Fortinet Forum
New Contributor

Communication between 2 branches through Head office VPN tunnel

We have one head office and 2 branches (for example A and B); all 3 locations have FortiGate firewalls.

Both branches are connected to the head office through site-to-site VPN (HO has a static public IP and the branches have dynamic IPs).

HO network subnet

Branch A subnet, branch B subnet

Both the A and B branch networks are able to communicate with the head office network, but the branches are not able to communicate with each other.

How can we establish communication between Branch A and Branch B through the head office VPN tunnel?

Esteemed Contributor II

It's called a "hub and spoke" VPN setup, which you can search for in the KB/Forum or on the internet.

Basically you need to take care of three things:

1) phase2 selector sets on both VPNs can carry traffic between 172.20 and 172.30

2) routes exist to reach the destination at the source FGT and HO FGT over the tunnel. This applies to the returning traffic as well.

3) policy sets at all/three FGTs allow traffic between 172.20 and 172.30 between incoming and outgoing interfaces.




Hi Toshi,

I have tried that. In the VPN phase 2 selectors on both branch FortiGate firewalls I added both the HO and branch networks under remote address (Branch A VPN - remote addrs: HO and Branch B subnets; Branch B VPN - remote addrs: HO and Branch A subnets). I also added a static route on both branch firewalls, with the HO and branch subnets as destination and the VPN tunnel as interface, and created the firewall policy on all 3 firewalls.

HO firewall: From: Branch A VPN tunnel (source all), To: Branch B VPN tunnel (destination all), and vice versa

Branch A FW: From: Branch A internal interface (source all), To: HO and Branch B VPN tunnel (destination all), and vice versa

Branch B FW: From: Branch B internal interface (source all), To: HO and Branch A VPN tunnel (destination all), and vice versa

But still no luck.

I am not able to communicate from Branch A to Branch B or vice versa.

Esteemed Contributor II

The explanation of policies doesn't sound right. Why does Branch-B VPN tunnel interface exist on Branch-A FW? It exists only at HO FW. Same goes with Branch-B FW's policy.


In any case, first you have to sniff traffic at the source, like Branch-A FGT when you send ping-packets out from the A FGT, to see if it actually goes in the tunnel interface.

If it does, next you need to sniff the same traffic at HO FGT to see if it comes in and is then sent into the Branch-B tunnel interface.

If that goes through but you don't see the ping responses coming back, you need to sniff it at B FGT to see if it comes out of the tunnel. And so on and on.

This is the way to narrow down where the breaking point is, or multiple breaking points are.


To be able to see all packets in your sniffing, you likely need to disable auto-asic-offload on the pair of policies not to let them go into NPU. It's available only in CLI "set auto-asic-offload disable".




Edit: If you ping from the FGT itself, not from a device connected to the FGT, you have to specify the source IP with the "exe ping-option source" command to have the intended source IP, such as A-FGT's LAN interface IP. Otherwise it would never match the phase2-selectors you specified.
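
The hop-by-hop check described in the replies above, written out as FortiOS CLI commands. This is an added example, not posted by anyone in the thread. The addresses (172.20.0.1 as A-FGT's LAN IP, 172.30.0.10 as a host in Branch B), the tunnel names (to-HO, to-BranchA, to-BranchB) and the policy ID 10 are assumptions to replace with your own values; the `#` lines are annotations.

```fortios
# --- Branch-A FGT ---
# Keep the test traffic out of the NPU so the sniffer can see it.
# Repeat for the reverse-direction policy (the "pair of policies").
config firewall policy
    edit 10
        set auto-asic-offload disable
    next
end

# Source the ping from the LAN IP so it matches the phase2 selector.
execute ping-options source 172.20.0.1
execute ping 172.30.0.10

# In a second CLI session. Verbosity 4 prints the interface name,
# so you can see whether the echo request leaves via to-HO.
diagnose sniffer packet any 'host 172.30.0.10 and icmp' 4 20

# --- HO FGT ---
# Expect each request twice: "to-BranchA in" and then "to-BranchB out".
# "in" without "out" points at a missing route or policy on HO.
diagnose sniffer packet any 'host 172.30.0.10 and icmp' 4 20

# Route lookup for both directions (forward and return traffic).
get router info routing-table details 172.30.0.10
get router info routing-table details 172.20.0.1

# Negotiated phase2 selectors on each tunnel (shown as proxyid src/dst).
diagnose vpn tunnel list name to-BranchA
diagnose vpn tunnel list name to-BranchB

# --- Branch-B FGT ---
# Expect the request "to-HO in" and the echo reply "to-HO out".
diagnose sniffer packet any 'host 172.20.0.1 and icmp' 4 20

# --- Afterwards, on every FGT where offload was disabled ---
config firewall policy
    edit 10
        set auto-asic-offload enable
    next
end
```

The first device where the packet appears "in" but never "out", or never appears at all, is the breaking point to check against the three items listed earlier: selectors, routes, policies.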