Bobaker
New Member
July 3, 2025
Solved

IPsec tunnels config

  • July 3, 2025
  • 3 replies
  • 915 views

Hello, this might sound a little stupid, but pardon me, I'm a newbie.

I have 6 sites, A, B, C... I created an IPsec tunnel from A to B; B is already tunneling to the remaining sites. My question is: can I create a policy or routes, or even configure the existing tunnels, to redirect traffic or reach the VLANs on the remaining sites behind B, without needing to create an IPsec tunnel to each site individually from A?

I have more upcoming FortiGates to configure, and if there's a way to do this, it will make my life way easier, as there's a ton of config to do other than firewall things.

Thanks
Best answer by funkylicious

3 replies

funkylicious
SuperUser
July 3, 2025

Hi,

Depending on who needs to communicate with whom, you have some options.

If all sites need to connect to site-A, then you can configure something like this, https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-FortiGate-as-IPsec-VPN-Dial-Up/ta-p/197552, where site-A is the pseudo-hub and the rest are pseudo-spokes.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dialup-VPN-Configuration-Between-Two-FortiGates/ta-p/197667

"jack of all trades, master of none"
Bobaker (Author)
New Member
July 3, 2025

Sorry, I might not have been clear in my post. Site B is the data center (if you may) for sites C, D, E and F, where there's a bunch of servers and other machines which these sites need (prod environment). They all have IPsec tunnels to the parent site B (way too many VLANs on each site and a complicated mess, which is not my config). Site A is my work site, where I already set up a tunnel to B for diagnostics and maintenance purposes. Now note that I cannot really change the config to follow your suggestions on the go, because, like I said, it's a prod environment. Additionally, those sites need nothing from A; it's my site A that needs to communicate with all those sites.

My issue is that I have 4 other networks exactly like this, where there's at least one parent site and two branch sites with IPsec tunnels to the parent.

I cannot really change the existing config on any of these networks, but I can create an IPsec tunnel to each one individually. Like I said, though, that's way too much work, and it would create an even bigger mess than there is already.

I will make a diagram tomorrow to give you a better perspective, as we're in different timezones.

Thank you for your help.

toshi-esumi
New Member
July 3, 2025

Just draw a diagram to come up with a reasonable physical topology with IPsec VPNs connecting all 6 locations together. As long as a location is not isolated, there is at least one path to get from "A" to "F". It doesn't have to be meshed.
However, I recommend that all locations have routes to get to all other locations; then you can limit/manipulate access, e.g. per local VLAN, by policies. That's how it would work if you use routing protocols like OSPF or BGP. Static routes require much more work to set up and maintain the network with 6 locations, unless there are only one or two HUB locations and the others connect only to the HUB(s).

Toshi
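What the replies above describe, B acting as a hub and A reaching the spoke VLANs over its single tunnel to B with static routes and a tunnel-to-tunnel policy on B, as a worked FortiOS CLI example. This is an added example, not config posted in the thread and not from the linked Fortinet articles. Everything concrete in it is an assumption: the subnets (site A 10.1.0.0/16 with a management net 10.1.10.0/24, site B 10.2.0.0/16, sites C to F 10.3.0.0/16 to 10.6.0.0/16), the tunnel interface names (toA, toB, toC ...), the LAN interface name internal, the address object siteA-mgmt and the policy/route IDs, which must be free on each box. The `#` lines are annotations, not CLI; strip them before pasting.

```fortios
# Address object referenced below; create it on A, on B and on every spoke.
config firewall address
    edit "siteA-mgmt"
        set subnet 10.1.10.0 255.255.255.0
    next
end

# ---- Site A: one tunnel (toB); every remote subnet is routed into it ----
config vpn ipsec phase2-interface
    edit "toB-p2"
        set phase1name "toB"
        # Selectors must cover the spoke subnets or no SA matches 10.3.x traffic.
        # 0/0 at both ends (mirror this in toA-p2 on B) lets routing decide what is sent.
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config router static
    edit 10
        set dst 10.0.0.0 255.0.0.0   # B plus all spokes; A's own /16 is connected, so more specific
        set device "toB"
    next
end
config firewall policy
    edit 20
        set name "mgmt-to-remote-sites"
        set srcintf "internal"
        set dstintf "toB"
        set srcaddr "siteA-mgmt"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---- Site B (hub): route back to A, transit policy, wider selectors on the spoke tunnels ----
config vpn ipsec phase2-interface
    edit "toC-p2"
        set phase1name "toC"
        set src-subnet 10.0.0.0 255.0.0.0    # was 10.2.0.0/16; must now include site A
        set dst-subnet 10.3.0.0 255.255.0.0
    next
    # same widening for toD-p2, toE-p2 and toF-p2
end
config router static
    edit 11
        set dst 10.1.0.0 255.255.0.0
        set device "toA"
    next
    edit 13
        set dst 10.3.0.0 255.255.0.0
        set device "toC"
    next
    # one entry per spoke: 10.4/16 -> toD, 10.5/16 -> toE, 10.6/16 -> toF
end
config firewall policy
    edit 30
        set name "siteA-transit-to-spokes"
        set srcintf "toA"
        set dstintf "toC" "toD" "toE" "toF"   # tunnel-to-tunnel hop that no existing policy permits
        set srcaddr "siteA-mgmt"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# ---- Each spoke (C shown): needed only where the existing tunnel to B does not already
# cover site A. With 0/0 selectors, a default route via toB and an inbound policy that
# is not limited to B's subnet, the spoke stays untouched.
config vpn ipsec phase2-interface
    edit "toB-p2"
        set phase1name "toB"
        set src-subnet 10.3.0.0 255.255.0.0
        set dst-subnet 10.0.0.0 255.0.0.0    # matches the hub's widened toC-p2
    next
end
config router static
    edit 12
        set dst 10.1.0.0 255.255.0.0
        set device "toB"
    next
end
config firewall policy
    edit 40
        set name "siteA-mgmt-in"
        set srcintf "toB"
        set dstintf "internal"
        set srcaddr "siteA-mgmt"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Three things decide whether A's packets actually arrive: a route on every hop (A to toB, B to toC, and the return 10.1.0.0/16 on B and on the spoke), phase2 selectors on both ends of each tunnel that contain both the 10.1.x source and the spoke destination, and one policy per hop, with B's toA-to-spoke policy being the only one an existing hub-and-spoke deployment will not already have. Widening a selector renegotiates that phase2 SA, so do it per spoke in a window; afterwards `diagnose vpn tunnel list` shows the new selectors and `get router info routing-table all` the routes. The spoke section is exactly the prod-side change the question hopes to avoid, and it is only avoidable if those spokes were built with 0/0 selectors and a default route to the hub, which is why the dial-up hub-and-spoke design in the best answer is worth adopting for the networks that are still to be built.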
 

VinayHM
Staff
July 4, 2025

Please check hub-and-spoke topology, or FortiGates as dial-up VPN, if the servers are located on one site.