AndreasMaier
New Contributor

Connect FortiAPs with Site-2-Site-VPN

Hi everybody,

 

I am trying to get the following setup to work, but I can't find a solution:

I have a FGT-60C in the headquarters and a FGT-60D in another office. Both are connected with a site-to-site VPN in interface mode.

I also have 3 FortiAP 14C units connected to the headquarters 60C via CAPWAP.

Is it possible to connect the FortiAPs with the existing site-to-site VPN? The remote offices (FortiAPs) should be able to reach the network behind the 60D unit.

 

Regards,

 

Andreas

3 REPLIES
Toshi_Esumi
Esteemed Contributor III

As long as routes & policies exist on both sides and are connected over the VPN tunnel, it should work. Not working?

AndreasMaier

I'm afraid it does not. But I guess missing routes and policies are the reason. I am not sure, though, which routes and policies have to be set.

I set up the site-to-site VPN with the wizard, so there are 2 policies, internal to IPsec tunnel interface and IPsec tunnel interface to internal, and a route forcing the remote office's LAN through the IPsec tunnel interface.

 

What policies and routes have to be added to connect the remote office to the FortiAPs and the APs to the remote office?

Toshi_Esumi
Esteemed Contributor III

The internal interface generally doesn't include the WiFi interface (associated with the SSID) unless you changed it from the default 60C config. Either you need to attach the WiFi interface to the existing policy, or create a zone that includes both and use it in the policy. Make sure your VPN config (IPsec phase2-interface) includes the WiFi subnets in the networks on both 60x units, either as source or destination. You can add that part via CLI once you have confirmed what you have now.

Then check how far an end device can reach toward the other side with traceroute.
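As an added example (not configuration from the thread or from Fortinet), the FortiOS CLI below applies the three points from the reply above: a zone that groups the wired LAN and the SSID interface, policies between that zone and the tunnel interface, and an extra phase 2 selector for the SSID subnet on both firewalls plus the route the branch side is missing. All interface names, tunnel names and subnets are constructed placeholders; the SSID interface is assumed to be called "wifi" and the wizard-created phase 1 names are assumed to be "HQ-to-Branch" and "Branch-to-HQ".

```fortios
# Added example, not from the thread. Constructed values:
#   HQ LAN 192.168.1.0/24 on "internal", HQ SSID 192.168.10.0/24 on "wifi"
#   Branch LAN 192.168.2.0/24, tunnel interfaces "HQ-to-Branch" / "Branch-to-HQ"

### ---- HQ FGT-60C ----
# 1. Zone grouping the wired LAN and the SSID interface. FortiOS refuses to add
#    an interface to a zone while a policy still references it directly, so the
#    wizard's "internal" <-> tunnel policies must be changed to use the zone first.
config system zone
    edit "LAN_zone"
        set intrazone allow
        set interface "internal" "wifi"
    next
end

config firewall address
    edit "Branch_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# 2. Policies in both directions between the zone and the tunnel interface.
config firewall policy
    edit 0
        set srcintf "LAN_zone"
        set dstintf "HQ-to-Branch"
        set srcaddr "all"
        set dstaddr "Branch_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "HQ-to-Branch"
        set dstintf "LAN_zone"
        set srcaddr "Branch_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# 3. The wizard's phase 2 selector only covers the wired LAN; add a second
#    selector for the SSID subnet. The branch must mirror it (below).
config vpn ipsec phase2-interface
    edit "HQ-to-Branch-wifi"
        set phase1name "HQ-to-Branch"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
# The HQ route to the branch LAN via the tunnel already exists from the wizard.

### ---- Branch FGT-60D ----
config firewall address
    edit "HQ_wifi"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Mirror selector: branch LAN <-> HQ SSID subnet.
config vpn ipsec phase2-interface
    edit "Branch-to-HQ-wifi"
        set phase1name "Branch-to-HQ"
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end

# Route for the HQ SSID subnet through the tunnel (the wizard only routed the HQ LAN).
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "Branch-to-HQ"
    next
end

# Policies allowing the HQ SSID subnet in both directions (or add "HQ_wifi" to
# the address lists of the wizard-created policies instead).
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "Branch-to-HQ"
        set srcaddr "all"
        set dstaddr "HQ_wifi"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "Branch-to-HQ"
        set dstintf "internal"
        set srcaddr "HQ_wifi"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After applying this, `get router info routing-table all` on each unit should show the far-side subnets pointing at the tunnel interface, and `diagnose vpn tunnel list` should show both selector pairs negotiated; if a traceroute from a WiFi client stops at the HQ firewall, the zone/policy step is incomplete, and if it stops at the tunnel, the selectors or the branch route are. Using two phase 2 selectors means two IPsec SAs per direction; a single selector pair of 0.0.0.0/0 on both ends is the alternative if you prefer one SA.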
