NKL
New Member
June 3, 2016
Question

IPSec VPN with overlapping subnets

Hi all, I'm trying to connect two sites through IPsec VPN that are using the same IP subnet (let's say 192.168.100.0/24) for their local LAN. Both sites are running FortiOS 5.2.7. The goal is that devices on Site1 can communicate with devices on Site2, although their IP subnets overlap. I'm aware that there are both a Fortinet doc (http://docs.fortinet.com/...erlapping-subnets.pdf) and a cookbook recipe (http://cookbook.fortinet....-overlapping-subnets/) for that. Unfortunately, both don't seem to work or match my requirement. As for the doc, at the beginning it sounds like the solution to my problem. But only very late, in "Results", is it explained that Site1 and Site2 will actively have to communicate with a mapped IP range. And the cookbook recipe does not even seem to be complete at all, that is, VIPs are created but never used in the recipe. Does anyone have a working solution for my requirement and is willing to share his/her config with me?


ede_pfau
SuperUser
June 3, 2016

hi,


I've read through the Cookbook recipe and it looks correct. Of course, you will have to create at least one policy from tunnel to LAN into which you insert the VIP as the destination address. No policy, no traffic. Seems to be so basic that Keith (the author) left it out.


Staying with the diagram in the recipe, yes, you communicate with the other LAN using the 'fake' addresses - how else? If you use 192.168.1.x you address a local host; if you use 10.21.101.x (same x!!) you address the remote host with the same (hence, overlapping) address. In the remote location you address 10.31.101.x to contact a remote host.


So, by using VIPs on both sides, you drop using the original address space (192.168.1.x) because it is ambiguous. The VIPs introduce new, distinct address spaces for both LANs. Configuring the local DNS will help your users a lot to cope with this.

NKL
New Member
June 3, 2016

I still feel like there is something missing:


If I understand correctly, the VIPs created in the cookbook have to be applied to the inbound policies for traffic leaving the tunnel in the direction of the internal LAN. So, what the VIPs are doing is translating a 10.x address into a 192.x address. I understand the concept.


But obviously, before that, another translation from a 192.x address to a 10.x address should have happened. I believe there has to be another set of VIPs for outbound traffic from the internal LAN to the tunnel. How else would the "source" FortiGate know that it should "snag" traffic that is directed to a 192.x address that is not in its site, and send it over the tunnel?

ede_pfau
SuperUser
June 3, 2016

If you address a remote host, you would use the translated 10.x address. The VIP should translate the traffic in the other direction automatically.

Care to try it?
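For readers who want to see the two translation directions from this exchange side by side, here is a constructed Site1 configuration in FortiOS CLI syntax. It is an added example, not the cookbook recipe's or either poster's config, and it uses the addressing ede_pfau describes above: Site1's real LAN 192.168.1.0/24 is reached from Site2 as 10.31.101.x, and Site2's hosts are reached from Site1 as 10.21.101.x (same last octet). The interface name `port1`, the tunnel name `to_site2` and all object names are assumptions. The outbound translation NKL asks about is handled here by enabling `nat-source-vip` on the range VIP together with NAT on the LAN-to-tunnel policy, so outbound sources become the VIP's external addresses without a second set of VIPs; verify that option's behaviour on your own firmware build before relying on it. Site2 gets the mirror image (VIP 10.21.101.x, phase 2 selectors swapped).

```fortios
# Site1 (constructed example, assumed names). Real LAN 192.168.1.0/24 on port1.
# Site1 is addressed from Site2 as 10.31.101.x; Site2 is addressed from Site1 as 10.21.101.x.

# Phase 2 selectors carry only the mapped ranges, never the ambiguous 192.168.1.0/24
config vpn ipsec phase2-interface
    edit "to_site2_p2"
        set phase1name "to_site2"
        set src-subnet 10.31.101.0 255.255.255.0
        set dst-subnet 10.21.101.0 255.255.255.0
    next
end

# The remote mapped range is routed into the tunnel interface
config router static
    edit 0
        set dst 10.21.101.0 255.255.255.0
        set device "to_site2"
    next
end

config firewall address
    edit "lan_site1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "site2_mapped"
        set subnet 10.21.101.0 255.255.255.0
    next
end

# Inbound: 10.31.101.x arriving from the tunnel becomes 192.168.1.x (same x).
# nat-source-vip makes outbound sessions from 192.168.1.x leave as 10.31.101.x
# when the outbound policy has NAT enabled, so Site2 never sees a 192.168.1.x source.
config firewall vip
    edit "site1_vip"
        set extip 10.31.101.1-10.31.101.254
        set extintf "to_site2"
        set mappedip "192.168.1.1-192.168.1.254"
        set nat-source-vip enable
    next
end

config firewall policy
    # LAN -> tunnel, with NAT so the VIP's external range is used as source
    edit 0
        set name "lan_to_site2"
        set srcintf "port1"
        set dstintf "to_site2"
        set srcaddr "lan_site1"
        set dstaddr "site2_mapped"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # tunnel -> LAN with the VIP as destination: the policy the recipe leaves out
    edit 0
        set name "site2_to_lan"
        set srcintf "to_site2"
        set dstintf "port1"
        set srcaddr "site2_mapped"
        set dstaddr "site1_vip"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To check the result from Site1, open a session to a remote host via 10.21.101.x and inspect `diagnose sys session list`: the outbound session should show the source translated to 10.31.101.x, and a session opened from Site2 towards 10.31.101.x should show the destination translated to 192.168.1.x. If the source is not translated, the tunnel-facing side at Site2 receives a 192.168.1.x source that overlaps its own LAN, which is exactly the ambiguity the mapped ranges exist to remove.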