Contributor
December 22, 2006

IPSec VPN with proxy ARP for overlapped subnets (v3.0)

Introduction

This article describes how to create a VPN between hosts on two private networks that use the same subnet addresses. This is also called an overlapping subnet configuration.

In FortiOS v2.80 this problem was resolved with IPSec virtual IP (VIP) addresses.
 
See also the related article "IPSec VPN with virtual IP for overlapped subnets (v3.0)".
 
In FortiOS v3.0 there are no IPSec VIPs. Instead, for each remote host you create a proxy ARP table entry and a static host route on the local FortiGate. This requires an interface-based (route-based) VPN, a new feature in FortiOS v3.0.

Components

The sample configuration uses FortiGate Antivirus Firewalls running FortiOS v3.00.
Network Diagram

[Network diagram image: ddouglas_12017_12017-diagram.JPG]
Prerequisites

The configuration is based on the following assumptions:
  • On both firewalls, the IPSec VPN runs in interface mode.
  • There are no address conflicts: source and destination host IP addresses are unique across the two sites.
  • The IP address of the Internal interface is different at each end; for example, one is 192.168.4.199 and the other is 192.168.4.99.
Configuration: FortiGate_1
config system interface
    edit "port1"
        set ip 192.168.4.199 255.255.255.0
        set allowaccess ping https
    next
    edit "port2"
        set ip 64.114.95.202 255.255.255.128
    next
end
config system proxy-arp
    edit 1
        set interface "port1"
        set ip 192.168.4.1
    next
end
config vpn ipsec phase1-interface
    edit "2fw2p1"
        set interface "port2"
        set dpd enable
        set nattraversal enable
        set proposal 3des-sha1 3des-md5
        set remote-gw 64.114.95.203
        set psksecret 123456
    next
end
config vpn ipsec phase2-interface
    edit "2fw2p2"
        set keepalive enable
        set pfs enable
        set phase1name "2fw2p1"
        set proposal 3des-sha1 3des-md5
        set replay enable
    next
end
config firewall address
    edit "all"
    next
    edit "ipsecsrc"
        set subnet 192.168.4.0 255.255.255.0
    next
    edit "ipsecdst"
        set subnet 192.168.4.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "2fw2p1"
        set srcaddr "ipsecsrc"
        set dstaddr "ipsecdst"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "2fw2p1"
        set dstintf "port1"
        set srcaddr "ipsecdst"
        set dstaddr "ipsecsrc"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
config router static
    edit 1
        set device "port2"
        set gateway 64.114.95.254
    next
    edit 2
        set device "2fw2p1"
        set dst 192.168.4.1 255.255.255.255
    next
end
Configuration: FortiGate_2
config system interface
    edit "port1"
        set ip 192.168.4.99 255.255.255.0
        set allowaccess ping https
    next
    edit "port2"
        set ip 64.114.95.203 255.255.255.128
    next
end
config system proxy-arp
    edit 1
        set interface "port1"
        set ip 192.168.4.11
    next
end
config vpn ipsec phase1-interface
    edit "2fw1p1"
        set interface "port2"
        set dpd enable
        set nattraversal enable
        set proposal 3des-sha1 3des-md5
        set remote-gw 64.114.95.202
        set psksecret 123456
    next
end
config vpn ipsec phase2-interface
    edit "2fw1p2"
        set keepalive enable
        set pfs enable
        set phase1name "2fw1p1"
        set proposal 3des-sha1 3des-md5
        set replay enable
    next
end
config firewall address
    edit "all"
    next
    edit "ipsecsrc"
        set subnet 192.168.4.0 255.255.255.0
    next
    edit "ipsecdst"
        set subnet 192.168.4.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "2fw1p1"
        set srcaddr "ipsecsrc"
        set dstaddr "ipsecdst"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "2fw1p1"
        set dstintf "port1"
        set srcaddr "ipsecdst"
        set dstaddr "ipsecsrc"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
config router static
    edit 1
        set device "port2"
        set gateway 64.114.95.254
    next
    edit 2
        set device "2fw1p1"
        set dst 192.168.4.11 255.255.255.255
    next
end
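The pairing above only works if, on each firewall, every proxied address sits in the LAN subnet of the proxying interface, is not that interface's own address, and has a /32 static route whose device is the IPsec phase1-interface, and if each tunnel's remote-gw is really an address on the peer and no host is proxied on both sides. The following script is an added example, not part of the article and not FortiOS code: it parses the FortiOS "config / edit / set / next / end" text with a minimal parser, rebuilds a reduced version of the two configurations from a template carrying the article's own addresses (the sample() helper, its reduced set of sections and the check function names are constructed for this example), and reports any violation of those invariants.

```python
import ipaddress


def sample(lan_ip, wan_ip, proxied, tunnel, remote_gw, host_route=True):
    """Constructed sample: a FortiOS v3.0 fragment in the article's layout,
    with the caller supplying the addresses (here the article's own values)."""
    route = f"""
    edit 2
        set device "{tunnel}"
        set dst {proxied} 255.255.255.255
    next""" if host_route else ""
    return f"""
config system interface
    edit "port1"
        set ip {lan_ip} 255.255.255.0
    next
    edit "port2"
        set ip {wan_ip} 255.255.255.128
    next
end
config system proxy-arp
    edit 1
        set interface "port1"
        set ip {proxied}
    next
end
config vpn ipsec phase1-interface
    edit "{tunnel}"
        set interface "port2"
        set remote-gw {remote_gw}
    next
end
config router static
    edit 1
        set device "port2"
        set gateway 64.114.95.254
    next{route}
end
"""


FORTIGATE_1 = sample("192.168.4.199", "64.114.95.202", "192.168.4.1", "2fw2p1", "64.114.95.203")
FORTIGATE_2 = sample("192.168.4.99", "64.114.95.203", "192.168.4.11", "2fw1p1", "64.114.95.202")


def parse_fortios(text):
    """Minimal parser for the config/edit/set/next/end CLI format.
    Returns {section: {entry: {key: [values]}}}."""
    tree, stack = {}, []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            section = " ".join(tok[1:])
            tree.setdefault(section, {})
            stack.append([section, None])
        elif tok[0] == "edit":
            stack[-1][1] = tok[1].strip('"')
            tree[stack[-1][0]].setdefault(stack[-1][1], {})
        elif tok[0] == "set":
            section, entry = stack[-1]
            tree[section][entry][tok[1]] = [t.strip('"') for t in tok[2:]]
        elif tok[0] == "next":
            stack[-1][1] = None
        elif tok[0] == "end":
            stack.pop()
    return tree


def check_firewall(cfg):
    """Per-firewall invariants: proxied address inside the proxying interface's
    subnet, not the interface's own address, and a /32 route into a tunnel."""
    problems = []
    nets = {name: ipaddress.ip_interface(f"{e['ip'][0]}/{e['ip'][1]}")
            for name, e in cfg["system interface"].items() if "ip" in e}
    tunnels = set(cfg.get("vpn ipsec phase1-interface", {}))
    host_routes = {e["dst"][0]: e["device"][0]
                   for e in cfg.get("router static", {}).values()
                   if (e.get("dst") or [None, None])[1] == "255.255.255.255"}
    for e in cfg.get("system proxy-arp", {}).values():
        ip, ifname = ipaddress.ip_address(e["ip"][0]), e["interface"][0]
        iface = nets.get(ifname)
        if iface is None or ip not in iface.network:
            problems.append(f"{ip}: not inside the subnet of {ifname}")
        elif ip == iface.ip:
            problems.append(f"{ip}: collides with the address of {ifname}")
        dev = host_routes.get(str(ip))
        if dev is None:
            problems.append(f"{ip}: no /32 static route")
        elif dev not in tunnels:
            problems.append(f"{ip}: /32 route exits via {dev}, not an IPsec interface")
    return problems


def check_pair(cfg_a, cfg_b):
    """Cross-checks: each remote-gw is an interface address on the peer, and
    no address is proxied on both sides (the no-conflict prerequisite)."""
    problems = []
    for here, there in ((cfg_a, cfg_b), (cfg_b, cfg_a)):
        peer_ips = {e["ip"][0] for e in there["system interface"].values() if "ip" in e}
        for name, p1 in here["vpn ipsec phase1-interface"].items():
            if p1["remote-gw"][0] not in peer_ips:
                problems.append(f"{name}: remote-gw {p1['remote-gw'][0]} is not an address on the peer")
    proxied = [{e["ip"][0] for e in c["system proxy-arp"].values()} for c in (cfg_a, cfg_b)]
    for ip in proxied[0] & proxied[1]:
        problems.append(f"{ip}: proxied on both firewalls")
    return problems


if __name__ == "__main__":
    fg1, fg2 = parse_fortios(FORTIGATE_1), parse_fortios(FORTIGATE_2)
    for label, cfg in (("FortiGate_1", fg1), ("FortiGate_2", fg2)):
        print(label, check_firewall(cfg) or "ok")
    print("pair", check_pair(fg1, fg2) or "ok")
```

Run against the article's values all three checks come back empty; dropping the `edit 2` host route or pointing the proxy ARP entry at the interface's own address produces a one-line finding, which is the failure mode that otherwise only shows up as an ARP reply with no matching kernel route.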
Troubleshooting
  • diag deb enable – enable debug output on the console
  • diag deb app ike 2 – display the IPsec IKE negotiation
  • diag sniffer packet – display packets coming in and going out on the interfaces
  • diag ip route list – check the host routes in the kernel
