- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Hub and spoke configuration problem
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 03-23-2009 07:05 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hub and spoke configuration problem
I tried a hub and spoke configuration with 3 fortigate equipments.
So the configuration is the following:
HUB: internal network 192.168.222.0/24 external static ip
SPOKE1: internal network 192.168.105.0/24 external dialup-user
SPOKE2: internal network 192.168.98.0/24 external dialup-user
what works:
SPOKE1 ---VPN --- HUB
SPOKE2 ---VPN --- HUB
I' m using policy based VPN.
what not:
SPOKE1---HUB---SPOKE2
from the network 192.168.105.0/24 to 192.168.98.0/24
Error:
No matching IPsec selector, drop
on the spoke which tries to transmit.
i understand the error it comes from the fact that i put quick mode selector on the spoke source : 192.168.105.0/24 and destination 192.168.222.0/24. It is obvious that it will not work but how it works?
If I put quick mode selector 192.168.0.0/16 source and destination the hub will drop the VPN connections because it has two VPN connections with same selector.
I used the documentation FortiGateâ„¢ IPSec VPN Version 3.0 MR5 with hub-and-spoke configuration on policy based VPN. I even set up the concentrator but anyway the problem is at the spoke not the hub.
I' m open to any ideas. Or any documentation which tackles this problem in detail.
Thank you for any input.
Please ask if you need any details.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what do ur routes look like?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With policy based, you will not see any routes. I would highly recommend interface mode tunnels.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whoops missed that...yeah i use interface mode/route based and it works great.
Not applicable
Created on 03-24-2009 02:03 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for all your input. As I was saying I' m not proficient in interface mode VPN but I tried it. And it doesn' t work.
What I did was the following:
-At hub:
VPN interface mode
policy for in and out
and I build a zone to ease my configuration
At Spoke
VPN interface mode
policy for in and out
route for the aggregate network
All well for the first spoke (and that is working) but when I tried to build the second I realized that in configuring the VPN the configuration was the same. This is a big problem how does the hub differentiate between the two connections????
Thanks again for your responses.
Again if you need any more data I am more than happy to provide.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Under ' Network > Interface' , you will see the new interfaces. (You may need to click the blue arrow next to the major interface first) You will need to give both sides IP addresses on the same network. Once that is done, you can now add static routes between the sites. This will prevent the FGT routing the remote traffic out of the default gateway.
Hope that helps.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Not applicable
Created on 03-24-2009 02:34 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for help.
I am amazed but it works.
So on the HUB i put ONE interface mode VPN and all the spokes connect to that and everything works.
Thanks one more question what if i want one or more different domains meaning:
SPOKE1_D1-------| |
SPOKE2_D1-------|HUB |
SPOKE1_D2-------| |
SPOKE2_D2-------| |
And the spokes from the same domain see each other but not from different domains how it can be done? I am interested if you can use two or more interface based VPN on the hub and to choose from the spoke to what VPN interface to connect. (If yes how? if no why?).
Thanks again for all your help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If all the VPNs into the hub are interface based, then you create policies deciding who talks to whom. No policy, no communication.
For example, even if two domains are coming in through one tunnel, you will need a policy from and to the same interface with the source being one IP range, and the destination being the other.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Related Posts
- Fortinac DHCPD service stops working 25 Views
- Issue resolving www.epicagames.com 62 Views
- Setting Up FortiGate DDNS Behind ZTE... 129 Views
- Help Needed: DDNS Not Working and... 233 Views
- Deployment of FortiSwitch ACLs through Fortimanager? 69 Views
Labels
-
FortiGate
6,920 -
FortiClient
1,365 -
5.2
801 -
5.4
639 -
FortiManager
597 -
FortiAnalyzer
436 -
6.0
416 -
5.6
362 -
FortiAP
361 -
FortiSwitch
357 -
FortiClient EMS
279 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
168 -
6.4
128 -
FortiNAC
122 -
FortiGuard
111 -
IPsec
96 -
FortiGateCloud
91 -
FortiSIEM
91 -
FortiCloud Products
85 -
SSL-VPN
83 -
FortiToken
75 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
FortiEDR
42 -
SD-WAN
41 -
Fortivoice
41 -
FortiDNS
37 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
VLAN
27 -
High Availability
27 -
FortiAuthenticator
26 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
FortiConverter
21 -
DNS
19 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
SAML
17 -
FortiGate v5.2
17 -
LDAP
17 -
Certificate
17 -
BGP
16 -
VDOM
16 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
Authentication
13 -
FortiGate v5.0
13 -
FortiLink
13 -
Routing
13 -
FortiDDoS
13 -
FortiCASB
12 -
NAT
11 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Fortigate Cloud
9 -
4.0MR2
9 -
SSID
8 -
FortiBridge
8 -
WAN optimization
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
IP address management - IPAM
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
Web application firewall profile
6 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 983 | |
| 820 | |
| 446 | |
| 440 | |
| 131 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.