This article describes how to troubleshoot the Hub option being greyed out in the IPsec tunnel wizard.
Scope
FortiGate.
Solution
When creating an ADVPN IPsec tunnel from the IPsec wizard, the Hub role is greyed out.
The same device cannot be configured as both a Hub and a Spoke, so when the FortiGate is already configured as a Spoke, the Hub option is greyed out in the FortiGate wizard.
To check whether the device is configured as a Spoke, run the following command:
sh vpn ipsec phase1-int | grep -B10 auto-discovery-receiver
Example:
The tunnel named test is configured as a Spoke here:
Home-FGT (root) # sh vpn ipsec phase1-int | grep -B10 auto-discovery-receiver
    next
    edit "test"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set comments "VPN: test (Created by VPN wizard)"
        set wizard-type spoke-fortigate-auto-discovery
        set auto-discovery-receiver enable
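An added example, not from the original article or from Fortinet: a Python parser for saved output of the phase1-interface listing that reports Spoke tunnels by name, since a fixed grep -B10 window can cut off the edit line when more than ten lines precede the match. The sample configuration, the tunnel name branch-static and the function names are constructed for illustration.

```python
import re

# Constructed sample of phase1-interface output (not from a real device).
SAMPLE = '''\
config vpn ipsec phase1-interface
    edit "test"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set comments "VPN: test (Created by VPN wizard)"
        set wizard-type spoke-fortigate-auto-discovery
        set auto-discovery-receiver enable
    next
    edit "branch-static"
        set interface "wan2"
        set peertype any
        set proposal aes256-sha256
    next
end
'''

def parse_phase1(text):
    """Return {tunnel_name: {setting: value}} from phase1-interface output."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
        elif line == "next":
            current = None  # end of this tunnel's block
        elif current is not None and line.startswith("set "):
            parts = line.split(None, 2)  # "set", key, rest of line as value
            if len(parts) == 3:
                current[parts[1]] = parts[2]
    return tunnels

def spoke_tunnels(text):
    """Names of tunnels with auto-discovery-receiver enabled (Spoke role)."""
    return [name for name, cfg in parse_phase1(text).items()
            if cfg.get("auto-discovery-receiver") == "enable"]

if __name__ == "__main__":
    for name in spoke_tunnels(SAMPLE):
        print(f"Spoke tunnel found: {name}")
```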