JaniH
New Contributor

Policy based VPN's and IPSec Concentrator

Hi,

We have four different sites that need network traffic to go from one site to another, and if I've understood correctly, the IPsec concentrator is the thing I need. The sites connect to the HQ main FW with policy-based IPsec tunnels and I have added the sites to the same concentrator, but the traffic is going from one site to another.

What am I missing here? Do I need to configure ADVPN or something else in the policies, phase 1 or phase 2 configurations? Or is my approach all wrong? Traffic doesn't need to go straight from site to site; it can go through HQ's main firewall.

KR,

Jani

romanr
Valued Contributor

Hi,

Policy-based VPNs and the VPN concentrator are quite a bit outdated.

ADVPN is great, but I guess in your environment it might be real overkill.

For an easy setup, in my opinion you should:

- Create interface-based VPN tunnels

- Put all VPN tunnels on the headquarter side into a zone (allow intrazone traffic!) (Actually one should always use zones ;) )

- Set up routing accordingly

-> So all subsidiaries need to have all the other subnets pointing to headquarters.

That's it.

Br,

Roman
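
A FortiOS CLI sketch of the three steps above (hub zone with intrazone traffic allowed, phase 2 selectors wide enough for spoke-to-spoke traffic, spoke routes pointing at HQ). This is an added example, not configuration from the thread or from Fortinet; the tunnel interface names, zone name and 10.x subnets are assumptions.

```fortios
# --- HQ (hub) side: assumed route-based tunnel interfaces site1_tun .. site4_tun ---
# The zone groups the tunnels; intrazone allow lets spoke-to-spoke traffic
# relay through HQ without one firewall policy per site pair.
config system zone
    edit "SPOKES_ZONE"
        set intrazone allow
        set interface "site1_tun" "site2_tun" "site3_tun" "site4_tun"
    next
end

# Hub routes: each spoke LAN (assumed 10.1.<site>.0/24) via its own tunnel.
config router static
    edit 0
        set dst 10.1.1.0 255.255.255.0
        set device "site1_tun"
    next
    edit 0
        set dst 10.1.2.0 255.255.255.0
        set device "site2_tun"
    next
end

# --- Spoke side (site 1, assumed phase 1 named to_hq) ---
# Phase 2 selectors must cover the OTHER spokes' LANs, not only HQ's LAN;
# otherwise the SA rejects spoke-to-spoke packets even when routing is right.
config vpn ipsec phase2-interface
    edit "to_hq_p2"
        set phase1name "to_hq"
        set src-subnet 10.1.1.0 255.255.255.0
        # assumed summary covering HQ plus all spoke LANs
        set dst-subnet 10.0.0.0 255.0.0.0
    next
end

# Every other subnet points at the HQ tunnel ("all subsidiaries need to
# have all the other subnets pointing to headquarters").
config router static
    edit 0
        set dst 10.0.0.0 255.0.0.0
        set device "to_hq"
    next
end
```

Each spoke (and the hub's own LAN) still needs ordinary LAN-to-tunnel firewall policies; only the spoke-to-spoke hop inside the zone is covered by intrazone allow. Because the sites have dynamic external IPs, the hub's phase 1 for them would be a dialup tunnel (`set type dynamic` under `config vpn ipsec phase1-interface`), which is outside this sketch.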

JaniH
New Contributor

Hi Roman,

I think that too, but the documentation regarding the concentrator isn't that clear about what it requires to work.

This is one possibility, but I'm not sure it is the right way to go with this setup, as it is up and running and the whole setup contains 40 different sites, so in the future it's possible that all of these sites need site-to-site traffic. Also, most of the sites have mobile routers and dynamic external IPs (the sites are really small, but a VPN client connection isn't a possibility).

This configuration is needed as the phone system requires internal calls to go p2p from client to client.

Br,

Jani

romanr
Valued Contributor

Hi,

Policy-based VPNs are from earlier Fortinet days. They are not used anymore for new deployments. So I think all the documentation you found about them will target FortiOS versions before 5 (or mainly before 4).

ADVPN requires dynamic routing via iBGP and a more complex setup, a lot of work via the command line. And also troubleshooting won't be more complex. So you should really know what you are doing when you go that way.

Br,

Roman
