Support Forum
FTGmaster
New Contributor

VPN Behind VPN

Hi, I need to monitor from my HQ some devices behind a VPN IPsec tunnel established from my customer's HQ to his branch office. A little schema:

[My HQ [110C] static IP] < VPN IPsec dial-up < [Customer HQ [100D] static IP] < VPN IPsec dial-up < [Customer Br Off [40C]]

Can't find a solution. Maybe I can configure directly a VPN from the Branch Office to my HQ.

FCNSA - FCNSP Certified FortiGate 20D - 30B - 40C - 50B - 60B - 60C - 80C - 100D - 110C FortiAnalyzer 100C FortiAP 220B HA
emnoc
Esteemed Contributor III

The latter that you're proposing would be the better solution. We are assuming the branch device is connected to the internet?

PCNSE 

NSE 

StrongSwan  
FTGmaster
New Contributor

Yes of course ;) Now the VPNs are established, it's only a routing problem, to not do a second VPN. I tested the latter of my ideas and it's OK. I need the first.

FCNSA - FCNSP Certified FortiGate 20D - 30B - 40C - 50B - 60B - 60C - 80C - 100D - 110C FortiAnalyzer 100C FortiAP 220B HA
FTGmaster
New Contributor

Maybe FortiOS 5 is a bit young; the only way is to do a VPN in tunnel mode, then create the right policies. With the VPN in interface mode there's no way: routes don't work, and a phase 2 VPN with source addr and dst addr like 0.0.0.0/0 doesn't get established...

FCNSA - FCNSP Certified FortiGate 20D - 30B - 40C - 50B - 60B - 60C - 80C - 100D - 110C FortiAnalyzer 100C FortiAP 220B HA
rwpatterson
Valued Contributor III

There should be no reason why choice one cannot be done. I VPN into my home, and from there I can reach any of my clients via the tunnels I have established. This way, I only need to remember (or even have) VPN credentials for one firewall. Basically:
  • Your home firewall needs routes to all the remote networks established (IPSec interface mode)
  • The policies need to be in place on yours and the remote HQ firewalls
  • The correct routing needs to be in place on the remote firewalls
  • The tunnel needs to allow the SSL VPN subnet through it *OR* you use an IP Pool with an address on the already configured network (what I did)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
ede_pfau
Esteemed Contributor III

...and, as I may add, this applies not only to SSL VPN but to IPsec VPN tunnels as well. It's just basic routing. Watch out especially for the routing on the remote side.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
FTGmaster
New Contributor

Yes, but you have FortiOS 4. With FortiOS 5 I can't. We tried with my FortiGate trainer too, and he said that in fact phase 2 doesn't work if you put 0.0.0.0/0 as source addr and dest addr (to have a single phase 2 to the HQ). Maybe I have to create a single phase 2 for each VPN to each remote FGT, passing through the HQ FGT. I'll try.

FCNSA - FCNSP Certified FortiGate 20D - 30B - 40C - 50B - 60B - 60C - 80C - 100D - 110C FortiAnalyzer 100C FortiAP 220B HA
ede_pfau
Esteemed Contributor III

Well, you only need to have a tunnel into HQ, and then you assume the role of a local client. Technically, you do a source NAT with an unused IP address from the HQ LAN. This way, the HQ router cannot distinguish your remote host from any other local HQ host and lets you route into the branch subnets. To do that, configure:
  • an IP pool with just one IP address from the HQ subnet, unused, reserved for you
  • check "NAT", "dynamic" and select this IP pool in the policy 'yourLAN' -> 'HQ'
  • static routes to all branch subnets on your FGT, pointing to the HQ tunnel
And of course this is all much easier in VPN interface mode than in policy mode. And no, there's no reason why this setup should not work in FOS 5. I use it myself for administration of a customer's LAN where I need a local IP address as target for TFTP transmissions (from their switch into my office).

Ede

"Kernel panic: Aiee, killing interrupt handler!"
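The single-address IP pool plus static routes that Ede and rwpatterson describe, written out as FortiOS 5 CLI for the "My HQ" FortiGate. This is an added example, not configuration posted in the thread; every name and address is an assumed placeholder: to_HQ is the IPsec interface-mode tunnel to the customer HQ, internal is my LAN port, 192.168.1.0/24 my LAN, 192.168.100.0/24 the customer HQ LAN, 192.168.100.250 the unused HQ address reserved for me, and 10.10.10.0/24 a branch subnet reached through HQ.

```fortios
# Added example, not from the thread. FortiOS 5.x CLI on the "My HQ" FGT.
# Assumed placeholders: to_HQ = IPsec interface-mode tunnel to customer HQ,
# internal = my LAN port, 192.168.100.250 = unused HQ LAN address reserved
# for me, 10.10.10.0/24 = customer branch subnet that sits behind HQ.

# 1. IP pool holding the single reserved HQ LAN address
config firewall ippool
    edit "HQ-LAN-single-ip"
        set type overload
        set startip 192.168.100.250
        set endip 192.168.100.250
    next
end

# 2. Address object for my own LAN (source of the monitoring traffic)
config firewall address
    edit "myLAN"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# 3. Static routes: the HQ LAN and every branch subnet go into the HQ tunnel
config router static
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set device "to_HQ"
    next
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "to_HQ"
    next
end

# 4. Policy myLAN -> HQ tunnel with NAT to the pool, so the HQ FGT sees my
#    monitoring host as 192.168.100.250, i.e. as one of its own LAN hosts
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to_HQ"
        set srcaddr "myLAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "HQ-LAN-single-ip"
    next
end
```

The phase 2 selectors of the dial-up tunnel at the customer HQ must still cover the pool address, and the HQ FortiGate still needs a policy from its dial-up tunnel interface to the branch tunnel with routes for the branch subnets; the NAT only makes that traffic look like it originates on the HQ LAN.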
buffalo
New Contributor

Dear all, this is my first post in the forum. I have a very similar scenario to FTGmaster's case, except my home router is a Mikrotik RouterOS device. In RouterOS, only policy IPSEC is possible, so I cannot use interface mode IPSEC. I have successfully established a VPN link between home and HQ, and I can ping any device on the HQ LAN side. However, I cannot ping any devices in site a, b or c in FTGmaster's diagram. I think it is a routing problem, but I am a newbie to VPN and I have spent days trying to make it work. Is there any way to achieve the same result with policy-based IPSEC? Or do I have to replace my Mikrotik router with another FortiGate? Thank you guys in advance. Any help is appreciated.

FGT-60C
rwpatterson
Valued Contributor III

Welcome to the forums. You really shouldn't hijack another post, but yes, these 2 are similar. If you create an IP pool on the FGT and assign it an unused IP address from the LAN, you should be good to go. Same concept as described above by ede_pfau.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com