On 3/20/06, Tim Cary <TDC at yesinc dot com> wrote:
> Hello-
>
> I need to define an additional firewall encryption policy over the same
> IPSEC tunnel. I am not sure how to do this in M0n0Wall.
>
> Details:
>
> We own a Fortigate 200A. It accepts IPSEC connections, and has a
> feature where you can define a concentrator so that "spokes" of the VPN
> hub can communicate with each other. I have three separate networks
> that need to talk to each other. The hub is the Fortigate, as it is at
> the main site. The spokes are the M0n0Walls at the remote sites. I
> need the spokes to talk to each other by way of the hub.
>
> 172.16.0.0/16 - HUB (Fortigate - main site)
> 172.18.0.0/16 - Spoke1 (remote site)
> 172.19.0.0/16 - Spoke2 (remote site)
>
> The spokes are on DSL connections, so I have to use e-mail address as
> the identifier. Fortigate accepts these as dial-up connections.
>
> Spoke1 and Spoke2 each make a tunnel to the hub. So, hub can ping
> spoke1, spoke1 can ping hub, and hub can ping spoke2, and spoke2 can
> ping hub. What is missing here is the ability to ping spoke1 from
> spoke2, and ping spoke2 from spoke1.
>
> Fortigate tech support tells me everything is set right on the
> Fortigate. But they say I need to define an additional firewall encrypt
> rule (but NOT another tunnel) on each spoke to talk to the other spoke's
> network. How do I do that on the M0n0Wall? This makes sense, but I
> just can't see how to do it.
>
> Any advice is appreciated.
>
> Thank You.
>
This was on the list recently. I think that the solution was to have
another tunnel. The Fortigate guy is probably confused.
sai
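Added illustration, not part of either message above: a small model of IPsec traffic selectors for the hub-and-spoke layout in the thread. It shows why spoke1 to spoke2 traffic falls through with only the original spoke-to-hub selectors, and what has to exist at each spoke and at the hub (whether m0n0wall gets it as a second phase 2 entry or as a second tunnel) before the packet is protected end to end. The policy tables, the peer labels and the packet addresses are constructed from the subnets in the post; nothing here is m0n0wall or Fortigate configuration syntax.

```python
"""Traffic-selector model of the hub-and-spoke IPsec setup from the thread.

Constructed example: policy tables and packet addresses are made up to match
the subnets in the original post; this is not m0n0wall or Fortigate syntax.
"""
from ipaddress import ip_address, ip_network

HUB, SPOKE1, SPOKE2 = map(ip_network, ["172.16.0.0/16", "172.18.0.0/16", "172.19.0.0/16"])

def match_policy(policies, src, dst):
    """Return the peer of the first (local, remote, peer) entry whose selectors cover
    the packet, or None when no IPsec policy applies (clear-text or dropped)."""
    src, dst = ip_address(src), ip_address(dst)
    for local, remote, peer in policies:
        if src in local and dst in remote:
            return peer
    return None

# Phase 2 selectors as first configured: each spoke only protects traffic to the hub LAN.
spoke1_initial = [(SPOKE1, HUB, "hub")]
spoke2_initial = [(SPOKE2, HUB, "hub")]
# Additional selector per spoke: the other spoke's LAN, still reached via the hub peer.
spoke1_fixed = spoke1_initial + [(SPOKE1, SPOKE2, "hub")]
spoke2_fixed = spoke2_initial + [(SPOKE2, SPOKE1, "hub")]
# Hub acting as concentrator: it needs a selector for each spoke pair so decrypted
# traffic from one spoke is re-encrypted toward the other instead of being routed elsewhere.
hub_policies = [(HUB, SPOKE1, "spoke1"), (HUB, SPOKE2, "spoke2"),
                (SPOKE2, SPOKE1, "spoke1"), (SPOKE1, SPOKE2, "spoke2")]

def spoke_to_spoke_path(spoke1_policies, hub_policies, spoke2_policies, src, dst):
    """Walk a packet from spoke1 to spoke2 through the hub. Returns the encrypted hops
    taken and either "ok" or the first point where no selector matched."""
    path = []
    if match_policy(spoke1_policies, src, dst) != "hub":
        return path, "spoke1: no policy"
    path.append("spoke1->hub")
    if match_policy(hub_policies, src, dst) != "spoke2":
        return path, "hub: no policy"
    path.append("hub->spoke2")
    # The reply must also be protected, so spoke2 needs the reverse selector too.
    if match_policy(spoke2_policies, dst, src) != "hub":
        return path, "spoke2: no return policy"
    return path, "ok"
```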