I have a central site (A) with a static IP and many other sites (B, C and D) that create dialup IPsec tunnels back to site (A).
Subnets at site (A) can reach subnets at sites (B, C and D), and sites (B, C and D) can reach subnets at site (A).
But I have not seen a config or a topic which would allow sites (B, C and D) to learn that they can reach each other via site (A).
Static routes and policies would be a good start. Does anyone have a recipe to allow traffic to route from Site (B) to Site (C) via Site (A)?
In an ideal world it would be great to have a VPN directly between Site (B) and Site (C), but as both are on dynamic addresses this would introduce the use of a dynamic DNS service, which I would like to avoid.
It would be a great feature if site (A) were able to act as a dynamic DNS.
If you search this forum for "hub and spoke" you will find many discussions of exactly your situation.
But it's relatively simple. You always need to take care of three things with IPsec tunnel networks:
1. routing
2. policy
3. phase2 network selectors
at all nodes (FGTs).
For example, at the FGT-B location, if you want to let them connect to the FGT-C location:
1. FGT-B needs to have a route to FGT-C's LAN subnet toward the IPsec tunnel to FGT-A as well.
2. The pair of policies to/from the tunnel from/to the LAN at FGT-B needs to allow/include FGT-C's LAN subnet(s), not only FGT-A's subnets.
3. The phase2 network selectors between FGT-B and FGT-A need to include FGT-C's subnet(s).
And you have to do this at all spoke FGTs, while at the same time FGT-A's network selectors match the changes.
Toshi
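As an added worked example (not from any post in this thread), here is what the three items above look like in FortiOS CLI on one spoke and on the hub. Everything named here is an assumption: A LAN 10.0.1.0/24, B LAN 10.0.2.0/24, C LAN 10.0.3.0/24, the spoke's LAN on port2, the spoke's tunnel interface "to-HubA", and a single dialup phase1 "dialup-spokes" on the hub that terminates B, C and D. FGT-C mirrors FGT-B with the B and C subnets swapped.

```fortios
# ---- Spoke FGT-B (assumed: LAN on port2, dialup tunnel interface "to-HubA") ----
# One address group feeds the static route, the phase2 selector and both
# policies, so adding another spoke later means adding one member here.
config firewall address
    edit "net-B-lan"
        set subnet 10.0.2.0 255.255.255.0
    next
    edit "net-A-lan"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "net-C-lan"
        set subnet 10.0.3.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "grp-via-HubA"
        set member "net-A-lan" "net-C-lan"
    next
end
# 1. routing: A's and C's LANs go into the tunnel toward A
config router static
    edit 10
        set dstaddr "grp-via-HubA"
        set device "to-HubA"
    next
end
# 3. phase2 selector: local = B LAN, remote = A LAN + C LAN (not only A)
config vpn ipsec phase2-interface
    edit "to-HubA-p2"
        set phase1name "to-HubA"
        set src-addr-type name
        set src-name "net-B-lan"
        set dst-addr-type name
        set dst-name "grp-via-HubA"
    next
end
# 2. policy: the pair to/from the tunnel covers C's LAN as well as A's
config firewall policy
    edit 20
        set name "B-lan-out-via-HubA"
        set srcintf "port2"
        set dstintf "to-HubA"
        set srcaddr "net-B-lan"
        set dstaddr "grp-via-HubA"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 21
        set name "B-lan-in-via-HubA"
        set srcintf "to-HubA"
        set dstintf "port2"
        set srcaddr "grp-via-HubA"
        set dstaddr "net-B-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---- Hub FGT-A (assumed: dialup phase1 "dialup-spokes"; address objects
# "net-B-lan" and "net-C-lan" defined as on the spoke) ----
# Wildcard selectors stay a superset of whatever each spoke proposes after it
# adds the other spokes' LANs to its remote selector. Routes to each spoke LAN
# already point at the dialup interface (the working A<->B and A<->C tunnels
# prove that), either via "set add-route enable" on the phase1 or statically.
config vpn ipsec phase2-interface
    edit "dialup-spokes-p2"
        set phase1name "dialup-spokes"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# Hairpin policy: traffic arriving from one spoke leaves on the same dialup
# interface toward another spoke. The existing LAN<->spoke policies do not
# match this, so without it the hub silently drops spoke-to-spoke packets.
config firewall policy
    edit 30
        set name "spoke-to-spoke-via-hub"
        set srcintf "dialup-spokes"
        set dstintf "dialup-spokes"
        set srcaddr "net-B-lan" "net-C-lan"
        set dstaddr "net-B-lan" "net-C-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

If the hub uses a separate phase1 per spoke instead of one dialup phase1, the hairpin policy becomes two policies with srcintf/dstintf set to the B and C tunnel interfaces, and each hub phase2's local selector must cover the other spokes' LANs, not just the hub LAN.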
I think you are looking for ADVPN.
I think I had configured nearly all the steps discussed except for updating the phase2. I'll give this a go and report back.
Thanks for the support, appreciated.
Let us know if it still doesn't work.
Toshi
Below is what I think the answer is, but I've not been able to make it work yet.
Site B config
Create a subnet address for Site C
Add it to the address group for Site A's VPN (the Phase 2 and the static route to Site C via Site A will be updated, as they use the same group)
Add two IPv4 policies, one outbound and one inbound: Site B to Site C and Site C to Site B
Site A config
Add two policies, Site B to Site C and Site C to Site B, via the Site A-to-B and A-to-C VPNs
Site C config
Create a subnet address for Site B
Add it to the address group for Site A's VPN (the Phase 2 and the static route to Site B via Site A will be updated, as they use the same group)
Add two IPv4 policies, one outbound and one inbound: Site B to Site C and Site C to Site B
This feels like all the steps, and yet I can't see it working.
Do you have a route toward the tunnel on both the B and C sides?
If everything is in place and it still doesn't get through, sniff the traffic to find out how far it gets, then run flow debug one hop before.
Toshi
I have a ping running from Site B to Site C and from Site C to Site B.
This is what I can see by observing the counters on the policies.
Locally I can see the counters rising for the local interface, but nothing coming back.
On Site A I can see the counters rising for both directions.
This means that either data is not leaving Site A, or both Sites B and C are rejecting incoming data.
I've checked the config over a few times now and can't see the error, which may mean I am missing a step at Site A or at both Sites B and C.
I'm not sure how to troubleshoot this. I could do with seeing an activity log or some errors.
Created on 02-13-2024 04:05 PM Edited on 02-13-2024 04:06 PM
To be sure, you need to run the sniffer at Site A:
diag sniffer packet <tunnel-to-B-int> 'host <ping-destination>' 4 0 l (letter 'l' as in local)
and then
diag sniffer packet <tunnel-to-C-int> 'host <ping-destination>' 4 0 l
But you likely need to disable ASIC offloading on the set of policies between <tunnel-to-B-int> and <tunnel-to-C-int>:
config firewall policy
edit x
set auto-asic-offload disable
next
end
(just don't forget to enable it again once debugging is done; it affects performance)
The sniffer works at the CPU level, so if traffic is offloaded to the NPU it won't show up in the sniffer output.
Toshi
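The full troubleshooting pass on the hub that the sniffer advice above and the "run flow debug one hop before" advice earlier add up to, as an added example that is not from any post in this thread. Assumed: the ping runs from a B host 10.0.2.10 to a C host 10.0.3.10, and the hub's tunnel interfaces are named "to-B" and "to-C" (with a single dialup phase1 terminating both spokes, use that one interface name in both sniffer commands).

```fortios
# Hub FGT-A, in the order that localises the drop fastest.
# 1. Does the route for the destination actually point at the tunnel toward C?
#    If it shows the WAN or LAN interface instead, stop here and fix routing.
get router info routing-table details 10.0.3.10
# 2. Are both tunnels up, and do the negotiated selectors include the far LAN?
#    A spoke whose phase2 still only lists the hub LAN shows up here as a
#    selector that does not cover 10.0.3.0/24 (or 10.0.2.0/24 on the C side).
diagnose vpn tunnel list name to-B
diagnose vpn tunnel list name to-C
# 3. Sniff at the CPU (trailing "l" = local timestamps). Requires
#    auto-asic-offload disabled on the policy in between, as noted above.
#    Echo requests seen on to-B but never on to-C means the hub drops them.
diagnose sniffer packet to-B 'host 10.0.3.10 and icmp' 4 0 l
diagnose sniffer packet to-C 'host 10.0.3.10 and icmp' 4 0 l
# 4. Flow debug names the step that drops the packet, e.g. no matching route,
#    "Denied by forward policy check (policy 0)" when no tunnel-to-tunnel
#    policy matches, or a reverse path check failure when the return route
#    to 10.0.2.0/24 does not point back into the B tunnel.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.0.3.10
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... let a few pings run, read the trace, then stop and clean up ...
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
```

Run the same sequence on the spoke that is not receiving replies, filtering on its own LAN host, if the hub shows the packet leaving toward C but the C LAN host never sees it; that isolates a missing inbound policy or a phase2 selector on the spoke that does not cover the other spoke's LAN.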
I think I am missing a step at Site A.
Currently, I have only created an in and an out policy for Site B to C and from C to B.
Apart from creating the two extra policies, is there anything else to create at Site A?
Site A already has working VPNs from Site A to B and from Site A to C.
I assume none of the phase2 configs will need to be adjusted here.
Thanks