kimrdk
New Member
June 18, 2019
Question

Conflicts with existing local subnet

  • June 18, 2019
  • 2 replies
  • 17595 views

Hi forum :)


My local FortiGate has a few different interfaces set up. I'm now trying to set up a VPN connection between my firewall and another third-party firewall which I don't have control over (UniFi EdgeRouter Lite).


The issue is that the other end's subnet overlaps with one of my local subnets.


I'm trying to set up the VPN on my "DMZ" interface, which does not overlap with the other site. Only my LAN interfaces do, and they won't be used in this VPN connection.


I have seen https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/Gtwy_Gtwy_Config/How_to_Work_Overlapping_Subnets.htm, but that's not exactly my situation.


Best Regards

Kim

2 replies

kimrdk (Author)
New Member
June 18, 2019

I've also found: https://forum.fortinet.com/tm.aspx?m=154954

But I may not be able to NAT anything at the other end.

I'll look into policy routing if there isn't any other way around this.

Toshi_Esumi
SuperUser
June 18, 2019

The first option is to re-subnet either the local or the remote LAN to avoid the conflict, which is probably not an option.


The second option, which would be the best but might not be the easiest, is to ask the third party on the other end to SNAT their overlapping source IPs/subnet. Otherwise, a routing problem happens on the local end when you try routing into the tunnel while the destination exists locally. You don't need NAT on the local side since the remote end doesn't need to reach the destinations that are overlapping.


Although the above second option should be relatively easy to implement with any FWs, if it's absolutely not an option for political, financial, or whatever the reason is, the second option is to separate the DMZ into a VDOM and set up the tunnel from the DMZ VDOM. Then you have to set up SNAT on the local LAN VDOM to avoid the routing conflict when the DMZ needs to route both to the tunnel destinations and over the VDOM link to the local LAN destinations.
kimrdk (Author)
New Member
June 19, 2019

What about policy routing: can I configure all traffic from this one device on my local "DMZ" interface to the overlapping subnet to go through the VPN tunnel?
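As an added illustration of the policy-routing idea asked about here and the "destination exists locally" routing conflict described in the reply above, the following FortiOS CLI fragment is example configuration written for this page, not posted by anyone in the thread and not taken from Fortinet documentation. Every name and address in it is an assumption: `dmz` for the local DMZ interface, `to_edgerouter` for the IPsec tunnel interface, 10.10.10.5 for the one DMZ host that needs the remote site, and 192.168.1.0/24 for the remote LAN that also exists locally.

```fortios
# Added example, not from any poster in this thread. Names and addresses are
# constructed assumptions:
#   dmz            - local DMZ interface (does not overlap the remote site)
#   to_edgerouter  - IPsec tunnel interface (phase1-interface of the same name)
#   10.10.10.5     - the single DMZ host that must reach the remote site
#   192.168.1.0/24 - remote LAN, which also exists as a local LAN subnet

# Phase 2 selectors: only the DMZ subnet is offered to the remote side, so the
# overlapping local LAN is never part of the tunnel.
config vpn ipsec phase2-interface
    edit "to_edgerouter"
        set phase1name "to_edgerouter"
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end

config firewall address
    edit "dmz-host"
        set subnet 10.10.10.5 255.255.255.255
    next
    edit "remote-lan"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Policy route: consulted before the routing table, so the connected route for
# the local 192.168.1.0/24 (distance 0, which a static route through the tunnel
# could never win against) is bypassed for this one source host only.
config router policy
    edit 1
        set input-device "dmz"
        set src "10.10.10.5/255.255.255.255"
        set dst "192.168.1.0/255.255.255.0"
        set output-device "to_edgerouter"
    next
end

# Firewall policy limited to that host and that destination; no NAT on this
# side, matching the reply above. Tighten "service" to what the host needs.
config firewall policy
    edit 0
        set name "dmz-host-to-remote"
        set srcintf "dmz"
        set dstintf "to_edgerouter"
        set srcaddr "dmz-host"
        set dstaddr "remote-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two consequences worth checking before relying on this: every packet from 10.10.10.5 to 192.168.1.0/24 now goes into the tunnel, so that host can no longer reach the local LAN machines that use those addresses (which is the thread's premise, but it should be deliberate); and only sessions the DMZ host initiates are covered, because anything the remote side initiates toward the DMZ would need its own policy and is still subject to the FortiGate's reverse-path check against a routing table whose 192.168.1.0/24 entry points at the local LAN, so test that direction separately rather than assuming it works.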
