On 3/20/06, Tim Cary <TDC at yesinc dot com> wrote:
> I need to define an additional firewall encryption policy over the same
> IPEC tunnel. I am not sure how to do this in M0n0Wall.
> We own a Fortigate 200A. It accepts IPSEC connections, and has a
> feature where you can define a concentrator so that "spokes" of the VPN
> hub can communicate with each other. I have three separate networks
> that need to talk to each other. The hub is the Fortigate, as it is at
> the main site. The spokes are the M0n0Wall's at the remote sites. I
> need the spokes to talk to each other by way of the hub.
> 172.16.0.0/16 - HUB (Fortigate- main site)
> 172.18.0.0/16- Spoke1 (remote site)
> 172.19.0.0/16- Spoke2 (remote site)
> The spokes are on DSL connections, so I have to use e-mail address as
> the identifier. Fortigate accepts these as dial-up connections.
> Spoke1 and Spoke2 each make a tunnel to the hub. So, hub can ping
> spoke1, spoke1 can ping hub, and hub can ping spoke2, and spoke2 can
> ping hub. What is missing here is the ability to ping spoke1 from
> spoke2, and ping spoke2 from spoke1.
> Fortigate tech support tells me everything is set right on the
> Fortigate. But they say I need to define an additional firewall encrypt
> rule (but NOT another tunnel) on each spoke to talk to the other spoke's
> network. How do I do that on the M0n0Wall? This makes sense, but I
> just can't see how to do it.
> Any advice is appreciated.
> Thank You.
This was on the list recently. I think that the solution was to have
another tunnel. The Fortigate guy is probably confused.