Fortinet Forum
New Contributor

How to allow access between remote IPSec endpoints?



I have a FortiGate at the main office, subnet

There are several hardware-based IPSec VPNs for remote locations:

Remote office 2, subnet

Remote office 3, subnet

Remote office 4, subnet

and so on.

The main office can reach each of the remote offices.

How can I allow each of the remote offices to reach each other?


Thank you,



New Contributor

two options:

Option one: configure IPsec connections from every office to every other office.

Option two: add all subnets to the IPsec phase 2 selectors of every tunnel, create routing entries in the remote offices for the destination subnets (the other remote offices) over the IPsec interface, and add the corresponding firewall rules on all FortiGates.



Thanks. Does anyone know of a guide for accomplishing this?

Esteemed Contributor III

The hub-and-spoke model is far less effort than a full mesh (any to any). The hub would be the company FGT, the spokes the remote offices.

Some tips:

- use wildcard selectors in phase 2, that is, '' for local and remote subnet. You can thus route several different subnets over the tunnel without touching the VPN config

- on the hub FGT, put all tunnel interfaces of the spokes into a zone. If you like, allow intra-zone traffic. For more control, define policies from zone to zone (same to same interface), and differentiate the remote sites by address.

- if one plans ahead, one would use one supernet for all remote offices (like so that only one route would need to be pointed at the VPN zone. Much the same effect can be obtained by using named objects in static routes, especially address groups.


Just remember:

- no traffic without explicit policy

- no traffic without valid routes on both sides


"Kernel panic: Aiee, killing interrupt handler!"
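For the hub-and-spoke setup the two answers above describe (wildcard phase 2 selectors, spoke tunnels grouped in a zone, a route per spoke subnet, and explicit policies), here is a FortiOS CLI example for the hub FortiGate. It is added here as an illustration and is not from the original thread or from Fortinet documentation. The tunnel names spoke2/spoke3/spoke4 and to-hub, the zone and object names, and the 10.x.0.0/24 subnets are made-up placeholders; the phase1-interface tunnels are assumed to already exist, as in the original question.

```fortios
# Added example (not from the thread): hub FortiGate, FortiOS CLI.
# Assumed placeholders: tunnels spoke2/spoke3/spoke4 already exist as
# phase1-interface objects; spoke LANs 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24.

# 1. Wildcard phase 2 selectors: one SA per tunnel carries any subnet,
#    so a new spoke LAN later needs only a route and a policy, not a VPN edit.
#    The peer must negotiate the same selectors or the SA will not come up.
config vpn ipsec phase2-interface
    edit "spoke2-p2"
        set phase1name "spoke2"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
    edit "spoke3-p2"
        set phase1name "spoke3"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
    edit "spoke4-p2"
        set phase1name "spoke4"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# 2. One address object per spoke LAN, grouped, so policies can be
#    restricted to known sites instead of "all".
config firewall address
    edit "net-spoke2"
        set subnet 10.2.0.0 255.255.255.0
    next
    edit "net-spoke3"
        set subnet 10.3.0.0 255.255.255.0
    next
    edit "net-spoke4"
        set subnet 10.4.0.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "grp-spokes"
        set member "net-spoke2" "net-spoke3" "net-spoke4"
    next
end

# 3. Routes: each spoke LAN is reached through its own tunnel interface
#    (a route's device is an interface, so one route per spoke is needed).
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "spoke2"
    next
    edit 0
        set dst 10.3.0.0 255.255.255.0
        set device "spoke3"
    next
    edit 0
        set dst 10.4.0.0 255.255.255.0
        set device "spoke4"
    next
end

# 4. Zone holding all spoke tunnels. intrazone deny keeps spoke-to-spoke
#    traffic subject to the explicit policy below.
config system zone
    edit "z-spokes"
        set intrazone deny
        set interface "spoke2" "spoke3" "spoke4"
    next
end

# 5. Same-zone policy for spoke-to-spoke traffic, limited to the spoke
#    subnets and logged.
config firewall policy
    edit 0
        set name "spoke-to-spoke"
        set srcintf "z-spokes"
        set dstintf "z-spokes"
        set srcaddr "grp-spokes"
        set dstaddr "grp-spokes"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 6. On each spoke (shown for spoke2, assuming it is also a FortiGate with a
#    tunnel named "to-hub"): routes to the other spokes' LANs through the hub
#    tunnel, plus a LAN<->tunnel policy for them (not shown; same shape as 5).
config router static
    edit 0
        set dst 10.3.0.0 255.255.255.0
        set device "to-hub"
    next
    edit 0
        set dst 10.4.0.0 255.255.255.0
        set device "to-hub"
    next
end
```

Two practical points when applying this: FortiOS will not add an interface to a zone while a firewall policy still references that interface directly, so any existing hub-to-spoke policies that name spoke2/spoke3/spoke4 must be rewritten against the zone first; and if the spokes are not FortiGates, the 0.0.0.0/0 selector still has to be accepted by the remote device, otherwise the phase 2 entries must list the specific subnets, as the earlier answer's option two describes.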