I have a central site (A) with a static IP and many other sites (B, C and D) that create dialup IPsec tunnels back to site (A)
Subnets at site (A) can reach subnets at sites (B, C and D) and sites (B, C and D) can reach subnets at site (A)
But I have not seen a config or a topic which would allow sites (B, C and D) to learn they can reach each other via site (A)
Static routes and policies would be a good start. Does anyone have a recipe to allow traffic to route from Site (B) to Site (C) via Site (A)?
In an ideal world it would be great to have a VPN direct between Site (B) and Site (C), but as both are on dynamic addresses this would introduce the use of a dynamic DNS service, which I would like to avoid.
It would be a great feature if site (A) would be able to act as a dynamic DNS
If you search this forum for "hub and spoke" you will find many discussions exactly the same as your situation.
But it's relatively simple. You need to take care of three things always with IPsec tunnel networks.
1. routing
2. policy
3. phase2 network selector.
at all nodes (FGTs).
For example, at the FGT-B location, if you want to let them connect to, say, the FGT-C location:
1. FGT-B needs to have a route to FGT-C's LAN subnet toward the IPsec tunnel to FGT-A as well.
2. The pair of policies to/from the tunnel from/to the LAN at FGT-B need to allow/include FGT-C's LAN subnet(s), not only FGT-A's subnets.
3. Phase2 network selectors between FGT-B and FGT-A need to include FGT-C's subnet(s).
And you have to do this at all spoke FGTs; at the same time FGT-A's network selectors are matching the changes.
Toshi
Created on 02-14-2024 04:42 PM Edited on 02-14-2024 04:44 PM
Of course, you need to have tunnel-B int <-> tunnel-C int policy set in addition to tunnel-B int <-> LAN, tunnel-C int <-> LAN at Site A.
That's the condition No.2 I listed at Site A.
You could make a zone including both tunnels and then "set intrazone allow" to allow between-tunnel traffic, though. Then you don't need to set the policies specifically. But you have to reconstruct all policies NOT to use individual tunnel interfaces in the policies.
Toshi
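
The three items from the replies above (route, policy, phase2 selector), written out in FortiOS CLI for the B-to-C direction. This is an added example, not configuration posted by anyone in the thread. The subnets (10.0.2.0/24 for Site B, 10.0.3.0/24 for Site C), the interface names `lan`, `to-A`, `tun-B` and `tun-C`, and the pre-existing address objects `SiteB-LAN` and `SiteC-LAN` are all assumptions; lines starting with `#` are annotations for the reader.

```fortios
# FGT-B (spoke). Repeat on FGT-C with the B and C subnets swapped.
config router static
    edit 0
        set dst 10.0.3.0 255.255.255.0
        set device "to-A"
    next
end
config vpn ipsec phase2-interface
    edit "to-A-C"
        set phase1name "to-A"
        set src-subnet 10.0.2.0 255.255.255.0
        set dst-subnet 10.0.3.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "B-lan-to-C"
        set srcintf "lan"
        set dstintf "to-A"
        set srcaddr "SiteB-LAN"
        set dstaddr "SiteC-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# FGT-A (hub). Selector mirrors the spoke's; add the same pair for tun-C.
config vpn ipsec phase2-interface
    edit "tun-B-C"
        set phase1name "tun-B"
        set src-subnet 10.0.3.0 255.255.255.0
        set dst-subnet 10.0.2.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "B-to-C"
        set srcintf "tun-B"
        set dstintf "tun-C"
        set srcaddr "SiteB-LAN"
        set dstaddr "SiteC-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Each policy shown needs its reverse-direction twin (tunnel to LAN on the spoke, `tun-C` to `tun-B` on the hub), and `service "ALL"` can be narrowed to the services the sites actually exchange.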