londonnet
New Contributor III

Routing between dial-up IPsec tunnels

I have a central site (A) with a static IP and many other sites (B, C and D) that create dial-up IPsec tunnels back to site (A).

Subnets at site (A) can reach subnets at sites (B, C and D), and sites (B, C and D) can reach subnets at site (A).

But I have not seen a config or a topic which would allow sites (B, C and D) to learn they can reach each other via site (A).

Static routes and policies would be a good start. Does anyone have a recipe to allow traffic to route from Site (B) to Site (C) via Site (A)?

In an ideal world it would be great to have a direct VPN between site (B) and Site (C), but as both are on dynamic addresses this would introduce the use of a dynamic DNS service, which I would like to avoid.

It would be a great feature if site (A) were able to act as a dynamic DNS.

1 Solution
Toshi_Esumi
SuperUser

If you search this forum for "hub and spoke" you will find many discussions of exactly the same situation as yours.
But it's relatively simple. You always need to take care of three things with IPsec tunnel networks:
1. routing
2. policy
3. phase2 network selector
at all nodes (FGTs).

For example, at the FGT-B location, if you want to let them connect to, say, the FGT-C location:
1. FGT-B needs to have a route to FGT-C's LAN subnet toward the IPsec tunnel to FGT-A as well.
2. The pair of policies to/from the tunnel from/to the LAN at FGT-B needs to allow/include FGT-C's LAN subnet(s), not only FGT-A's subnets.
3. The phase2 network selectors between FGT-B and FGT-A need to include FGT-C's subnet(s).

And you have to do this at all spoke FGTs, and at the same time FGT-A's network selectors have to match the changes.

Toshi
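The three items above, written out as a FortiOS CLI fragment for the spoke FGT-B. This is an added example and not configuration from the thread or from Fortinet; the subnets (10.0.1.0/24 for site A, 10.0.2.0/24 for site B, 10.0.3.0/24 for site C), the tunnel interface name "to-hubA" and the LAN interface name "internal" are all assumptions. It goes one step beyond the post by showing the address objects the policies reference.

```fortios
# FGT-B (spoke). Assumed addressing and names, not from the thread:
#   Site A LAN 10.0.1.0/24, Site B LAN 10.0.2.0/24, Site C LAN 10.0.3.0/24
#   Tunnel interface to the hub: "to-hubA"; LAN interface: "internal"

# Address objects used by the policies below
config firewall address
    edit "siteA-lan"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "siteB-lan"
        set subnet 10.0.2.0 255.255.255.0
    next
    edit "siteC-lan"
        set subnet 10.0.3.0 255.255.255.0
    next
end

# 1. Routing: site C's LAN is reached through the tunnel to the hub,
#    exactly like site A's LAN (edit 0 lets the FortiGate pick the next free ID)
config router static
    edit 0
        set dst 10.0.3.0 255.255.255.0
        set device "to-hubA"
    next
end

# 3. Phase 2 selectors: the hub's LAN and site C's LAN must both be covered.
#    One phase2 per remote subnet keeps the selectors explicit; the hub side
#    must accept the same selectors for the SA to come up.
config vpn ipsec phase2-interface
    edit "to-hubA-p2-siteA"
        set phase1name "to-hubA"
        set src-subnet 10.0.2.0 255.255.255.0
        set dst-subnet 10.0.1.0 255.255.255.0
    next
    edit "to-hubA-p2-siteC"
        set phase1name "to-hubA"
        set src-subnet 10.0.2.0 255.255.255.0
        set dst-subnet 10.0.3.0 255.255.255.0
    next
end

# 2. Policy pair: both directions list site C's LAN, not only site A's.
#    Service "ALL" is used here for brevity; narrow it to what the sites need.
config firewall policy
    edit 0
        set name "lan-to-hub-tunnel"
        set srcintf "internal"
        set dstintf "to-hubA"
        set srcaddr "siteB-lan"
        set dstaddr "siteA-lan" "siteC-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "hub-tunnel-to-lan"
        set srcintf "to-hubA"
        set dstintf "internal"
        set srcaddr "siteA-lan" "siteC-lan"
        set dstaddr "siteB-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The same three changes are repeated on FGT-C (and FGT-D) with the subnets swapped. If a tunnel stays up but spoke-to-spoke traffic is dropped, check the selectors first: a phase2 that does not cover the remote spoke's subnet fails silently from the routing and policy point of view.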

10 Replies
Toshi_Esumi

Of course, you need to have a tunnel-B int <-> tunnel-C int policy set in addition to tunnel-B int <-> LAN and tunnel-C int <-> LAN at Site A.
That's condition No. 2 I listed, at Site A.

You could make a zone including both tunnels and then "set intrazone allow" to allow traffic between the tunnels, though. Then you don't need to set the policies specifically. But you have to reconstruct all policies NOT to use individual tunnel interfaces in the policies.

Toshi
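Both hub-side options from this reply as a FortiOS CLI fragment for FGT-A. This is an added example, not configuration from the thread or from Fortinet; the tunnel interface names "dialup-B" and "dialup-C" (one dial-up phase1 per spoke), the LAN interface "internal" and the address objects "siteA-lan", "siteB-lan" and "siteC-lan" are assumed to exist. The two options are alternatives, not a combined configuration.

```fortios
# FGT-A (hub). Assumed names, not from the thread: tunnel interfaces "dialup-B"
# and "dialup-C", LAN interface "internal", address objects siteA-lan,
# siteB-lan, siteC-lan already defined.

# Option 1: explicit tunnel-to-tunnel policy pair, added alongside the
# existing tunnel <-> LAN policies. Spoke LANs are pinned as source and
# destination so a spoke cannot reach the other tunnel with arbitrary sources.
config firewall policy
    edit 0
        set name "spokeB-to-spokeC"
        set srcintf "dialup-B"
        set dstintf "dialup-C"
        set srcaddr "siteB-lan"
        set dstaddr "siteC-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "spokeC-to-spokeB"
        set srcintf "dialup-C"
        set dstintf "dialup-B"
        set srcaddr "siteC-lan"
        set dstaddr "siteB-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Option 2: one zone for all spoke tunnels with intrazone traffic allowed.
# A zone member can no longer be named individually in a policy, so every
# existing tunnel <-> LAN policy has to be rewritten against the zone name
# before the interfaces can be added to it.
config system zone
    edit "spokes"
        set intrazone allow
        set interface "dialup-B" "dialup-C"
    next
end
config firewall policy
    edit 0
        set name "lan-to-spokes"
        set srcintf "internal"
        set dstintf "spokes"
        set srcaddr "siteA-lan"
        set dstaddr "siteB-lan" "siteC-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "spokes-to-lan"
        set srcintf "spokes"
        set dstintf "internal"
        set srcaddr "siteB-lan" "siteC-lan"
        set dstaddr "siteA-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Option 2 trades per-tunnel policy granularity for fewer rules: with intrazone allow, any spoke in the zone can reach any other spoke without a matching policy line, so it suits a flat hub-and-spoke where every site is meant to see every other site. Where only some pairs should talk, option 1 keeps that control visible in the policy table.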
