I have Fortinet 30e with 1 WAN interface.
I have 2 x site-to-site VPN tunnels, say VPNA 10.87.125.0 and VPNB 172.16.14.0
Internal LAN is say 10.3.4.0
I want to have traffic coming into VPNA to route out to VPNB and VPNB to route to VPNA
What is the best way to do this?
Create VLAN 10.3.5.0, do a VIP for each VPN and then do a static route?
See picture for drawing
It's called a "hub and spoke" setup. Try following the document below.
I looked at this last night but was worried because all the spokes in the doc are on the same subnet (10.1.0.0/16), which is not the case in my example. Also, I have no control over the spoke routers other than to advise the downstream staff to add routing.
Can it be as simple as adding an IP pool (with either NAT pool or PAT) on the WAN router, and then creating a policy that picks up anything from VLANB and routes it to VLANA?
Thanks for your help
No. They are all /24s and completely different subnets; they just happen to have the same 10.1 for the first 16 bits.
You have to make the change on the spoke side. Otherwise, how can the remote-side FGT know where to route the packet to if the dst IP is on the other remote side? It wouldn't break anything since it currently doesn't route at all anyway. Nothing to lose.
What phase 2 selectors are you using on your VPN Tunnels?
If they are local address 0.0.0.0/0 and remote address 0.0.0.0/0 you can achieve your goal pretty easily. No NATting needed.
Create two firewall policies on your 30e -or- put the VPN tunnels in the same zone:
- VPN Tunnel A to VPN Tunnel B
- VPN Tunnel B to VPN Tunnel A
Add static route on site B:
10.87.125.0/24 to VPNTunnelB
Add static route on site A:
172.16.24.0/24 to VPNTunnelA
If you have more narrowed down phase2 selectors, you'd need to change them or add an additional phase2 selector.
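The "additional phase2 selector" variant of the answer above, written out as FortiOS CLI for the hub. This is an added example, not configuration from any post in this thread. It assumes the two phase1-interface tunnels are named "VPNA" and "VPNB", that the spoke subnets are 10.87.125.0/24 (site A) and 172.16.24.0/24 (site B), and that the hub's existing static routes to each spoke via its tunnel are already in place; the address and phase2 entry names are hypothetical.

```fortios
# Added example, not from the thread. Hub tunnels are assumed to be named
# "VPNA"/"VPNB"; spoke subnets 10.87.125.0/24 (A) and 172.16.24.0/24 (B).
config firewall address
    edit "SITEA_net"
        set subnet 10.87.125.0 255.255.255.0
    next
    edit "SITEB_net"
        set subnet 172.16.24.0 255.255.255.0
    next
end
# Second phase2 selector per tunnel so spoke-to-spoke traffic matches an SA;
# the peer router on each spoke must mirror it with local/remote swapped.
config vpn ipsec phase2-interface
    edit "VPNA-spokeB"
        set phase1name "VPNA"
        set src-subnet 172.16.24.0 255.255.255.0
        set dst-subnet 10.87.125.0 255.255.255.0
    next
    edit "VPNB-spokeA"
        set phase1name "VPNB"
        set src-subnet 10.87.125.0 255.255.255.0
        set dst-subnet 172.16.24.0 255.255.255.0
    next
end
# Tunnel-to-tunnel policies scoped to the two spoke subnets only; NAT stays
# off (the default), "edit 0" takes the next free policy ID.
config firewall policy
    edit 0
        set name "VPNA-to-VPNB"
        set srcintf "VPNA"
        set dstintf "VPNB"
        set srcaddr "SITEA_net"
        set dstaddr "SITEB_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "VPNB-to-VPNA"
        set srcintf "VPNB"
        set dstintf "VPNA"
        set srcaddr "SITEB_net"
        set dstaddr "SITEA_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Each spoke still needs its own static route for the other spoke's subnet pointing at its tunnel, and `diagnose vpn tunnel list` on the hub will show the new selectors as separate SAs once the peers match them.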
Oh, this is interesting. So in Phase2, instead of specifying the local and remote addresses, I can just use 0.0.0.0/0, which will make PH2 generic when having a dialup user set in PH1?
I have address names set up for the local and remote networks for each VPN, but when I try to set up a Zone | interface members, all I see is a VLAN I created or guestwifi. Why?
Thanks everyone for your help
If phase2 selectors are set to 0.0.0.0/0.0.0.0 then all you need is two policies: one that allows traffic from VPNA to B and one vice versa. Since they are on the same FGT you don't even need to add routes - they're already there.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Everyone, thanks for your help.
Several things here: For PH2 tunnels, the tunnels will not connect if I have them set to 0.0.0.0/0 for remote and local address on the FGT. So I have 2 x separate tunnels, each with a different PSK and local and remote addresses hard coded, so to speak. The tunnels work & I can ping my internal devices.
I created 2 x FW policies, one for each tunnel to reach internal devices (10.3.4.0), e.g.:
VPNA --> Internal, Internal --> VPNA
VPNB --> Internal, Internal --> VPNB
This works as expected.
Now for routing between VPNA and VPNB: on the FGT (10.3.4.0) I created 1 x FW policy:
VPNA --> VPNB, VPNB --> VPNA
On the remote routers I created a static route:
10.87.125.0 --> next hop gw
172.16.24.0 --> next hop gw
When I do a tracert from 10.87.125.11 to 172.16.24.100, the request always goes out to the internet & not through the tunnel, no matter what IP I use as my next hop. I tried the external IP for each VPN, the next hop of the router i.e. the def gw, nothing seems to work. The two remote routers are not FGT devices.
So I'm lost on how to get this piece working.
Tips
You need phase2 set for 0.0.0.0/0 on all hub and spoke sides.
If you enable a routing protocol and assign a /30 or /31, your routes would be in place.
e.g.
HUB to SITEA
192.0.2.1/31---192.0.2.2/31
HUB-to-SITEB
192.0.2.3/31---192.0.2.4/31
config router rip
    config neighbor
        edit 1
            set ip x.x.x.x
        next
        edit 2
            set ip y.y.y.y
        next
    end
end
from the CLI on all FortiGates where you have the /31 located.
Ken Felix
PCNSE
NSE
StrongSwan