Peddy1976
Visitor III
May 13, 2020
Question

Dial UP Ipsec client with overlapping subnet


Hi all,

I'm wondering if there's a way to handle multiple dial-up clients with the same local subnet.

I have a VDOM that acts as a HUB and many spokes connected through Dial-Up connections with XAUTH authentication. From the tests I made, having multiple clients with the same local subnet causes instability.

Many thanks,

Maurizio


    1 reply

    emnoc
    New Member
    May 13, 2020

    Fix your overlap, or SNAT the overlap. We do the latter if we have traffic only originating (from the dialup) and have them SNAT into a specific address.

    e.g.

    (remote dialup)                          (hub)
    SITEA  192.168.1.0/24  SNAT 192.0.2.1    public-address-FGT@HUB
    SITEB  192.168.2.0/24  SNAT 192.0.2.2    public-address-FGT@HUB

    You would then use the 192.0.2.1/32 in the phase2 subnet, which masks the 192.168.1.0/24. If the dialups are truly your "realm" of management, I would fix the overlap and never ever use a common 192.168.1.0/24 in a FortiGate.

    So for each peer, define a peer in the phase1 cfg and set the phase2 for that peer with the src/dst subnets.

    e.g. # siteA

    config vpn ipsec phase1-interface
        edit "sitea-dynamic"
            set type dynamic
            set interface "wan1"
            set ike-version 2
            set keylife 20000
            set authmethod signature
            set peertype peergrp
            set net-device disable
            set proposal aes128-sha1
            set comments "SITEA"
            set dhgrp 14
            set certificate "hubvpn"
            set peergrp "SITEA"
            set add-gw-route enable
            set dpd-retryinterval 60
        next
    end

    config vpn ipsec phase2-interface
        edit "sitea"
            set phase1name "sitea-dynamic"
            set proposal aes128-sha1
            set pfs disable
            set comments "SITEA SNAT 192.0.2.1"
            set src-subnet 10.0.0.0 255.0.0.0
            set dst-subnet 192.0.2.1 255.255.255.255
        next
    end

    e.g. # siteB

    config vpn ipsec phase1-interface
        edit "siteb-dynamic"
            set type dynamic
            set interface "wan1"
            set ike-version 2
            set keylife 20000
            set authmethod signature
            set peertype peergrp
            set net-device disable
            set proposal aes128-sha1
            set comments "SITEB"
            set dhgrp 14
            set certificate "hubvpn"
            set peergrp "SITEB"
            set add-gw-route enable
            set dpd-retryinterval 60
        next
    end

    config vpn ipsec phase2-interface
        edit "siteb"
            set phase1name "siteb-dynamic"
            set proposal aes128-sha1
            set pfs disable
            set comments "SITEB SNAT 192.0.2.2"
            set src-subnet 10.0.0.0 255.0.0.0
            set dst-subnet 192.0.2.2 255.255.255.255
        next
    end

    Inside peergrp we have our RSA certificate CN; if you're using something else (string, fqdn, email), change the config to match the remote site's remote-identity and set the localid in the device.


    Ken Felix
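As an added example (not part of the thread and not Fortinet's code), the following Python checks a per-spoke SNAT plan of the kind the reply describes before it is typed into the hub: the real spoke LANs are allowed to overlap (that is the situation being worked around), but every SNAT /32 must be unique and must not fall inside the hub subnet or inside any spoke LAN, otherwise the hub's route for that /32 is ambiguous. It then renders the per-peer phase2 selectors in the same shape as the reply's config. The spoke list, the site names and the 10.0.0.0/8 hub subnet are constructed sample values (the hub subnet is taken from the reply's src-subnet); the rendered lines follow the reply's pattern only and are not generated from any Fortinet template.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Spoke:
    name: str       # object name prefix on the hub, e.g. "sitea" -> "sitea-dynamic"
    local_lan: str  # real LAN behind the dial-up spoke (may overlap other spokes)
    snat_ip: str    # unique address the spoke SNATs into before entering the tunnel


# Constructed sample plan: two spokes with the same LAN, as in the question.
HUB_SUBNET = "10.0.0.0/8"
SPOKES = [
    Spoke("sitea", "192.168.1.0/24", "192.0.2.1"),
    Spoke("siteb", "192.168.1.0/24", "192.0.2.2"),
]


def overlapping_pairs(networks):
    """Return every (name_a, name_b) pair whose prefixes overlap."""
    nets = [(name, ipaddress.ip_network(cidr, strict=False)) for name, cidr in networks]
    pairs = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i][1].overlaps(nets[j][1]):
                pairs.append((nets[i][0], nets[j][0]))
    return pairs


def validate_plan(spokes, hub_subnet):
    """Return a list of problems with the SNAT plan; an empty list means it is usable."""
    problems = []
    hub = ipaddress.ip_network(hub_subnet)
    lans = [(s.name, ipaddress.ip_network(s.local_lan, strict=False)) for s in spokes]
    seen = {}
    for s in spokes:
        ip = ipaddress.ip_address(s.snat_ip)
        # Each spoke must land on its own /32, or the hub cannot tell them apart.
        if ip in seen:
            problems.append(f"{s.name}: SNAT address {s.snat_ip} already used by {seen[ip]}")
        seen[ip] = s.name
        # The /32 must be routable only via its tunnel: not in the hub subnet ...
        if ip in hub:
            problems.append(f"{s.name}: SNAT address {s.snat_ip} lies inside hub subnet {hub_subnet}")
        # ... and not inside any spoke LAN either.
        for lan_name, lan in lans:
            if ip in lan:
                problems.append(f"{s.name}: SNAT address {s.snat_ip} lies inside {lan_name} LAN {lan}")
    return problems


def hub_phase2_selectors(spokes, hub_subnet):
    """Render per-peer phase2 selectors in the shape the reply uses (pattern only)."""
    hub = ipaddress.ip_network(hub_subnet)
    lines = ["config vpn ipsec phase2-interface"]
    for s in spokes:
        snat = ipaddress.ip_network(f"{s.snat_ip}/32")
        lines += [
            f'    edit "{s.name}"',
            f'        set phase1name "{s.name}-dynamic"',
            f'        set comments "{s.name.upper()} SNAT {s.snat_ip}"',
            f"        set src-subnet {hub.network_address} {hub.netmask}",
            f"        set dst-subnet {snat.network_address} {snat.netmask}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    print("overlapping LANs:", overlapping_pairs([(s.name, s.local_lan) for s in SPOKES]))
    print("problems:", validate_plan(SPOKES, HUB_SUBNET) or "none")
    print(hub_phase2_selectors(SPOKES, HUB_SUBNET))
```

Run it on the plan before touching the hub; a non-empty problem list means the SNAT addresses need to be changed, not the phase2 selectors.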