Skip to main content
AndreasMaier
AndreasMaier
New Member
December 5, 2017
Question

Hub and Spoke - I don´t get it

  • December 5, 2017
  • 1 reply
  • 6310 views

Hi everybody,

 

I have big problems in understanding hub and spoke VPN.

The Hub i a FGT 60C with OS 5.2 Patch 11

The Spokes are two third-party Routers (AVM Fritzbox 4020, german manufacturer) as dialup-IPSEC-connections

 

What i have is:

two route-based IPSEC-Tunnels from the Fortigate to those two routers.

I can ping from the Network behind the hub to the Network behind each spoke and from each Network behind the spoke the the Network behind the hub

 

so far, so good but i am unable to get a ping from spoke to spoke. What I tried:

 

- create a Zone containing both spoke ipsec Interfaces and disable "block intra-Zone-traffic"

- create a Zone containing both spoke ipsec Interface, leave "block intra-Zone-traffic" and create a policy from Zone to Zone  always all accept, NAT enabled

- create each pair of security policies spoke1 to spoke2 spokelan1 to spokelan2 akways all accept, NAT enbaled

 

whatever I´m trying, i can´t get this working

 

When i trace data package from spoke1 lan Client to spoke2 it Ends at the spoke1 router, so i assume the packet is being transfered into the tunnel

 

Any good advice?

 

Regards

 

Andreas Maier

    1 reply

    MasterBratac
    MasterBratac
    New Member
    December 5, 2017

    Hi,

     

    I'm also from germany, and I know FritzBoxes ...

    Did you set up the route to the other spokes lan to point at the ipsec tunnel in each spoke?

    See: https://avm.de/service/fr...r-FRITZ-Box-zugreifen/

    emnoc
    emnoc
    New Member
    December 5, 2017

    I would do the following, 

     

    1> cli diag debug flow

     

     

    2 >monitor the route table for the  SRC/DST ( the diag debug flow will show what matched or dropped )

     

    3> check fwpolicy( the diag debug flow would show what's match if any )

     

    4>check the phase2 SA for the spoke1 to hub and spoke2 for the interesting traffic between the SRC/DST

     

    AndreasMaier
    AndreasMaierAuthor
    New Member
    December 6, 2017

    Hi together,

     

    yes, i configured the Fritzboxes following that article you mentioned.

     

    Diag debug flow shows me this:

     

    FGT60C-# id=20085 trace_id=5 func=print_pkt_detail line=4479 msg="vd-root received a packet(proto=1, 192.168.124.101:1->192.168.121.11:8) from FritzBox4_0 . code=8, type=0, id=1, seq=13." id=20085 trace_id=5 func=resolve_ip_tuple_fast line=4542 msg="Find an existing s ession, id-0002bf59, original direction" id=20085 trace_id=5 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec inte rface-FritzBox1_0" id=20085 trace_id=5 func=ipsec_common_output4 line=625 msg="No matching IPsec se lector, drop" id=20085 trace_id=6 func=print_pkt_detail line=4479 msg="vd-root received a pack et(proto=1, 192.168.124.101:1->192.168.121.11:8) from FritzBox4_0. code=8, type= 0, id=1, seq=14." id=20085 trace_id=6 func=resolve_ip_tuple_fast line=4542 msg="Find an existing s ession, id-0002bf59, original direction" id=20085 trace_id=6 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec inte rface-FritzBox1_0" id=20085 trace_id=6 func=ipsec_common_output4 line=625 msg="No matching IPsec se lector, drop"

     

    As far as i can see my traffic wants to be routet to the right interface (192.168.121.0 is behind FritzBox1 and 192.168.124.0 is behind Fritzbox4) but then dropped because of "No matching IPsec se lector" but why?

    Terms & ConditionsAccessibility statement