Westcana
New Contributor

How to route from branch office wifi network across site to site vpn to head office

I have a site-to-site VPN between the head office and the branch office that has been working flawlessly for over a year. We have FortiGate 50E's at both ends. The branch office has the built-in WiFi. At the branch office there is a WiFi network that has access to the wired network at that location. What I want to do is allow the WiFi network at the branch office to reach the wired network at the head office. So far I have created static routes on both ends pointing from the local subnet to the tunnel interface. I changed the phase 2 VPN tunnel config to allow the subnets at both ends to cross the tunnel. I created policy routes allowing the traffic from both subnets to cross the tunnel.

It is still not working and I'm stumped.

I'd appreciate any suggestions.  Thanks!

sw2090
Honored Contributor

I do it this way here:

S2S IPsec Phase 2 selectors are set to 0.0.0.0/0.0.0.0 on both sides.

Then Shop has a static route to our LAN (needed as reverse path).

HQ has a static route to each subnet we need to reach at the Shop.

Then both sides have policies to allow the required traffic to flow.

Of course that assumes that all subnets somehow can reach the FortiGate at Shop and vice versa.

Works fine here.

I use this way because I need to reach more than one subnet, and the subnets are too different to cover them with one subnet mask.

Using the P2 selectors in this case would limit you to one remote subnet and one local subnet.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

lobstercreed
Valued Contributor

You can use address groups for the phase 2 selectors to get around the single-subnet limitation. At least that's what I've built and am planning to test tomorrow for a new branch network design.
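The two approaches in the replies above, written out as FortiOS CLI for the branch-side FortiGate. This is an added example, not configuration from either poster or from Fortinet documentation. Every name and subnet in it is assumed for illustration: branch wired LAN 192.168.10.0/24, branch WiFi 192.168.20.0/24, HQ LAN 10.0.0.0/24, the tunnel interface is called "toHQ" (phase 1 name "toHQ"), and the built-in SSID's interface is called "wifi". Option A is sw2090's method (wide-open phase 2 selectors, with static routes deciding what enters the tunnel); Option B is lobstercreed's method (an address group as the phase 2 selector). Use one or the other, not both.

```fortios
# Branch FortiGate. All names and subnets below are assumptions for this example.

config firewall address
    edit "branch-wired"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "branch-wifi"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "hq-lan"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# Option A (sw2090): 0.0.0.0/0 selectors on both ends; routing decides what crosses.
config vpn ipsec phase2-interface
    edit "toHQ-p2"
        set phase1name "toHQ"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Option B (lobstercreed): an address group covering both branch subnets
# as the local selector, so more than one subnet fits in one phase 2.
config firewall addrgrp
    edit "branch-lans"
        set member "branch-wired" "branch-wifi"
    next
end
config vpn ipsec phase2-interface
    edit "toHQ-p2"
        set phase1name "toHQ"
        set src-addr-type name
        set src-name "branch-lans"
        set dst-addr-type name
        set dst-name "hq-lan"
    next
end

# Either option: send the HQ LAN into the tunnel interface.
config router static
    edit 0
        set dst 10.0.0.0 255.255.255.0
        set device "toHQ"
    next
end

# Either option: firewall policies in both directions between the SSID
# interface and the tunnel interface (without these, traffic is dropped
# even when the route and selectors are right).
config firewall policy
    edit 0
        set name "wifi-to-hq"
        set srcintf "wifi"
        set dstintf "toHQ"
        set srcaddr "branch-wifi"
        set dstaddr "hq-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "hq-to-wifi"
        set srcintf "toHQ"
        set dstintf "wifi"
        set srcaddr "hq-lan"
        set dstaddr "branch-wifi"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The HQ FortiGate needs the mirror image: a static route for 192.168.20.0/24 (and 192.168.10.0/24) via its own tunnel interface, policies between its LAN interface and the tunnel, and phase 2 selectors that match what the branch offers (0.0.0.0/0 on both ends for Option A; for Option B, its local selector is the HQ LAN and its remote selector is a group with the same two branch subnets). Selectors that do not match on both peers will not negotiate, which is the usual reason a newly added subnet still cannot cross an otherwise working tunnel.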
