Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDRCloud
- FortiNDR (on-premise)
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Hub and Spoke - I don´t get it
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hub and Spoke - I don´t get it
Hi everybody,
I have big problems in understanding hub and spoke VPN.
The Hub i a FGT 60C with OS 5.2 Patch 11
The Spokes are two third-party Routers (AVM Fritzbox 4020, german manufacturer) as dialup-IPSEC-connections
What i have is:
two route-based IPSEC-Tunnels from the Fortigate to those two routers.
I can ping from the Network behind the hub to the Network behind each spoke and from each Network behind the spoke the the Network behind the hub
so far, so good but i am unable to get a ping from spoke to spoke. What I tried:
- create a Zone containing both spoke ipsec Interfaces and disable "block intra-Zone-traffic"
- create a Zone containing both spoke ipsec Interface, leave "block intra-Zone-traffic" and create a policy from Zone to Zone always all accept, NAT enabled
- create each pair of security policies spoke1 to spoke2 spokelan1 to spokelan2 akways all accept, NAT enbaled
whatever I´m trying, i can´t get this working
When i trace data package from spoke1 lan Client to spoke2 it Ends at the spoke1 router, so i assume the packet is being transfered into the tunnel
Any good advice?
Regards
Andreas Maier
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm also from germany, and I know FritzBoxes ...
Did you set up the route to the other spokes lan to point at the ipsec tunnel in each spoke?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would do the following,
1> cli diag debug flow
2 >monitor the route table for the SRC/DST ( the diag debug flow will show what matched or dropped )
3> check fwpolicy( the diag debug flow would show what's match if any )
4>check the phase2 SA for the spoke1 to hub and spoke2 for the interesting traffic between the SRC/DST
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi together,
yes, i configured the Fritzboxes following that article you mentioned.
Diag debug flow shows me this:
FGT60C-# id=20085 trace_id=5 func=print_pkt_detail line=4479 msg="vd-root received a packet(proto=1, 192.168.124.101:1->192.168.121.11:8) from FritzBox4_0 . code=8, type=0, id=1, seq=13." id=20085 trace_id=5 func=resolve_ip_tuple_fast line=4542 msg="Find an existing s ession, id-0002bf59, original direction" id=20085 trace_id=5 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec inte rface-FritzBox1_0" id=20085 trace_id=5 func=ipsec_common_output4 line=625 msg="No matching IPsec se lector, drop" id=20085 trace_id=6 func=print_pkt_detail line=4479 msg="vd-root received a pack et(proto=1, 192.168.124.101:1->192.168.121.11:8) from FritzBox4_0. code=8, type= 0, id=1, seq=14." id=20085 trace_id=6 func=resolve_ip_tuple_fast line=4542 msg="Find an existing s ession, id-0002bf59, original direction" id=20085 trace_id=6 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec inte rface-FritzBox1_0" id=20085 trace_id=6 func=ipsec_common_output4 line=625 msg="No matching IPsec se lector, drop"
As far as i can see my traffic wants to be routet to the right interface (192.168.121.0 is behind FritzBox1 and 192.168.124.0 is behind Fritzbox4) but then dropped because of "No matching IPsec se lector" but why?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"No matching IPsec selector, drop" is usually a problem with local and remote networks in the ipsec phase 2.
I dont know exactly how this is configured in the FritzBox routers.
You have to set up 0.0.0.0/0 as local and remote in phase2 or create two phase2 rules matching source and target network.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, look your PH2 src/dst subnet over at the fritzbox and match the fgt to the cfg.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,813 -
FortiClient
1,789 -
5.2
801 -
FortiManager
746 -
5.4
639 -
FortiAnalyzer
567 -
FortiSwitch
481 -
FortiAP
476 -
FortiClient EMS
440 -
6.0
416 -
5.6
362 -
FortiMail
324 -
SSL-VPN
257 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
217 -
FortiWeb
211 -
5.0
196 -
FortiNAC
196 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
110 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
99 -
FortiToken
92 -
Firewall policy
86 -
Customer Service
81 -
Wireless Controller
81 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
60 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
FortiExtender
46 -
DNS
46 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
RADIUS
37 -
NAT
37 -
SAML
36 -
Certificate
36 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SSO
34 -
Interface
32 -
VDOM
32 -
FortiConnect
30 -
FortiLink
29 -
Application control
28 -
FortiWAN
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
FortiGate-VM
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
OSPF
16 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
SNMP
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1747 | |
| 1114 | |
| 761 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.