I have a Fortigate 60D acting as a VPN concentrator and hub, and I have several sites that I want to be able to talk to each other using IPSec VPNs.
In order to not have to maintain separate VPN tunnels for each, I've set the VPNs up so that the destination selector is an aggregate subnet, 192.168.0.0/16.
On each site, I have the VPN set up with its local subnet, so as an example:
0 src-address=192.168.88.0/24 src-port=any dst-address=192.168.0.0/16
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=xxx.xxx.xxx.xxx
sa-dst-address=yyy.yyy.yyy.yyy proposal=default priority=0
The VPN tunnel comes up fine on the Mikrotik and I can ping across to the other sites.
The problem I'm having is that any device in 192.168.88.x can no longer access the router at 192.168.88.1.
Is there a way to exclude this from going across the VPN (which is what it seems like it is doing)?
I would have thought the Mikrotik would be smart enough to not route its own network across the VPN.
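A simplified model of the policy selection described in the question, added here as an illustration and not part of the original post or of RouterOS itself: it assumes top-down first-match policy evaluation as a RouterOS policy list does, and models the exclusion as an action=none policy for local-to-local traffic placed above the encrypt policy. The remote site 192.168.20.0/24 and the host addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: str     # src-address selector
    dst: str     # dst-address selector
    action: str  # "encrypt" or "none", as in /ip ipsec policy

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def evaluate(policies, src_ip, dst_ip):
    """Return the action of the first matching policy (assumed first-match,
    top-down evaluation); no match means the packet is routed in the clear."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip):
            return policy.action
    return "none"


# The policy from the post: the whole 192.168.0.0/16 aggregate is encrypted,
# which also covers the site's own 192.168.88.0/24 (including the router at .1).
AS_POSTED = [Policy("192.168.88.0/24", "192.168.0.0/16", "encrypt")]

# Assumed fix: a more specific action=none policy for local-to-local traffic,
# listed ABOVE the encrypt policy so it is matched first.
WITH_EXCEPTION = [Policy("192.168.88.0/24", "192.168.88.0/24", "none")] + AS_POSTED

# Constructed sample flows from a LAN host.
SAMPLE = [
    ("192.168.88.10", "192.168.88.1"),   # LAN host to the router's LAN address
    ("192.168.88.10", "192.168.20.5"),   # LAN host to a constructed remote site
    ("192.168.88.10", "203.0.113.9"),    # internet-bound, outside any selector
]


def classify(policies, pairs):
    """Map each (src, dst) pair to the action the policy list would apply."""
    return {pair: evaluate(policies, *pair) for pair in pairs}


if __name__ == "__main__":
    for name, policies in (("as posted", AS_POSTED), ("with exception", WITH_EXCEPTION)):
        print(name)
        for (src, dst), action in classify(policies, SAMPLE).items():
            print(f"  {src} -> {dst}: {action}")
```

Reversing the order of the two policies puts the /16 encrypt policy first again, so the exception never matches; the order check is what to look at if the exclusion appears not to work.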