asgspl
New Member
February 21, 2017
Question

Site-to-Site IPSEC extended star topology.

  • February 21, 2017
  • 1 reply
  • 4252 views

Hi guys,

I've got an existing extended-star VPN topology that is working fine. All site-to-site, all static IPs, quite a few subnets behind each FortiGate box, and all static routing.

I have 2 questions:

1. Once the VPN interface is created, which can be seen listed under the WAN interface, I can edit each one, and I'm trying to understand how to use the addressing mode: local IP and remote IP, which I presume are the VPN interfaces' IPs.
2. The second question is related to the first one: I'm trying to prepare my network for OSPF routing, since I have to add quite a lot of static routes (4-6 subnets per location), and I think those VPN interfaces need an IP address when I do the OSPF config. Am I right?

Cheers,

Tony


Toshi_Esumi
SuperUser
February 21, 2017

Yes, that would be the normal way of setting up any routing protocol over VPN.

asgspl (Author)
New Member
February 21, 2017
Thank you for your reply. I still have a question, though. How do I choose the IPs to configure on the IPsec tunnel interface? I presume the same pair will be configured on the other side of the tunnel, but reversed. Do the IPsec interface IPs (local and remote) need to be in any relationship with my routed subnets? Once I add the IPs on the interface, do I need extra policies to allow traffic, or just routing? I know, a lot of questions. :) Cheers, Tony
Toshi_Esumi
SuperUser
February 21, 2017

As long as it doesn't conflict with any other interfaces and routes, it can be anything. We regularly use a unique /32. And both local and remote /32s show up in the routing table as "connected".
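A worked hub-side configuration that puts the two answers above together: a unique /32 on each end of an interface-mode tunnel, the tunnel run as an OSPF point-to-point link, and the firewall policies that the thread asks about but never answers (forwarded traffic between the tunnel interface and the LAN still needs policies; the OSPF exchange itself terminates on the FortiGate and is not subject to those forwarding policies). This is an added example, not configuration from the thread or from Fortinet. Assumptions: the hub's WAN port is "wan1" and LAN port is "internal", the spoke's public address is 203.0.113.20, hub LAN is 192.168.10.0/24 and spoke LAN is 192.168.20.0/24, and the tunnel /32s are 10.255.0.1 (hub) and 10.255.0.2 (spoke). The spoke mirrors this with the local and remote values swapped. The `remote-ip` syntax differs by FortiOS release (5.x takes the address alone, 6.x and later also take a netmask); OSPF authentication is left out because its CLI also changed across releases, but enable it before production.

```fortios
# Added example: hub side of one spoke tunnel. Addresses and interface names
# are assumptions for illustration, not values from the thread.

# 1. Interface-mode phase 1. The phase1 name becomes the tunnel interface name.
config vpn ipsec phase1-interface
    edit "to-siteA"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.20
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "replace-with-a-long-random-psk"
    next
end

# 2. Phase 2 keeps the default 0.0.0.0/0 selectors so OSPF hellos and every
#    routed subnet fit the SA; the routing table, not the selector, decides
#    what enters the tunnel.
config vpn ipsec phase2-interface
    edit "to-siteA-p2"
        set phase1name "to-siteA"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
    next
end

# 3. Tunnel interface addressing: a unique /32 per end. The spoke sets
#    ip 10.255.0.2/32 and remote-ip 10.255.0.1. Both appear as "connected".
config system interface
    edit "to-siteA"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.255
        set allowaccess ping
    next
end

# 4. OSPF: tunnel as a point-to-point link in area 0, LAN advertised but
#    passive so no hellos are sent on the inside interface.
config router ospf
    set router-id 10.255.0.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ospf-to-siteA"
            set interface "to-siteA"
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.255.0.1 255.255.255.255
            set area 0.0.0.0
        next
        edit 2
            set prefix 192.168.10.0 255.255.255.0
            set area 0.0.0.0
        next
    end
    config passive-interface
        edit "internal"
        next
    end
end

# 5. Forwarding policies. Scope them to the two LANs rather than "all" so a
#    compromised spoke cannot reach hub-side networks it has no business on.
config firewall address
    edit "hub-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "siteA-lan"
        set subnet 192.168.20.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "siteA-to-hub-lan"
        set srcintf "to-siteA"
        set dstintf "internal"
        set srcaddr "siteA-lan"
        set dstaddr "hub-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "hub-lan-to-siteA"
        set srcintf "internal"
        set dstintf "to-siteA"
        set srcaddr "hub-lan"
        set dstaddr "siteA-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After both ends are configured, `get router info ospf neighbor` should show the spoke's router ID in FULL state on interface "to-siteA", and `get router info routing-table all` should list 10.255.0.2/32 as connected and the spoke's LAN as an OSPF route via the tunnel interface. If the neighbour stays in INIT or EXSTART, check that both ends agree on point-to-point network type and that the phase 2 selectors are still 0.0.0.0/0.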