Question: Spoke to spoke communication

Silver (New Member), March 6, 2013
3 replies, 5582 views
Dear all, I have set up a hub & spoke VPN and it is working fine. The only issue is that my two spokes cannot communicate with each other. I have tried several configs, still without success. I am using route-based policy. Can someone tell me what I need to do?

3 replies

ede_pfau (SuperUser), March 6, 2013
If you use route-based IPsec VPN then you have created one virtual interface per phase1 definition. These interfaces work like any other interface or port. In particular, traffic between interfaces can only flow if there is a policy for that interface pair allowing the traffic. So, connect the two spoke VPN interfaces with a new policy and allow specific services.
Silver (Author, New Member), March 7, 2013
Hello, thank you for replying. You mean, for example, on spoke 1 I need to create a phase2 attached to the same phase1, and the same for spoke 2, then create a policy for spoke 1 to spoke 2, right? What about routing: do I need to add a route on both spokes? Finally, what additional configuration do I need to do on the hub firewall? Can you guide me step by step please? I will appreciate your help. Thanks
ede_pfau (SuperUser), March 7, 2013
Usually you create one phase1 and one phase2 for each VPN. The phase1 carries the remote gateway IP address, which often differs between VPNs. Only if you have multiple subnets behind the remote gateway would you create multiple phase2 definitions under one phase1, one for each subnet. Anyway, even then you get only one virtual interface per VPN.

If you see the VPN interface like any other port (= physical interface) you know what to do:

- allow traffic between two interfaces by creating a policy with action ACCEPT
- allow routing to a remote subnet behind an interface by creating a static route

That's all if you have few VPNs (like, 2 or 3). With n spokes you have to create n (or more) static routes and n*n-n policies. For n greater than 3 this becomes tedious. You create a zone in this case (System>Network>Zone) with all spoke interfaces as members, and allow 'intra-zone traffic'. The zone will represent all VPN interfaces in the policy:

create policy
source interface: internal
dest interface: myzone
service:
schedule:
action: ACCEPT

So to allow traffic to ALL remote subnets and between ALL spoke subnets you only need one single policy.

Have a look for yourself, and get the 'FortiOS Handbook' for your version of FortiOS. A lot of examples, diagrams and good step-by-step explanations.
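The following CLI configuration is an added worked example of the hub-side setup described in the reply above; it is not part of the original thread or of any Fortinet documentation. It assumes FortiOS 5.0-era CLI syntax, two route-based tunnels on the hub whose virtual interfaces are named "spoke1-vpn" and "spoke2-vpn" (one per phase1), spoke LANs 192.168.1.0/24 and 192.168.2.0/24, and the hub LAN on the "internal" port. All names and subnets are assumptions chosen for illustration.

```fortios
# Hub FortiGate. Added example, not from the thread.
# Assumed: tunnel interfaces "spoke1-vpn" and "spoke2-vpn", spoke LANs
# 192.168.1.0/24 and 192.168.2.0/24, hub LAN on "internal".

config firewall address
    edit "spoke1-lan"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "spoke2-lan"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Static routes: each spoke LAN is reached through its own tunnel interface.
# "edit 0" lets FortiOS assign the next free entry number.
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "spoke1-vpn"
    next
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "spoke2-vpn"
    next
end

# Option A (few spokes): one ACCEPT policy per ordered interface pair,
# i.e. n*n-n policies for n spokes. Both directions are needed because a
# policy only matches traffic initiated from srcintf towards dstintf.
config firewall policy
    edit 0
        set srcintf "spoke1-vpn"
        set dstintf "spoke2-vpn"
        set srcaddr "spoke1-lan"
        set dstaddr "spoke2-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "spoke2-vpn"
        set dstintf "spoke1-vpn"
        set srcaddr "spoke2-lan"
        set dstaddr "spoke1-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Option B (many spokes): group all tunnel interfaces in a zone and allow
# intra-zone traffic. Remove any policies that reference the individual
# tunnel interfaces first; FortiOS will not add an interface to a zone
# while a policy still references it directly.
config system zone
    edit "spokes"
        set intrazone allow
        set interface "spoke1-vpn" "spoke2-vpn"
    next
end

# With the zone in place, spoke<->spoke traffic is covered by intrazone
# allow, and one policy per direction covers hub LAN <-> all spokes.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "spokes"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "spokes"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two practical checks. First, each spoke also needs a static route for the other spoke's subnet pointing at its own hub tunnel interface, plus policies between its LAN port and that tunnel interface, otherwise the spoke drops or misroutes the traffic before it ever reaches the hub. Second, if the phase2 (quick mode) selectors on hub or spokes are narrower than 0.0.0.0/0, the other spoke's subnet must be included in those selectors, or the packets will be forwarded by the hub but rejected by the tunnel. The "ALL" service in the example is deliberately broad so the path can be verified; narrow it to the specific services the spokes actually need once connectivity works, as the first reply suggests.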
Silver (Author, New Member), March 8, 2013

Spoke to spoke issue solved. Thanks.