JaniH
New Member
April 17, 2018
Question

Policy based VPN's and IPSec Concentrator

  • April 17, 2018
  • 1 reply
  • 6869 views

Hi,

We have four different sites that need network traffic to go from one site to the others, and if I have understood correctly the IPsec concentrator is the thing I need. The sites connect to the HQ main FW with policy-based IPsec tunnels and I have added the sites within the same concentrator, but the traffic is going from one site to another.

What am I missing here? Do I need to configure ADVPN or something else in the policies, phase 1 or phase 2 configurations? Or is my approach all wrong? Traffic doesn't need to go straight from site to site; it can go through HQ's main firewall.

KR,

Jani


    romanr
    New Member
    April 17, 2018

    Hi,

    Policy-based VPNs and the VPN concentrator are quite a bit outdated.

    ADVPN is great, but I guess in your environment it might be real overkill.

    For an easy setup, in my opinion you should:

    - Create interface-based VPN tunnels
    - Put all VPN tunnels on the headquarters side into a zone (allow intrazone traffic!) (Actually one should always use zones ;) )
    - Set up routing accordingly
    -> So all subsidiaries need to have all the other subnets pointing to headquarters.

    That's it.

    Br,

    Roman

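The three steps in the reply above, written out as an added FortiOS CLI example by the editor (not Roman's configuration and not taken from Fortinet documentation). Everything named here is an assumption: FortiOS 6.x interface-mode IPsec syntax, "wan1" as the Internet port and "internal" as the LAN port, HQ LAN 10.0.0.0/24, spoke LANs 10.10.<n>.0/24, the documentation-range address 203.0.113.1 for the hub, and placeholder pre-shared keys. Because the sites have dynamic public addresses (as the question states), the hub side uses one dialup phase1 per site pinned to that site's peer ID instead of a static remote gateway.

```fortios
# --- Hub (HQ FortiGate) ---
# Assumed names: wan1 = Internet port, internal = HQ LAN (10.0.0.0/24),
# spoke LANs = 10.10.<n>.0/24. Spokes have dynamic public IPs, so the hub
# side is a dialup phase1 that accepts exactly one peer ID per site.
config vpn ipsec phase1-interface
    edit "site1"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set peerid "site1"          # must match "localid" on the spoke
        set net-device disable      # one routable tunnel interface per phase1
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE-ME-site1"   # unique secret per site (assumed placeholder)
    next
end
config vpn ipsec phase2-interface
    edit "site1-p2"
        set phase1name "site1"
        set proposal aes256gcm
        set dhgrp 14
        set pfs enable
        set src-subnet 0.0.0.0 0.0.0.0   # route-based: wildcard selectors,
        set dst-subnet 0.0.0.0 0.0.0.0   # the routing table decides what is tunnelled
    next
end
# ... repeat the two stanzas above for site2, site3 and site4

# Step 2: one zone holding every spoke tunnel, intrazone traffic allowed,
# so spoke-to-spoke traffic hairpins through the hub with no extra policy.
config system zone
    edit "vpn-spokes"
        set intrazone allow
        set interface "site1" "site2" "site3" "site4"
    next
end

# Step 3 (hub side): one static route per spoke LAN into its tunnel interface.
config router static
    edit 11
        set dst 10.10.1.0 255.255.255.0
        set device "site1"
    next
    edit 12
        set dst 10.10.2.0 255.255.255.0
        set device "site2"
    next
    # ... 13 and 14 for site3 and site4
end

# Spokes still need an explicit policy to reach the HQ LAN (and back).
config firewall policy
    edit 100
        set name "spokes-to-hq"
        set srcintf "vpn-spokes"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# --- Spoke (site1 FortiGate) --- 203.0.113.1 is an assumed hub address.
config vpn ipsec phase1-interface
    edit "to-hq"
        set type static
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.1
        set localid "site1"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE-ME-site1"
    next
end
config vpn ipsec phase2-interface
    edit "to-hq-p2"
        set phase1name "to-hq"
        set proposal aes256gcm
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable   # keep the tunnel up; HQ cannot dial a dynamic IP
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# Step 3 (spoke side): the HQ LAN and every other site's LAN are all behind HQ,
# so a single summary route covers them.
config router static
    edit 1
        set dst 10.0.0.0 255.0.0.0
        set device "to-hq"
    next
end
```

Two points a practitioner should weigh before copying this. `set intrazone allow` means spoke-to-spoke traffic matches no firewall policy at all, so it is neither logged nor inspected; if you want visibility into that traffic, set `intrazone deny` and add an explicit `vpn-spokes` to `vpn-spokes` accept policy with logging instead. And keep one pre-shared key per peer ID: with `peertype one` the peer ID is what selects the phase1, so a shared key would let any one site impersonate another. The spoke additionally needs the usual `internal` to `to-hq` and `to-hq` to `internal` policies (same shape as policy 100 above). After committing, `get vpn ipsec tunnel summary` on the hub should list all four tunnels up, and `get router info routing-table all` should show each 10.10.<n>.0/24 route pointing at its tunnel interface; the phone system's site-to-site calls will then traverse HQ, which the question says is acceptable.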

    JaniH (Author)
    New Member
    April 17, 2018

    Hi Roman.

    I think that too, but the documentation regarding the concentrator isn't that clear about what it requires to work.

    This is one possibility, but I'm not sure whether it is the right way to go with this setup, as it is up and running and the whole setup contains 40 different sites, so in the future it's possible that all of these sites will need site-to-site traffic. Also, most of the sites have mobile routers and dynamic external IPs (the sites are really small, but a VPN client connection isn't a possibility).

    This configuration is needed as the phone system requires internal calls to go p2p from client to client.

    Br,

    Jani

    romanr
    New Member
    April 18, 2018

    Hi,

    Policy-based VPNs are from earlier Fortinet days. They are not used anymore for new deployments, so I think all the documentation you found about it will target FortiOS versions before 5 (or mainly before 4).

    ADVPN requires dynamic routing via iBGP and a more complex setup - a lot of work via the command line. And also troubleshooting won't be more complex. So you should really know what you are doing when you go that way.

    Br,
    Roman