Umesh
Contributor

Ipsec over SDWAN configuration issue for another subnet

Hi All,

 

Requirements:

I want to access the Branch2 network from Branch1 via the headquarters. I configured IPsec over SD-WAN and everything is working fine according to the lab diagram. The problem I am facing is while accessing the Branch2 network from Branch1 via HQ.

I have added the Branch2 subnet (192.168.3.0/24) in the phase 2 selector of the tunnel and created a policy and route, but I am unable to access the Branch2 network.

If I select local and remote subnet 0.0.0.0/0, 0.0.0.0/0 then it works fine, but when I define the networks in the Phase 2 selector it doesn't work. However, traffic is being sent via the tunnel when I check with the diagnose sniffer command.

 

Can you please tell me where it is going wrong when I add more subnets in the phase two selector of the tunnel?

 

What I am able to access and not able to access is as follows.

(Branch2-PC2) ping 192.168.1.10 (HQ) ---> reachable

(Branch-PC2) ping 192.168.3.10 (Branch2) ----> not reachable, even after defining local and remote subnets.

 

My goal is to access the Branch2 network from Branch1 via the headquarters office. How can I achieve it? I don't want to select local 0.0.0.0 and remote 0.0.0.0.

[Image: Ipsec over SDWAN.png: Branch1 to HQ and HQ to Branch2]

kaman
Staff

Hi Umesh,

Please check under IPSec-Monitor if the new Phase2 selectors you created are showing as up or down.

Also, confirm which routing protocol is being used: BGP or static routing.

If the status is up, verify the routing table for the destination 192.168.3.10 to ensure traffic is being routed via the tunnel.

Run the debug commands below and check whether the traffic is going out via the correct policy or not.

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug flow filter addr < destination - IP >
diagnose debug flow filter proto < 1 or 17 or 6 > (optional) where 1 = ICMP, 6 = TCP, 17 = UDP
diagnose debug flow trace start 1000
diagnose debug enable

Hope it helps!

Regards,
Aman

funkylicious
SuperUser

Hi,

To be honest, using 0.0.0.0/0 selectors is the most flexible config.

You can configure/control everything from routes and firewall rules using these selectors.

 

Well, if you don't want to use it like this you would need the following in HQ and both branches:

- selectors

- routes

- fw rules


In B1 towards HQ: selectors in the IPsec config, routes and fw rules (for/to/between 192.168.2.0/24, 192.168.3.0/24)

In HQ towards B1, selectors in the IPsec config, routes and fw rules

In HQ towards B2, selectors in the IPsec config, routes and fw rules

In HQ between IPsec B1 <> B2: fw rules

In B2 towards HQ, selectors in the IPsec config, routes and fw rules


You could always look into ADVPN in order for the IPsec to be built dynamically directly between the branches, not using HQ for this traffic.

"jack of all trades, master of none"
Umesh

Hello Dear,

 

I am still not able to access the remote branch network from BR1 to BR2.

In the BR1 Phase 2 selector I have added the networks.

At BR1 (Delhi) firewall, as per the diagram:

Local subnet 192.168.2.0/24 remote subnet 192.168.1.0/24

Local subnet 192.168.2.0/24 remote subnet 192.168.3.0/24

Created a static route for 192.168.3.0/24 via the tunnel interface.

 

At HQ firewall (Mumbai):

Local subnet 192.168.1.0/24 remote subnet 192.168.2.0/24

Local subnet 192.168.2.0/24 remote subnet 192.168.3.0/24

 

At BR2 (Bangalore location):

local subnet 192.168.3.0/24 remote subnet 192.168.1.0/24

local subnet 192.168.3.0/24 Remote subnet 192.168.2.0/24

 

Created everything like the static route and policy, but unfortunately it doesn't work.

Please refer to the diagram below for reference.

 

Note my intention is to access the BR2 network from BR1. I need your help; what am I missing here?

Kindly note that when I select phase 2 selector local and remote subnet then it works fine for me and I am able to access the network of BR2 from BR1.

The problem only takes place when I choose multiple subnets in the phase 2 selector.

[Image: ipsec banglore.jpeg.jpg]

 

 

funkylicious

Hi,

In HQ you would need selectors like this:

- tunnel HQ to Delhi:

local: 192.168.1.0/24, remote: 192.168.2.0/24

local: 192.168.3.0/24, remote: 192.168.2.0/24

 

- tunnel HQ to Bangalore:

local: 192.168.3.0/24, remote: 192.168.1.0/24

local: 192.168.3.0/24, remote: 192.168.2.0/24

 

In BR1:

- tunnel BR1 to HQ:

local: 192.168.2.0/24, remote: 192.168.1.0/24

local: 192.168.2.0/24, remote: 192.168.3.0/24

 

In BR2:

- tunnel BR2 to HQ:

local: 192.168.3.0/24, remote: 192.168.1.0/24

local: 192.168.3.0/24, remote: 192.168.2.0/24


You could also create objects/groups with these networks and reference the group in a single selector.

But as I stated before, in my opinion you are making life hard for yourself, and I would just go for 0.0.0.0/0 as selectors for all IPsec tunnels and control everything from firewall rules and routes.

"jack of all trades, master of none"
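The selector bookkeeping discussed in the two replies above and in Umesh's second post is easy to get wrong by hand, so here is an added checker for it. This is example code written for this thread, not anything posted by the participants and not a Fortinet tool. It models each tunnel endpoint's phase 2 (local, remote) pairs and verifies two things: that every pair on one end has its (remote, local) mirror on the peer end, and that a BR1 -> HQ -> BR2 flow is matched by the right pair on all four endpoint views of the two tunnels it crosses. The subnets are the ones quoted in the thread; the HQ side of the HQ-BR2 tunnel is constructed here as a clean mirror of BR2's list, and the host addresses 192.168.2.10 and 192.168.3.10 are assumed test PCs.

```python
"""Phase 2 selector sanity check for a hub-and-spoke IPsec topology.

Added example for this thread (not forum or Fortinet code). Each tunnel is a
dict of endpoint name -> list of (local_subnet, remote_subnet) selectors.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

Selector = Tuple[str, str]            # (local_subnet, remote_subnet) as CIDR strings
Tunnel = Dict[str, List[Selector]]    # endpoint name -> its selector list (two endpoints)


def mirror_mismatches(tunnel: Tunnel) -> Dict[str, List[Selector]]:
    """For each endpoint, list the selectors whose (local, remote) does not appear
    as (remote, local) on the peer endpoint. Two empty lists mean both ends agree."""
    (name_a, sel_a), (name_b, sel_b) = tunnel.items()

    def missing(mine: List[Selector], theirs: List[Selector]) -> List[Selector]:
        mirrored = {(ip_network(r), ip_network(l)) for l, r in theirs}
        return [(l, r) for l, r in mine
                if (ip_network(l), ip_network(r)) not in mirrored]

    return {name_a: missing(sel_a, sel_b), name_b: missing(sel_b, sel_a)}


def _matches(selectors: List[Selector], local_ip: str, remote_ip: str) -> bool:
    """True if some selector's local subnet contains local_ip and its remote
    subnet contains remote_ip."""
    src, dst = ip_address(local_ip), ip_address(remote_ip)
    return any(src in ip_network(l) and dst in ip_network(r) for l, r in selectors)


def path_problems(tunnels: Dict[str, Tunnel],
                  hops: List[Tuple[str, str, str]],
                  src_ip: str, dst_ip: str) -> List[str]:
    """hops: (tunnel_name, sending_endpoint, receiving_endpoint) in path order.
    The sender needs a selector with local covering src and remote covering dst;
    the receiver needs the mirror (local covering dst, remote covering src).
    Returns one message per endpoint that lacks the needed selector."""
    problems: List[str] = []
    for tname, sender, receiver in hops:
        t = tunnels[tname]
        if not _matches(t[sender], src_ip, dst_ip):
            problems.append(f"{tname}: {sender} has no selector with local covering "
                            f"{src_ip} and remote covering {dst_ip}")
        if not _matches(t[receiver], dst_ip, src_ip):
            problems.append(f"{tname}: {receiver} has no selector with local covering "
                            f"{dst_ip} and remote covering {src_ip}")
    return problems


# Subnets quoted in the thread.
BR1, HQ, BR2 = "192.168.2.0/24", "192.168.1.0/24", "192.168.3.0/24"

# Selectors as described in the second post. HQ's second pair on the BR1 tunnel
# uses BR1's subnet as "local", which is the suspect entry. The HQ side of the
# HQ-BR2 tunnel is constructed here as a mirror of BR2's list.
AS_POSTED: Dict[str, Tunnel] = {
    "BR1-HQ": {"BR1": [(BR1, HQ), (BR1, BR2)],
               "HQ":  [(HQ, BR1), (BR1, BR2)]},
    "HQ-BR2": {"HQ":  [(HQ, BR2), (BR1, BR2)],
               "BR2": [(BR2, HQ), (BR2, BR1)]},
}

# Same topology with HQ's BR1-tunnel pair corrected to local=BR2, remote=BR1.
CORRECTED: Dict[str, Tunnel] = {
    "BR1-HQ": {"BR1": [(BR1, HQ), (BR1, BR2)],
               "HQ":  [(HQ, BR1), (BR2, BR1)]},
    "HQ-BR2": AS_POSTED["HQ-BR2"],
}

# Flow under test: assumed PC in BR1 talking to assumed PC in BR2 via HQ.
HOPS = [("BR1-HQ", "BR1", "HQ"), ("HQ-BR2", "HQ", "BR2")]

if __name__ == "__main__":
    for label, topo in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"== {label} ==")
        for tname, tunnel in topo.items():
            print(f"{tname} mirror mismatches: {mirror_mismatches(tunnel)}")
        print("path problems:", path_problems(topo, HOPS, "192.168.2.10", "192.168.3.10"))
```

Run on the as-posted selectors, the mirror check flags the pair local 192.168.2.0/24 / remote 192.168.3.0/24 on both ends of the Delhi tunnel (each end lists it, neither end lists its reverse), and the path check reports that HQ has nothing to accept traffic for 192.168.3.10 arriving from 192.168.2.10 on that tunnel. With HQ's pair flipped to local 192.168.3.0/24 / remote 192.168.2.0/24, both checks come back empty. The same two functions apply to any number of spokes and hops, so the checker generalises beyond the three-site case in the thread.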