- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Hub and Spoke - I don´t get it
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hub and Spoke - I don´t get it
Hi everybody,
I have big problems in understanding hub and spoke VPN.
The Hub i a FGT 60C with OS 5.2 Patch 11
The Spokes are two third-party Routers (AVM Fritzbox 4020, german manufacturer) as dialup-IPSEC-connections
What i have is:
two route-based IPSEC-Tunnels from the Fortigate to those two routers.
I can ping from the Network behind the hub to the Network behind each spoke and from each Network behind the spoke the the Network behind the hub
so far, so good but i am unable to get a ping from spoke to spoke. What I tried:
- create a Zone containing both spoke ipsec Interfaces and disable "block intra-Zone-traffic"
- create a Zone containing both spoke ipsec Interface, leave "block intra-Zone-traffic" and create a policy from Zone to Zone always all accept, NAT enabled
- create each pair of security policies spoke1 to spoke2 spokelan1 to spokelan2 akways all accept, NAT enbaled
whatever I´m trying, i can´t get this working
When i trace data package from spoke1 lan Client to spoke2 it Ends at the spoke1 router, so i assume the packet is being transfered into the tunnel
Any good advice?
Regards
Andreas Maier
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm also from germany, and I know FritzBoxes ...
Did you set up the route to the other spokes lan to point at the ipsec tunnel in each spoke?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would do the following,
1> cli diag debug flow
2 >monitor the route table for the SRC/DST ( the diag debug flow will show what matched or dropped )
3> check fwpolicy( the diag debug flow would show what's match if any )
4>check the phase2 SA for the spoke1 to hub and spoke2 for the interesting traffic between the SRC/DST
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi together,
yes, i configured the Fritzboxes following that article you mentioned.
Diag debug flow shows me this:
FGT60C-# id=20085 trace_id=5 func=print_pkt_detail line=4479 msg="vd-root received a packet(proto=1, 192.168.124.101:1->192.168.121.11:8) from FritzBox4_0 . code=8, type=0, id=1, seq=13." id=20085 trace_id=5 func=resolve_ip_tuple_fast line=4542 msg="Find an existing s ession, id-0002bf59, original direction" id=20085 trace_id=5 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec inte rface-FritzBox1_0" id=20085 trace_id=5 func=ipsec_common_output4 line=625 msg="No matching IPsec se lector, drop" id=20085 trace_id=6 func=print_pkt_detail line=4479 msg="vd-root received a pack et(proto=1, 192.168.124.101:1->192.168.121.11:8) from FritzBox4_0. code=8, type= 0, id=1, seq=14." id=20085 trace_id=6 func=resolve_ip_tuple_fast line=4542 msg="Find an existing s ession, id-0002bf59, original direction" id=20085 trace_id=6 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec inte rface-FritzBox1_0" id=20085 trace_id=6 func=ipsec_common_output4 line=625 msg="No matching IPsec se lector, drop"
As far as i can see my traffic wants to be routet to the right interface (192.168.121.0 is behind FritzBox1 and 192.168.124.0 is behind Fritzbox4) but then dropped because of "No matching IPsec se lector" but why?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"No matching IPsec selector, drop" is usually a problem with local and remote networks in the ipsec phase 2.
I dont know exactly how this is configured in the FritzBox routers.
You have to set up 0.0.0.0/0 as local and remote in phase2 or create two phase2 rules matching source and target network.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, look your PH2 src/dst subnet over at the fritzbox and match the fgt to the cfg.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Related Posts
- Weird issue with Fortinet 199 Views
- Forticlient Radius Authentication Across IPSEC Tunnel 284 Views
- FortiMangaer and FGT Hub migration issues... 123 Views
- Hub-Spoke With Redundant Tunnels 98 Views
- Multiple Site to Site vs Hub... 163 Views
Labels
-
FortiGate
6,508 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
72 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.