New Contributor

Traffic from one VPN to another

Hi, I have a FortiGate 200D on which two other VPNs arrive, and the two remote VPNs need to communicate. On each Phase 2 I declared the addresses from the remote sites, and I made a policy rule to authorize VPN1 to VPN2 (and the reverse) on the FortiGate 200D...

I tried to debug but I can't find any solution...

Esteemed Contributor III

For spoke-to-spoke, you need to take care of 1) phase 2 selectors, 2) routing, and 3) policies at all three parties: hub, spoke1, and spoke2. Perhaps the spokes don't have a route into the tunnel to get to the other spoke.

To debug at the hub (200D), you need to disable ASIC offloading on the policies in the CLI (set auto-asic-offload disable). Then you can run the sniffer and/or flow debugging.
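As an added example (not from the thread), this is what the three items above look like on the hub in FortiOS CLI, followed by the offload-disable and debug commands mentioned. Names and subnets are constructed: tunnel interfaces `toSpoke1`/`toSpoke2`, spoke LANs 10.1.0.0/24 and 10.2.0.0/24, and address objects `Spoke1-LAN`/`Spoke2-LAN` assumed to already exist for those subnets.

```fortios
# Constructed hub-side (FortiGate 200D) example; names and subnets are assumptions.
# Tunnels "toSpoke1"/"toSpoke2", spoke LANs 10.1.0.0/24 and 10.2.0.0/24,
# address objects "Spoke1-LAN"/"Spoke2-LAN" already defined for those subnets.
# 1) Phase 2 selectors: each tunnel must also carry the other spoke's LAN.
#    Each spoke must mirror its pair with src/dst swapped, or phase 2 never matches.
config vpn ipsec phase2-interface
    edit "toSpoke1-spoke2lan"
        set phase1name "toSpoke1"
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
    edit "toSpoke2-spoke1lan"
        set phase1name "toSpoke2"
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
# 2) Routing: each spoke LAN goes into its own tunnel interface.
config router static
    edit 0
        set dst 10.1.0.0 255.255.255.0
        set device "toSpoke1"
    next
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "toSpoke2"
    next
end
# 3) Tunnel-to-tunnel policy; clone-reverse it for Spoke2-to-Spoke1 (swap
#    srcintf/dstintf and srcaddr/dstaddr). Narrow "ALL" to needed services in production.
config firewall policy
    edit 0
        set name "Spoke1-to-Spoke2"
        set srcintf "toSpoke1"
        set dstintf "toSpoke2"
        set srcaddr "Spoke1-LAN"
        set dstaddr "Spoke2-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set auto-asic-offload disable
    next
end
# Debugging at the hub once offloading is off (example hosts 10.1.0.10 and 10.2.0.10).
# Re-enable auto-asic-offload when done.
diagnose sniffer packet any 'host 10.1.0.10 and host 10.2.0.10' 4
diagnose debug flow filter addr 10.2.0.10
diagnose debug flow trace start 10
diagnose debug enable
```

If the sniffer shows packets entering from toSpoke1 but nothing leaving on toSpoke2, check the route and policy; if nothing arrives at all, the spoke's own selectors or route are the problem.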




As I have understood it, you have two sites which are connected via IPsec tunnels to your 200D FGT, and you want site A to communicate with site B via the 200D FGT, right?

If so, it is very simple: you can create an IP pool on the 200D by using a free, available IP on your LAN as the external IP, with type overload. Then create an IPv4 policy from remote LAN A to remote LAN B and, under the NAT option, select the IP pool you have just created; then clone-reverse the policy. Traffic can then propagate between both sites.
