Skip to main content
rharms_tarc
rharms_tarc
New Member
February 7, 2025
Question

Multiple IPSEC VPNs with Same Remote Subnet

  • February 7, 2025
  • 2 replies
  • 1231 views

Trying to figure out the best way to handle setting up VPN tunnels for about 200 mass transit buses. 

 

Each bus has a Digi TX64 cellular router installed, and they are all configured to use the same internal subnet for the equipment on board the bus.  We're needing to enable communication between a couple of devices on each bus and on-prem servers located at our headquarters (perimeter is a Fortigate 300E). 

 

Since all of the buses are configured to use the same 192.168.x.x subnet on their internal network, obviously we're going to need to NAT that traffic somewhere along the way. Would like to minimize the configuration needed on each individual bus though.

 

The on-prem servers we need to hit are on a 10.x.x.x network, so that traffic shouldn't need to be NATed.

 

 

Oh, and we can't have static IPs on our cellular connections (long story), so will have to use Dynamic DNS for that end of the tunnel.

 

I've been studying the docs I can find online, and think I have a workable plan in mind, but thought I would reach out and see if anyone had any words of wisdom.  Thanks in advance. 

2 replies

Shashwati
Staff
Shashwati
Staff
February 7, 2025

Hello 

 

Please refer to the following document 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-establish-more-than-one-IPsec-tunnel-with/ta-p/240955

rharms_tarc
rharms_tarcAuthor
New Member
February 13, 2025

I looked through the document that Shashwati linked to, but I don't see that it applies to the problem I'm trying to solve. 

 

I've got different public IPs at the endpoints of the tunnels, that's not a problem.  The problem is that the internal IPs behind the remote-end (on bus) routers are duplicated.  Every bus uses 192.168.0.0/24 as its internal subnet and the specific devices located on each bus use the same IP (example Device1 on every bus sits at 192.168.0.4).  

 

So I'm needing to NAT that traffic somewhere along the way so that when it tries to talk to an on-prem server, each bus has a unique set of IPs (Device1 on Bus1 shows as 172.16.1.4 and Device1 on Bus2 shows as 172.16.2.4 and so on).

 

I've been able to get it to work setting up NAT on the remote (on bus) router so that the address change occurs before the traffic enters the tunnel.  However, that is going to be very hard to maintain across the fleet.  It would be preferable to have the address changes handled entirely on the near-side Fortigate, but I've not managed to make that work.  There is no need for devices on the buses to be able to talk among themselves, the traffic is strictly between the devices on the buses and the servers at headquarters. 

Terms & ConditionsAccessibility statement