Routing between dial-up IPsec tunnels

londonnet · ‎02-12-2024

I have a central site (A) with a static IP and many other sites (B, C and D) that create dialup IPsec tunnels back to site (A)

Subnets at site (A) can reach subnets at sites (B, C and D) and sites (B, C and D) can reach subnets at site (A)

But I have not seen a config or a topic which would allow sites (B, C and D) to learn they can reach each other via site (A)

Static routes and policies would be a good start. Does anyone have a recipe to allow traffic to to route from Site (B) to Site (C) via Site (A)?

In an ideal world it would be great to have a vpn direct between site (B) and Site (C) but as both are on dynamic addresses this would introduce the use of a dynamic DNS service which I would like to avoid

It would be a great feature if site (A) would be able to act as a dynamic DNS

Toshi_Esumi · ‎02-12-2024

If you seach this forum with "hub and spoke" you would find many discussions exactly the same with your situation.
But it's relatively simple. You need to take care of three things always with IPsec tunnel networks.
1. routing
2. policy
3. phase2 network selector.
at all nodes (FGTs).

For example at FGT-B location, If you want let them connect to like FGT-C location,
1. FGT-B needs to have a route to FGT-C's lan subnet toward the IPSec tunnel to FGT-A as well.
2. The pair of policies to/from the tunnel from/to the lan at FGT-B needs to allow/include the FGT-C's lan subnet(s) not only FGT-A's subnets.
3. Phase2 network selectors between FGT-B and FGT-A needs to include FGT-C's subnet(s).

And you have to do this at all spoke FGTs, at that same time FGT-A's network selectors are matching the changes.

Toshi

View solution in original post

AEK · ‎02-12-2024

I think you are looking for ADVPN.

https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/985659/advpn-and-shortcut-pa...

AEK

Toshi_Esumi · ‎02-12-2024

If you seach this forum with "hub and spoke" you would find many discussions exactly the same with your situation.
But it's relatively simple. You need to take care of three things always with IPsec tunnel networks.
1. routing
2. policy
3. phase2 network selector.
at all nodes (FGTs).

For example at FGT-B location, If you want let them connect to like FGT-C location,
1. FGT-B needs to have a route to FGT-C's lan subnet toward the IPSec tunnel to FGT-A as well.
2. The pair of policies to/from the tunnel from/to the lan at FGT-B needs to allow/include the FGT-C's lan subnet(s) not only FGT-A's subnets.
3. Phase2 network selectors between FGT-B and FGT-A needs to include FGT-C's subnet(s).

And you have to do this at all spoke FGTs, at that same time FGT-A's network selectors are matching the changes.

Toshi

londonnet · ‎02-12-2024

I think I had configured nearly all the steps discussed except for updating the phase2. I'll give this a go and report back.

Thanks for the support, apreciated

Toshi_Esumi · ‎02-12-2024

Let us know if it still doesn't work.

Toshi

londonnet · ‎02-13-2024

Below is what I think the answer is but I've not been able to make it work yet

Site B config

Create subnet address for Site C

Add to the address group for Site A's VPN (Phase 2 and the static route to site C via site A will be updated as they use the same group)

Add two ipv4 policies, one for outbound and one for inbound site B to site C and site C to site B

Site A Config

add two policies site B to site C and site C to site B via site A to B and C VPNS

Site C Config

Create subnet address for Site B

Add to the address group for Site A's VPN (Phase 2 and the static route to site B via site A will be updated as they use the same group)

Add two ipv4 policies, one for outbound and one for inbound site B to site C and site C to site B

This feels like all the steps but yet I can't see it working

Toshi_Esumi · ‎02-13-2024

Do you have route toward the tunnel on both B, C sides?

If everything is in place and still doesn't get through, sniff the traffic to find out how far it gets to then run flow debug one hop before.

Toshi

londonnet · ‎02-13-2024

I have a ping running from Site B to Site C and from Site C to Site B

This is what I can see by observing the counters on the policies.

Locally I can see the counters rising for the local interface but noting coming back

On Site A I can see the counters rising for both directions

This means that either data is not leaving site A or both Sites B and C are rejecting incoming data

I've checked the config over a few times now and can't see the error which may mean I am missing a step at Site A or the both sites B and C

I'm not sure how to troubleshoot this. I could do with seeing an activity log or some errors

Toshi_Esumi · ‎02-13-2024

To be sure, you need to run sniffer at Site A:
diag sniffer packet <tunnel-to-B-int> 'host <ping-destination>' 4 0 l (letter 'l' as in local)

and then

diag sniffer packet <tunnel-to-C-int> 'host <ping-destination>' 4 0 l

But you likely need to disable ASIC offloading at a set of policies between <tunnel-to-B-int> and <tunnel-to-C-int>

config firewall policy

edit x

set auto-asic-offload disable

end
(just don't forget to "enable" it again once debug is done. It would affect to the performance)

Sniffer works at CPU level. So if it's offloaded to NPU, they won't show up in the sniffing.

Toshi

londonnet · ‎02-14-2024

I think I am missing a step at Site A.

Currently, I have only created an in and an out policy for Site B to C and from C to B

Apart from creating the two extra policies is there anything else to create at Site A?

Site A will already have working VPN's from Site A to B and from Site A to C

I assume none of the phase2 configs will need to be adjusted here

Thanks