Phase 2 Entries for IPSec Multi-Site Hub and Spoke

bkhiatt

I'm sorry I'm sure this is a frequent question, but I have been searching and can't seem to find the answer.
I'm new at all this and IPSec isn't my thing so to speak. There's got to be something basic I'm missing but for the life of me I can't see it.

I have 3 sites. A, Hub, and B.
I have IPSec working from A to Hub and B to Hub.
I can't get IPSec working from A to B through the Hub.
I've added the additional Phase 2 entries for this based on all the forum posts and documentation I can find, but its not working (routed IPSec isn't an option for me right now either).

Hub has a fixed WAN address, Spoke A and Spoke B have DHCP/Dynamic WAN addresses.
Hub:

• WAN=Fixed
• LAN=192.168.23.0/24
• IPSec to Spoke A
• P1: Fixed to 0.0.0.0 <--Works
• P2: 192.168.23.0/24 to 192.168.75.0/24 <--Works
• P2: 192.168.10.0/24 to 192.168.75.0/24 <--Not working
• IPSec to Spoke B
• P1: Fixed to 0.0.0.0 <--Works
• P2: 192.168.23.0/24 to 192.168.10.0/24 <--Works
• P2: 192.168.75.0/24 to 192.168.10.0/24 <--Not working

Spoke A:

• WAN=DHCP
• LAN=192.168.75.0/24
• IPSec to Hub
• P1: 0.0.0.0 to Fixed <--Works
• P2: 192.168.75.0/24 to 192.168.23.0/24 <--Works
• P2: 192.168.75.0/24 to 192.168.10.0/24 <--Not working

Spoke B:

• WAN=DHCP
• LAN=192.168.10.2/24
• IPSec
• P1: 0.0.0.0 to Fixed <<--Works
• P2: 192.168.10.0/24 to 192.168.23.0/24 <--Works
• P2: 192.168.10.0/24 to 192.168.75.0/24 <--Not working

Since its worth 1000 words, I've also attached a picture.

The firewall rules for IPSec are set to any/any for all 3 firewalls. But since the P2 links aren't going active I'm not sure I have a firewall problem (but who knows).
All 3 firewalls are SG-3100's running 24.03

I found the logs, but I can't make sense of them.
Can anyone see what I am doing wrong here?

All help appreciated and thanks in advance!
--Brian

viragomann

@bkhiatt
Are all phase 2 shown up as connected in Status > IPSec?

Please post Status > IPsec > SPDs of all three sites.