jml
newbie
Topic Author
Posts: 39
Joined: Wed May 15, 2013 3:22 am

VPN Help - Hub and Spoke w/ Aggregate subnet

Tue Oct 22, 2013 7:22 pm

Hi,
I have a Fortigate 60D acting as a VPN concentrator and hub, and I have several sites that I want to be able to talk to each other using IPSec VPNs.

In order to not have to maintain separate VPN tunnels for each, I've set the VPNs up so that the destination selector is an aggregate subnet, 192.168.0.0/16

On each site, I have the VPN set up with its local subnet, so as an example:

0 src-address=192.168.88.0/24 src-port=any dst-address=192.168.0.0/16
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=xxx.xxx.xxx.xxx
sa-dst-address=yyy.yyy.yyy.yyy proposal=default priority=0

etc..

The VPN tunnel comes up fine on the Mikrotik and I can ping across to the other sites.
The problem I'm having is that any device in 192.168.88.x can no longer access the router at 192.168.88.1.
Is there a way to exclude this from going across the VPN (which is what it seems like it is doing)?
I would have thought the Mikrotik would be smart enough to not route its own network across the VPN.

Thanks.

-- James
 
jml
newbie
Topic Author
Posts: 39
Joined: Wed May 15, 2013 3:22 am

Re: VPN Help - Hub and Spoke w/ Aggregate subnet

Tue Oct 22, 2013 7:49 pm

It seems I might need an ipsec policy with action none for the local subnet.
I've used the following, but I am still not having any success:

1 src-address=192.168.88.0/24 src-port=any dst-address=192.168.88.0/24
dst-port=any protocol=all action=none level=use ipsec-protocols=esp
tunnel=yes sa-src-address=xxx.xxx.xxx.xxx sa-dst-address=yyy.yyy.yyy.yyy
proposal=default priority=0
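Added example (not from either post above): a RouterOS 6.x `/ip ipsec policy` configuration for the spoke side that puts the local-LAN bypass policy above the aggregate encrypt policy. RouterOS evaluates IPsec policies top-down and stops at the first match, so a bypass policy listed after a policy whose selector already covers 192.168.88.0/24 (as 192.168.0.0/16 does) is never consulted. The LAN prefix, the `xxx.xxx.xxx.xxx`/`yyy.yyy.yyy.yyy` peer addresses and the `default` proposal are taken from the posted output; everything else is an assumption for illustration.

```routeros
# Added example, not the poster's configuration. Assumes RouterOS 6.x (sa-src-address/
# sa-dst-address style policies) and that the LAN is 192.168.88.0/24.
# Order matters: first match wins, so the bypass MUST be listed before the encrypt policy.

/ip ipsec policy
# 1. Local-to-local traffic (including hosts talking to the router at 192.168.88.1)
#    is exempted from IPsec. action=none means "do not apply IPsec, forward normally".
add src-address=192.168.88.0/24 dst-address=192.168.88.0/24 protocol=all \
    action=none comment="bypass: keep local LAN traffic out of the tunnel"

# 2. Everything else in the aggregate 192.168.0.0/16 goes to the hub.
#    level=require drops matching traffic if no SA is available, instead of
#    leaking it in clear text.
add src-address=192.168.88.0/24 dst-address=192.168.0.0/16 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=xxx.xxx.xxx.xxx sa-dst-address=yyy.yyy.yyy.yyy \
    proposal=default comment="encrypt: aggregate hub-and-spoke selector"

# If the bypass policy was created after the encrypt policy (as in the second post,
# where it shows up as index 1), move it to the top of the list instead of re-adding it:
move [find action=none dst-address=192.168.88.0/24] 0

# Check: the none policy must be listed first, and a LAN host pinging 192.168.88.1
# should now be reachable again while pings to other spokes still hit the encrypt policy.
print
```

With the bypass above the encrypt policy, a packet from 192.168.88.10 to 192.168.88.1 matches policy 0 (`action=none`) and is handled by normal routing, while a packet to another spoke, say 192.168.89.x, falls through to the `/16` encrypt policy. The same ordering point applies on the hub: any more specific exemption has to sit above the aggregate selector that would otherwise swallow it.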
