine the filter on the satellite sites (authorized protocols, ports, etc.) so that unnecessary packets are not sent through the tunnels. The same refinement applies to the filter policy on the Hub site.

Spoke A site

Define the filter rules needed for exchanges between Spoke A and Spoke B, Spoke A and the Hub as well as local traffic to the Internet (centralized on the Hub):


Spoke B site

Define the filter rules needed for exchanges between Spoke B and Spoke A, Spoke B and the Hub as well as local traffic to the Internet (centralized on the Hub):
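The design above relies on three things agreeing with each other: each spoke's single "all traffic" tunnel to the Hub, the Hub's tunnel selectors (wide enough to relay spoke-to-spoke traffic and to carry Internet-bound traffic), and the Hub's NAT rule. The following script is an added example, not part of the tutorial or of any firewall product: it models the selectors with constructed private networks (the tutorial's own networks are not shown on this page) and traces a flow from a spoke host to check that every hop has a matching tunnel, and that Internet-bound traffic is covered by the Hub's NAT rule.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: the tutorial's actual networks are not on the page.
NET = {"Hub": ip_network("10.0.0.0/24"), "Spoke_A": ip_network("10.0.1.0/24"),
       "Spoke_B": ip_network("10.0.2.0/24")}
ANY = ip_network("0.0.0.0/0")

# Tunnel traffic selectors per site, as (local_net, remote_net, peer).
# Each spoke has one tunnel carrying all traffic (remote = ANY) to the Hub; the
# Hub has one tunnel per spoke with local = ANY, so it can relay spoke-to-spoke
# traffic and forward Internet-bound traffic.
TUNNELS = {
    "Hub": [(ANY, NET["Spoke_A"], "Site_Spoke_A"), (ANY, NET["Spoke_B"], "Site_Spoke_B")],
    "Spoke_A": [(NET["Spoke_A"], ANY, "Site_FW_Hub")],
    "Spoke_B": [(NET["Spoke_B"], ANY, "Site_FW_Hub")],
}
# Sources matched by the Hub's NAT rule towards the Internet.
NAT_SOURCES = [NET["Hub"], NET["Spoke_A"], NET["Spoke_B"]]

def outbound_peer(site, src, dst):
    """Peer of the first tunnel at `site` whose selector covers src->dst, else None."""
    return next((p for loc, rem, p in TUNNELS[site] if src in loc and dst in rem), None)

def inbound_ok(site, src, dst):
    """True if a tunnel at `site` accepts decapsulated src->dst (selector read in reverse)."""
    return any(src in rem and dst in loc for loc, rem, _ in TUNNELS[site])

def trace(spoke, src, dst):
    """Follow a flow from a spoke host through the Hub.
    Returns the tunnel hops plus the Hub's egress ("local", "nat" or "tunnel:<peer>");
    raises ValueError where a selector or the NAT rule is missing."""
    src, dst = ip_address(src), ip_address(dst)
    peer = outbound_peer(spoke, src, dst)
    if peer is None or not inbound_ok("Hub", src, dst):
        raise ValueError(f"{spoke}->Hub: no tunnel for {src}->{dst}")
    hops = [f"tunnel:{peer}"]
    if dst in NET["Hub"]:
        return hops + ["local"]
    for site, net in NET.items():
        if site != "Hub" and dst in net:  # spoke-to-spoke, relayed by the Hub
            peer = outbound_peer("Hub", src, dst)
            if peer is None or not inbound_ok(site, src, dst):
                raise ValueError(f"Hub->{site}: no tunnel for {src}->{dst}")
            return hops + [f"tunnel:{peer}"]
    if not any(src in n for n in NAT_SOURCES):  # Internet: must be masqueraded on the Hub
        raise ValueError(f"Hub NAT rule does not cover {src}")
    return hops + ["nat"]

if __name__ == "__main__":
    print(trace("Spoke_A", "10.0.1.10", "10.0.2.20"))  # ['tunnel:Site_FW_Hub', 'tunnel:Site_Spoke_B']
    print(trace("Spoke_B", "10.0.2.20", "203.0.113.5"))  # ['tunnel:Site_FW_Hub', 'nat']
```

Narrowing a selector (for instance dropping ANY on the Hub side) or removing a spoke from NAT_SOURCES makes trace() raise, which is the quickest way to see which site's configuration breaks a given flow.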