waaalex
New Contributor III

[SOLVED] IPSEC VPN and Internet Access (hub n spokes)

Hello,

We have a hub and spoke architecture.

Each spoke (3) can ping the others' networks (NAT disabled). When NAT is enabled on the spoke-zone-to-spoke-zone policies, the spokes can't ping each other.

At this time, Internet access on the spoke sites passes through their own Internet connection (WAN interface on each spoke).

We want to pass Internet access through the HUB to manage all Internet policies from the HUB.

 

Is it possible? 

Thanks.

Regards.

Waaalex.


1 Solution
boneyard
Valued Contributor

yes, that is possible.

some things to consider.

you need to set your default route to the VPN. but don't forget to put a static route to the VPN IP of the hub via the ISP gateway, else you lose your connection.

your phase2 will have to contain 0.0.0.0/0 as destination, as you will have to encrypt all addresses.


waaalex
New Contributor III

Thank you.

I will test this solution on 10/09/2020.

I will mark it as the answer at that time.

ede_pfau
Esteemed Contributor III

Referring to your original post, which address do you NAT to, then? Did you assign IP addresses to both ends of the VPN? It might be that this address range is not "known" on the hub, or that the phase2 selectors or the policies do not allow them across.

For your central Internet setup, NAT is only employed on the hub in the outbound policy. No NAT on any spoke.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
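The two answers above amount to four pieces of configuration: on the spoke, a host route keeping the hub's public VPN endpoint on the ISP path plus a default route into the tunnel interface, and a phase2 selector that covers 0.0.0.0/0; on the hub, a route back to the spoke LAN and a single outbound policy that does the NAT. The following FortiOS CLI is an added example written for this thread; it is not the poster's configuration, Fortinet documentation, or anything attached to the thread. Every name and address in it is an assumed placeholder: tunnel interfaces "hub-vpn" (spoke side) and "spoke1-vpn" (hub side), LAN interface "internal", WAN interface "wan1", hub public IP 203.0.113.10, spoke ISP gateway 198.51.100.1, spoke LAN 192.168.10.0/24 held in an address object "spoke-lan". It assumes a route-based (interface-mode) tunnel, as the poster says they use.

```fortios
# ===== SPOKE =====
# Static routes. Order matters when applying this on a live box: create the host
# route (edit 1) BEFORE changing the default route, otherwise IKE/ESP packets to the
# hub would themselves be sent into the tunnel and the tunnel collapses.
config router static
    # Host route: hub's public VPN endpoint (assumed 203.0.113.10) via the ISP gateway
    edit 1
        set dst 203.0.113.10 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
    next
    # Default route into the tunnel interface. The old 0.0.0.0/0 via wan1 must be
    # deleted (or given a worse distance) or Internet traffic keeps leaving via wan1.
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "hub-vpn"
    next
end

# Phase 2 selector: destination 0.0.0.0/0 so that packets to Internet addresses
# match the SA and are encrypted instead of being dropped.
config vpn ipsec phase2-interface
    edit "hub-vpn-p2"
        set phase1name "hub-vpn"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Spoke policy: LAN into the tunnel, all destinations, no NAT (NAT only on the hub).
config firewall policy
    edit 10
        set name "lan-to-hub-all"
        set srcintf "internal"
        set dstintf "hub-vpn"
        set srcaddr "spoke-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# ===== HUB =====
# Return route for the spoke LAN through that spoke's tunnel interface.
config router static
    edit 10
        set dst 192.168.10.0 255.255.255.0
        set device "spoke1-vpn"
    next
end

# Mirror of the spoke selector: accept any source on the hub side, spoke LAN on the far side.
config vpn ipsec phase2-interface
    edit "spoke1-vpn-p2"
        set phase1name "spoke1-vpn"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end

# The one place NAT happens: spoke traffic leaving the hub's WAN. This is also where
# all Internet policy (web filter, IPS, logging profiles) for the spokes now lives.
config firewall policy
    edit 20
        set name "spokes-to-internet"
        set srcintf "spoke1-vpn"
        set dstintf "wan1"
        set srcaddr "spoke-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

If the spoke is administered remotely over its WAN address, add a second host route for the administrator's source address via the ISP gateway as well, for the same reason as the hub route: once the default route points into the tunnel, replies to any WAN-side session would otherwise be routed into the VPN. Spoke-to-spoke traffic also follows the default route to the hub under this design, so the hub needs a tunnel-to-tunnel policy (without NAT) for it.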
waaalex
New Contributor III

I do not use NAT for hub and spoke.

Did I assign IP addresses? I don't understand; each Forti has an IP address, but for the zones, no IP addresses.

Like this (image in attachment).

"For your central internet setup, NAT is only employed on the hub in the outbound policy. No NAT on any spoke."

Ok thanks.

boneyard
Valued Contributor

so what exactly is the problem now? because as mentioned NAT is not needed between the spokes.

waaalex
New Contributor III

The problem is that I can't browse the Internet from a spoke through the hub.

I will test your first answer on 9 October. I can't do it now:

"you need to set your default route to the VPN. but don't forget to put a static route to the VPN IP of the hub via the ISP gateway, else you lose your connection. your phase2 will have to contain 0.0.0.0/0 as destination, as you will have to encrypt all addresses."

Thanks, I will tag this post as answered or will let you know if it does not work.

Many thanks.

waaalex
New Contributor III

Hello, I'm back on site.

When I put the default route through the VPN, it does not work.

I can't put 0.0.0.0-0.0.0.0 on phase 2 either.

Can you make me a schema for better understanding?

I can attach my configurations if you want.

Regards.

boneyard
Valued Contributor

it helps if you show what you tried and why it didn't work: an error, an observation, ... it is difficult to say anything about a setup with several places for configuration like this just from hearing that it doesn't work.

your current configuration can be useful to start from, but if you really want in-person, step-by-step support, then Fortinet support is probably a quicker route.

waaalex
New Contributor III

Hello,

Here's a schema of what I want.

(I've contacted support, but they sent me documentation that I've already used and that doesn't talk about Internet browsing.)

Actually, my spokes can talk to each other and can reach the hub.

Internet browsing passes through these spokes.

I want to pass Internet traffic through the hub (blue line in the schema).

 

My IPsec hub and spoke is route based.

Here are my configs.

If I change the default route on the spoke, I can't reach the hub and I lose contact with the spoke.

You told me: "but don't forget to put a static route to the VPN IP of the hub via the ISP gateway, else you lose your connection".

Do I have to put a static route ON the HUB to the ISP gateway of the SPOKE?

You also said: "your phase2 will have to contain 0.0.0.0/0 as destination, as you will have to encrypt all addresses."

Is this on phase 2 of the SPOKE IPsec?

Another question: can a policy route help?

 

Thank you very much.

Regards.
