[SOLVED] IPSEC VPN and Internet Access (hub n spokes)

Author
waaalex
Bronze Member
2020/09/18 05:41:42

[SOLVED] IPSEC VPN and Internet Access (hub n spokes)

Hello,
We have a hub n spoke architecture.
Each spoke (3) can ping the others' networks (NAT disabled). When NAT is enabled on the spoke zone to spoke zone policy, the spokes can't ping each other.
 
At this time, Internet access on the spoke sites passes through their own Internet connection (WAN interface on each spoke).
We want to pass Internet access through the HUB to manage all Internet policies from the HUB.
 
Is it possible? 
Thanks.
Regards.
Waaalex.
 
post edited by waaalex - 2020/10/15 01:24:02
#1
boneyard
Gold Member
Re: IPSEC VPN and Internet Access (hub n spokes) 2020/09/20 10:45:01 (Best Answer, marked by waaalex 2020/10/15 01:38:38)
yes, that is possible.
 
some things to consider.
 
you need to set your default route to the VPN. but don't forget to put a static route for the VPN IP of the hub to the ISP gateway, else you lose your connection.
 
your phase2 will have to contain 0.0.0.0/0 as destination, as you will have to encrypt all addresses.
#2
waaalex
Bronze Member
Re: IPSEC VPN and Internet Access (hub n spokes) 2020/09/21 01:26:56
Thank you.
I will test this solution on 10/09/2020.
I will mark it as the answer at that time.
#3
ede_pfau
Expert Member
Re: IPSEC VPN and Internet Access (hub n spokes) 2020/09/21 02:27:12
Referring to your original post, to which address do you NAT then? Did you assign IP addresses to both ends of the VPN? It might be that this address range is not "known" on the hub, or the phase2 selectors or the policies do not allow them across.
 
For your central internet setup, NAT is only employed on the hub in the outbound policy. No NAT on any spoke.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#4
waaalex
Bronze Member
Re: IPSEC VPN and Internet Access (hub n spokes) 2020/09/21 23:50:39
I do not use NAT for hub and spoke.
Did I assign IP addresses? I don't understand. Each Forti has an IP address, but the zones have no IP addresses.
Like this (image in attachment)
"For your central internet setup, NAT is only employed on the hub in the outbound policy. No NAT on any spoke."
Ok thanks.
post edited by waaalex - 2020/09/21 23:51:44

Attached Image(s)

#5
boneyard
Gold Member
Re: IPSEC VPN and Internet Access (hub n spokes) 2020/09/27 01:41:31
so what exactly is the problem now? because as mentioned NAT is not needed between the spokes.
#6
waaalex
Bronze Member
Re: IPSEC VPN and Internet Access (hub n spokes) 2020/09/27 23:51:06
The problem is that I can't browse the Internet from a spoke through the hub.
I will test your first answer on 9 October. I can't do it now:
"you need to set your default route to the VPN. but don't forget to put a static route for the VPN IP of the hub to the ISP gateway, else you lose your connection.
your phase2 will have to contain 0.0.0.0/0 as destination, as you will have to encrypt all addresses."
 
Thanks, I will tag this post as answered or will let you know if it does not work.
Many thanks.
 
#7
waaalex
Bronze Member
Re: IPSEC VPN and Internet Access (hub n spokes) 2020/10/09 02:06:20
Hello, I'm back on site.
When I put the default route through the VPN, it does not work.
I can't put 0.0.0.0-0.0.0.0 on phase 2 either.
Can you make me a schema for a better understanding?
I can attach my configurations if you want.
Regards.
#8
boneyard
Gold Member
Re: IPSEC VPN and Internet Access (hub n spokes) 2020/10/10 00:03:57
it helps if you show what you tried and why it didn't work. an error, an observation, ... it is difficult to say anything about a setup with several places for configuration like this just from hearing that it doesn't work.
 
your current configuration can be useful to start from, but if you really want in-person step-by-step support then fortinet support is probably a quicker route.
#9
waaalex
Bronze Member
Re: IPSEC VPN and Internet Access (hub n spokes) 2020/10/12 01:23:44
Hello,
Here's a schema of what I want.
(I've contacted support but they sent me documentation that I've already used, which doesn't talk about Internet browsing.)
 
Currently, my spokes can talk to each other and can reach the hub.
Internet browsing passes through these spokes.
I want to pass Internet traffic through the hub (blue line in the schema).
 
My IPsec hub and spoke is route based.
Here's my configs.
 
If I change the default route on the spoke, I can't reach the hub and I lose contact with the spoke.
You told me: "but don't forget to put a static route for the VPN IP of the hub to the ISP gateway, else you lose your connection".
Do I have to put a static route ON the HUB to the ISP gateway of the SPOKE?
 
You also said: "your phase2 will have to contain 0.0.0.0/0 as destination, as you will have to encrypt all addresses."
Is this on phase 2 of the SPOKE IPsec?
 
Another question: can a policy route help?
 
Thank you very much.
Regards.
 
 
post edited by waaalex - 2020/10/15 01:36:04

Attached Image(s)

#10
waaalex
Bronze Member
Re: IPSEC VPN and Internet Access (hub n spokes) 2020/10/15 01:28:25
@boneyard
 
Thank you very much, I finally understood what to do:
Summary:
On the HUB:
  - VPN Phase 2: 0.0.0.0/0.0.0.0 local and remote (to adapt if there are several phase 2 entries: 0.0.0.0 for local only)
  - Create a policy ZONE_VPN TO WAN with Internet access allowed (NAT)
ON THE SPOKE:
  - Route to the HUB public address through the SPOKE ISP
  - VPN Phase 2: 0.0.0.0/0.0.0.0 local and remote (to adapt if there are several phase 2 entries: 0.0.0.0 for remote only)
  - Default route to ZONE VPN and a blackhole route (admin distance 254 for the blackhole)
  - Create a policy LAN to ZONE with ALL access
 
We can deny some VLANs as well.
Thank you very much for the help. I'm not a network specialist (much more a system one).
Forti Forever ;)
Regards,
Alex.
post edited by waaalex - 2020/10/16 05:02:50
#11
boneyard
Gold Member
Re: IPSEC VPN and Internet Access (hub n spokes) 2020/10/16 04:44:00
nice, thanks for sharing.
#12