Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Traffic from one VPN to another

Hi, I have a FortiGate 200D on which two other VPNs arrive, and I want the two remote VPNs to communicate. On each Phase 2 I declared the addresses from the remote sites. And I made a policy rule to authorize VPN1 to VPN2 (and the reverse) on the FortiGate 200D...

I tried to debug but I can't find any solution...


For spoke-to-spoke, you need to take care of 1) phase 2 selectors, 2) routing, and 3) policies at all three parties: hub, spoke1, and spoke2. Perhaps the spokes don't have a route into the tunnel to get to the other spoke.

To debug at the hub (200D), you need to disable asic offloading on the policies in CLI (set auto-asic-offload disable).  Then you can run sniffer and/or flow debugging.




As I understand it, you have two sites which are connected via IPsec tunnels to your 200D FGT, and you want site A to communicate with site B via the 200D FGT, right?

If so, it is very simple: you can create an IP pool on the 200D by using a free available IP on your LAN as the external IP, with type overload. Then create an IPv4 policy for remote LAN A to remote LAN B and, under the NAT option, select the IP pool you have just created; then clone-reverse the policy. Traffic can then propagate between both sites.

