Netgate Discussion Forum

    IPSec Hub and Spoke Topology

skacem (last edited by skacem)

      Hello


We tried to configure an IPsec hub-and-spoke topology, with a FortiGate as the Hub and pfSense as the Spokes.


The Hub contains a single tunnel, so it is point-to-multipoint.
We configured the tunnel interface IP as 10.1.1.1 and the peer IP as 10.1.1.254/24.
Fortinet calls the IP network of the tunnel interfaces the Overlay, and recommends using as the Hub's peer address the last address of the network that is not assigned to a Spoke, with the correct Overlay network mask.


On the pfSense Spoke side, we used route-based IPsec (VTI):
Spoke1
Local Tunnel IP: 10.1.1.2
Remote Tunnel IP: 10.1.1.1
Spoke2
Local Tunnel IP: 10.1.1.3
Remote Tunnel IP: 10.1.1.1


Then the 2 tunnels came up normally:
Spoke1 <--> Hub is up (Phase 1 and Phase 2)
Spoke2 <--> Hub is up (Phase 1 and Phase 2)
Routing and rules are correctly configured.


Problem:
Spokes traffic (Spoke1 & Spoke2) --> Hub is OK
Hub traffic --> Spokes (Spoke1 & Spoke2) is NOT OK


After a thorough diagnosis: the traffic (Spokes --> Hub) works because the Spokes know the IP address of the other end of the tunnel; Spoke1 and Spoke2 know that IP 10.1.1.1 is their next hop.
But for the Hub, after the tunnels have been set up, it cannot find out that the next hop of the tunnel with Spoke1 is 10.1.1.2 and that the next hop of the tunnel with Spoke2 is 10.1.1.3.


Fortinet requires the following command to be added to Phase 1 on both sides of the tunnel, Hub and Spokes:
"set exchange-interface-ip enable"
Fortinet's definition of this command is:
"The exchange-interface-ip option is enabled to allow the exchange of IPsec interface IP addresses. This allows a point to multipoint connection to the hub FortiGate."


So, since the Spokes don't send their IPsec tunnel IP addresses, the Hub can't associate a next hop with each tunnel, and so the traffic (Hub --> Spokes) doesn't work.


Is there an equivalent to "set exchange-interface-ip enable" on pfSense, so that the pfSense Spoke sends its tunnel IP address to the FortiGate Hub when the IPsec tunnel is established?


      Thanks

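The next-hop problem described in the post, as an added example that is not code from the post, from pfSense or from Fortinet: a small Python model of how a hub with one point-to-multipoint VTI (one child SA per spoke) decides which SA carries a packet, versus a spoke whose VTI is point-to-point. The tunnel addresses are the ones from the post; the spoke LAN prefixes, the WAN addresses of the peers and the hub LAN are constructed. The model assumes generic IPsec behaviour: on a multipoint interface a gateway can only be tied to an SA if that SA announced its tunnel IP (what the exchange-interface-ip option provides), and otherwise the Phase 2 traffic selectors are the only thing that can tell the SAs apart.

```python
"""Model of hub -> spoke next-hop resolution on a multipoint IPsec VTI.

Added example, not code from the forum post, pfSense or Fortinet.
Tunnel IPs (10.1.1.1/.2/.3) come from the post; the LAN prefixes,
peer WAN addresses and device names are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

ANY = ip_network("0.0.0.0/0")               # typical VTI selector: 0/0 <-> 0/0
SPOKE1_LAN = ip_network("192.168.1.0/24")   # constructed
SPOKE2_LAN = ip_network("192.168.2.0/24")   # constructed
HUB_LAN = ip_network("10.0.0.0/24")         # constructed


@dataclass
class ChildSA:
    peer: str                                 # IKE peer WAN address (constructed)
    local_ts: IPv4Network                     # Phase 2 traffic selectors
    remote_ts: IPv4Network
    tunnel_ip: Optional[IPv4Address] = None   # peer's VTI address, only if announced


@dataclass
class Route:
    prefix: IPv4Network
    device: str
    gateway: Optional[IPv4Address] = None


@dataclass
class Router:
    routes: List[Route] = field(default_factory=list)
    sas: Dict[str, List[ChildSA]] = field(default_factory=dict)  # device -> child SAs

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match, as the FIB would do it."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def select_sa(self, dst: IPv4Address) -> Optional[ChildSA]:
        """Return the child SA that would carry a packet for dst, or None."""
        route = self.lookup(dst)
        if route is None or route.device not in self.sas:
            return None
        sas = self.sas[route.device]
        # Point-to-point VTI (the spoke side): a single peer, nothing to resolve.
        if len(sas) == 1:
            return sas[0]
        # Multipoint VTI (the hub side): the gateway only maps to an SA if
        # that SA announced its tunnel IP when the tunnel came up.
        if route.gateway is not None:
            for sa in sas:
                if sa.tunnel_ip == route.gateway:
                    return sa
        # Otherwise only the Phase 2 selectors can pick the SA; with 0/0 on
        # every spoke they all match and the choice is ambiguous.
        candidates = [sa for sa in sas if dst in sa.remote_ts]
        return candidates[0] if len(candidates) == 1 else None


def build_hub(announce_tunnel_ip: bool, selectors_per_spoke: bool = False) -> Router:
    """Hub with one multipoint VTI ('ipsec-hub') and one child SA per spoke."""
    ts1 = SPOKE1_LAN if selectors_per_spoke else ANY
    ts2 = SPOKE2_LAN if selectors_per_spoke else ANY
    sa1 = ChildSA("203.0.113.10", ANY, ts1, ip_address("10.1.1.2") if announce_tunnel_ip else None)
    sa2 = ChildSA("203.0.113.20", ANY, ts2, ip_address("10.1.1.3") if announce_tunnel_ip else None)
    hub = Router(sas={"ipsec-hub": [sa1, sa2]})
    # Static routes on the hub, next hop = the spoke's tunnel IP from the post.
    hub.routes.append(Route(SPOKE1_LAN, "ipsec-hub", ip_address("10.1.1.2")))
    hub.routes.append(Route(SPOKE2_LAN, "ipsec-hub", ip_address("10.1.1.3")))
    return hub


def build_spoke() -> Router:
    """Spoke with a point-to-point VTI ('ipsec1') and a single SA to the hub."""
    sa = ChildSA("198.51.100.1", ANY, ANY, ip_address("10.1.1.1"))
    spoke = Router(sas={"ipsec1": [sa]})
    spoke.routes.append(Route(HUB_LAN, "ipsec1", ip_address("10.1.1.1")))
    return spoke


def hub_to_spoke_peer(hub: Router, dst: str) -> Optional[str]:
    """WAN peer the hub would send a packet for dst to, or None if unresolved."""
    sa = hub.select_sa(ip_address(dst))
    return sa.peer if sa else None


def spoke_to_hub_peer(dst: str) -> Optional[str]:
    sa = build_spoke().select_sa(ip_address(dst))
    return sa.peer if sa else None


if __name__ == "__main__":
    for label, hub in (("no tunnel-IP exchange, 0/0 selectors", build_hub(False)),
                       ("tunnel-IP exchange, 0/0 selectors", build_hub(True)),
                       ("no tunnel-IP exchange, per-spoke selectors", build_hub(False, True))):
        print(f"{label}: spoke1 via {hub_to_spoke_peer(hub, '192.168.1.10')}, "
              f"spoke2 via {hub_to_spoke_peer(hub, '192.168.2.10')}")
    print("spoke -> hub:", spoke_to_hub_peer("10.0.0.1"))
```

The first scenario is the one in the post: the hub's static route names 10.1.1.2 as the gateway, but no SA is known to own that address and both SAs carry 0/0 selectors, so the packet has no usable SA while the spoke, with one SA on its interface, always resolves. The other two scenarios show what changes the outcome in the model: an announced tunnel IP ties the gateway to an SA, and per-spoke Phase 2 selectors make the SAs distinguishable without it.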
OhYeah 0

        On the Fortinet router make sure you have the necessary firewall policies and the source/destinations for each policy are set up correctly.

        Please also reference my post on this thread: https://forum.netgate.com/post/1169622

The correct way to set up a hub/spoke topology in a multi-platform setting would be to use 0.0.0.0/0 routing via IPsec interfaces. However, this was broken in 24.03 and I'm afraid it will be broken in 2.8.0 CE as well, despite this functionality being there for years and working flawlessly.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.