PfSense 2.2.4 to Fortigate 200D



  • Good day,

    actually, I have a Fortigate 100D (at home), connected to a 200D (at work).

    As attached, the setting of each Ipsec tunnel.

    My problem reside with the part in yellow.

    On the Fortigate, the local address and Remote are 0.0.0.0/0.0.0.0

    I have OSPF over that because my main site where I connect is the main hub for 8 others tunnels.

    But.. on pfSense, I can't set the local and remote as 0.0.0.0/0.0.0.0.

    so what can i do ?

    Thanks





  • That's route-based IPsec rather than policy based. We don't have support at this time for that type of setup. Fortigate's implementation there often isn't interoperable with third party devices.



  • Ok

    I can recreate the policy as a policy based.. but will I be able to use or do a rule so I can access all the sites connected to the main one?



  • Sure, as long as you have matching P2s for them all.



  • So,

    my main site (200d) have 192.168.4.x and 172.16.1.x.. So I will create P2 for them..

    All the other sites, that are connected to that "hub", are 192.168.2.x 3.x…

    So I create P2 for all of them, under my p1 connection to the main one ?



  • Correct, yeah.



  • Good day,

    so, it should look like I did ?

    Thanks




  • Yes, looks correct.



  • Thanks
    I will do the same on the 200D tonight (the reverse)

    i will then try and let you know

    thanks



  • Hi,

    It worked. I'm now able to reach all my work lan, and from any site i'm able to reach my lan..

    But.. there is one thing.. and I think it's pfsense that block it.

    From any router inside my work lan, i cannot reach any of the ip's on my home lan (10.35.1.x) which is my pfsense box.

    I'm trying to figure out.. it seem pfsense block that.. but how can i find it?

    But, from pfsense, i can ping/reach any router/ip's anywhere.

    Any idea?








  • Also.. from home, I can RDP anywhere..

    BUT, from work, i can't RDP to my home computer.. I'm getting conection error..



  • You're not blocking anything, assuming it's sourced from one of the listed networks and destined to your LAN subnet. Probably host firewall on your Windows machine, assuming the traffic is being let out from the work side of the VPN.



  • Ithere is no firewall on the host..

    If i put back my original fortigate it word



  • Packet capture on the IPsec interface, is it getting there? If so, switch to LAN, it getting there?