Considering you have the IPsec tunnels up and running, that's half the battle; the other half is getting your Fortinet HQ to act as an Internet transport "between" hubs.
With the Fortinet you can use either a Policy-Based or a Route-Based VPN to enable communication between the spokes.
For a Policy-Based hub-and-spoke VPN, you define a concentrator to enable communication between the spokes.
To define the VPN concentrator:
1. At the hub, go to VPN > IPsec > Concentrator and select Create New.
2. In the Concentrator Name field, type a name to identify the concentrator.
3. From the Available Tunnels list, select a VPN tunnel and then select the right-pointing arrow.
4. Repeat Step 3 until all of the tunnels associated with the spokes are included in the concentrator.
5. Select OK.
For a Route-Based hub-and-spoke VPN, allowing communication between ONLY two spokes:
• Create a security policy for each pair of spokes that are allowed to communicate with each other. The number of policies required increases rapidly as the number of spokes increases.
To enable communication between two spokes, you need to define an ACCEPT security policy for them. To allow either spoke to initiate communication, you must create a policy for each direction. This procedure describes a security policy for communication from Spoke 1 to Spoke 2.
1. Define names for the addresses or address ranges of the private networks behind each spoke. For more information, see “Defining policy addresses” on page 59.
2. Go to Policy & Objects > Policy > IPv4 and select Create New.
3. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
4. Enter the following settings and select OK.
"Incoming Interface": Select the IPsec interface that connects to Spoke 1.
"Source Address": Select the address of the private network behind Spoke 1.
"Outgoing Interface": Select the IPsec interface that connects to Spoke 2.
"Destination Address": Select the address of the private network behind Spoke 2.
"Action": Select ACCEPT.
"Enable NAT": Enable.
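The two hub-side procedures above (the policy-based concentrator, and the per-pair route-based policies) are easy to script once the spokes are more than a handful, and scripting makes the "number of policies increases rapidly" point concrete: a full mesh of n spokes needs n*(n-1) policies on the hub, one per direction per pair. The following is an added example, not code from the original post or from Fortinet; it emits FortiOS CLI equivalent to the GUI steps. The tunnel names (Spoke1_VPN, ...), the address object names (Spoke1_LAN, ...), the subnets and the concentrator name are constructed assumptions. It generalizes the two-spoke procedure on the page to any number of spokes and lets you restrict which pairs may talk.

```python
"""Generate FortiOS CLI for a FortiGate hub in a hub-and-spoke IPsec VPN.

Added example (not from the original post or Fortinet). Interface, address,
tunnel and concentrator names are assumptions chosen for illustration.
"""
from itertools import permutations

# Constructed sample inventory: the phase1-interface name of each spoke's
# tunnel as seen on the hub, and the private LAN behind that spoke.
SPOKES = {
    "Spoke1": {"tunnel": "Spoke1_VPN", "subnet": "10.1.0.0 255.255.255.0"},
    "Spoke2": {"tunnel": "Spoke2_VPN", "subnet": "10.2.0.0 255.255.255.0"},
    "Spoke3": {"tunnel": "Spoke3_VPN", "subnet": "10.3.0.0 255.255.255.0"},
}


def concentrator_config(name, spokes):
    """Policy-based VPN: one concentrator whose members are all spoke tunnels
    (the CLI form of VPN > IPsec > Concentrator > Create New)."""
    members = " ".join(f'"{s["tunnel"]}"' for s in spokes.values())
    return (
        "config vpn ipsec concentrator\n"
        f'    edit "{name}"\n'
        f"        set member {members}\n"
        "    next\n"
        "end\n"
    )


def address_config(spokes):
    """Route-based step 1: one firewall address object per spoke LAN."""
    lines = ["config firewall address"]
    for spoke, s in spokes.items():
        lines += [f'    edit "{spoke}_LAN"',
                  f'        set subnet {s["subnet"]}',
                  "    next"]
    lines.append("end")
    return "\n".join(lines) + "\n"


def spoke_pairs(spokes, allowed=None):
    """Ordered (src, dst) pairs that need a policy: one policy per direction.
    `allowed` is an optional set of frozenset({a, b}) limiting which spokes
    may talk; None means full mesh."""
    pairs = list(permutations(spokes, 2))
    if allowed is not None:
        pairs = [p for p in pairs if frozenset(p) in allowed]
    return pairs


def policy_config(spokes, allowed=None, nat=True):
    """Route-based steps 2-4 for every permitted ordered pair. `nat=True`
    mirrors the "Enable NAT: Enable" setting in the procedure above."""
    lines = ["config firewall policy"]
    for src, dst in spoke_pairs(spokes, allowed):
        lines += [
            "    edit 0",  # 0 = allocate the next free policy ID
            f'        set name "{src}_to_{dst}"',
            f'        set srcintf "{spokes[src]["tunnel"]}"',
            f'        set dstintf "{spokes[dst]["tunnel"]}"',
            f'        set srcaddr "{src}_LAN"',
            f'        set dstaddr "{dst}_LAN"',
            "        set action accept",
            '        set schedule "always"',
            '        set service "ALL"',
            f"        set nat {'enable' if nat else 'disable'}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines) + "\n"


def policy_count(n_spokes):
    """Policies the hub needs for a full mesh between n spokes: n*(n-1)."""
    return n_spokes * (n_spokes - 1)


if __name__ == "__main__":
    print(concentrator_config("HubConcentrator", SPOKES))
    print(address_config(SPOKES))
    # Only Spoke1 <-> Spoke2 may talk; Spoke3 stays isolated.
    print(policy_config(SPOKES, allowed={frozenset(("Spoke1", "Spoke2"))}))
    for n in (2, 5, 10, 20):
        print(f"{n} spokes -> {policy_count(n)} hub policies for a full mesh")
```

Paste the output into the hub's CLI (or review it before doing so). Pass `allowed=` to restrict the mesh to the pairs that genuinely need to communicate; every ordered pair you omit is one fewer ACCEPT policy on the hub, which is the least-privilege version of the procedure above.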
Best Answer
They originate on the outside interface. This is one of my NAT entries for an international site connected via L2L:
ISPA -> translates to outside for most people, 0 security interface
Corporate -> object-group network containing the local/MPLS subnets
France -> object-group network containing the remote site subnets
This applies to the ACLs as well. However, you will need to use:
Otherwise the VPN traffic will bypass the ACLs.
However, you can use a VPN filter instead of placing ACLs on the interface and avoid turning off the sysopt connection permit-vpn option. An example may be found here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#configs