WalterW
New Member
December 13, 2021
Question

Overlapping remote subnets on two vpn tunnels

  • December 13, 2021
  • 2 replies
  • 2258 views

Hi,


It is a well-known problem: we have a Fortigate on AWS and have to connect to two different customers by VPN with overlapping remote subnets on their side:


[diagram image: Unbenanntes Diagramm.png (untitled diagram)]

Let's say it is not possible to do NAT on the customer firewalls. There are two scenarios:


1. TCP connections established from a customer 1/2 server to the AWS server

2. TCP connections established from the AWS server to a customer 1/2 server


Question #1:

Let's assume we implemented SNAT on the Fortigate to cover scenario 1. Would the return traffic automatically choose the correct tunnel (from the connection table), or would the routing table be consulted to find the tunnel interface for the return traffic? I believe the latter is the case, so the SNAT would not help here.


Question #2:

I know there is a technical article about how to solve this with VRF and VDOM on the Fortigate, but unfortunately we have an on-demand license (not BYOL), so an additional VDOM is not available on the Fortigate.

Is there any way to solve this without an additional VDOM?
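The routing ambiguity the question describes, and the usual way around it when the remote side cannot NAT, can be modelled generically. The following is an added example, not code or configuration from the original post and not Fortigate-specific: a longest-prefix-match route lookup that returns more than one candidate when both tunnels carry the same 10.0.0.0/24, and a per-tunnel 1:1 subnet translation (netmap) that presents each customer under a distinct virtual /24 so that both directions of traffic, including the return path of scenario 1, can be routed from the routing table alone. All addresses, interface names (cust1-vpn, cust2-vpn) and the virtual ranges are assumptions chosen for the illustration.

```python
import ipaddress

# Constructed topology (assumed, not taken from the post): both customers use
# 10.0.0.0/24 behind their own tunnel; the AWS server sits in 172.16.0.0/24.
AWS_NET = ipaddress.ip_network("172.16.0.0/24")
CUSTOMER_REAL = ipaddress.ip_network("10.0.0.0/24")

# Per-tunnel 1:1 subnet translation: (real customer range, virtual range shown
# to the AWS side). Virtual ranges are hypothetical and must not overlap.
NETMAP = {
    "cust1-vpn": (CUSTOMER_REAL, ipaddress.ip_network("192.168.101.0/24")),
    "cust2-vpn": (CUSTOMER_REAL, ipaddress.ip_network("192.168.102.0/24")),
}

# Naive routing table: the same prefix twice, once per tunnel.
NAIVE_ROUTES = [
    (CUSTOMER_REAL, "cust1-vpn"),
    (CUSTOMER_REAL, "cust2-vpn"),
]

# Routing table after netmap: routes point at the unique virtual ranges.
VIRTUAL_ROUTES = [(virt, iface) for iface, (_, virt) in NETMAP.items()]


def lpm_route(table, dst):
    """Longest-prefix match. Returns every egress interface whose matching
    prefix is the longest; more than one entry means the lookup is ambiguous."""
    dst = ipaddress.ip_address(dst)
    best, winners = -1, []
    for net, iface in table:
        if dst in net:
            if net.prefixlen > best:
                best, winners = net.prefixlen, [iface]
            elif net.prefixlen == best:
                winners.append(iface)
    return winners


def map_addr(addr, src_net, dst_net):
    """1:1 subnet translation: keep the host part, swap the network part."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


def aws_to_customer(pkt, routes):
    """Scenario 2, and the return path of scenario 1: the AWS server talks to a
    virtual customer address. Route on the virtual destination (unique per
    tunnel), then translate the destination back to the customer's real IP."""
    ifaces = lpm_route(routes, pkt["dst"])
    if len(ifaces) != 1:
        raise ValueError(f"ambiguous or missing route for {pkt['dst']}: {ifaces}")
    iface = ifaces[0]
    real, virt = NETMAP[iface]
    return iface, {"src": pkt["src"], "dst": str(map_addr(pkt["dst"], virt, real))}


def customer_to_aws(iface, pkt):
    """Scenario 1: a customer server connects to AWS. Translate the source on
    ingress so the AWS server sees (and replies to) the unique virtual address;
    the reply is then routed by aws_to_customer without consulting any session
    state."""
    real, virt = NETMAP[iface]
    return {"src": str(map_addr(pkt["src"], real, virt)), "dst": pkt["dst"]}


if __name__ == "__main__":
    # Without netmap the lookup cannot pick a tunnel for 10.0.0.5.
    print("naive:", lpm_route(NAIVE_ROUTES, "10.0.0.5"))
    # Scenario 1: customer 1 host 10.0.0.7 -> AWS, then the AWS reply.
    inbound = customer_to_aws("cust1-vpn", {"src": "10.0.0.7", "dst": "172.16.0.10"})
    reply = {"src": inbound["dst"], "dst": inbound["src"]}
    print("reply goes via:", aws_to_customer(reply, VIRTUAL_ROUTES))
    # Scenario 2: AWS -> customer 2 host 10.0.0.7 via its virtual address.
    print("outbound:", aws_to_customer({"src": "172.16.0.10", "dst": "192.168.102.7"}, VIRTUAL_ROUTES))
```

The model deliberately keeps no connection table: once the source of inbound customer traffic is rewritten to the tunnel's own virtual range and the routing table carries only the virtual ranges, the return path is decided by routing alone, so the question of whether the firewall would use session state or the routing table no longer matters. On a real firewall the same idea is built from per-tunnel destination and source translation plus static routes for the virtual ranges; the exact objects and syntax for the Fortigate should be taken from Fortinet's own documentation rather than from this sketch.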

    2 replies

    WalterW (Author)
    New Member
    December 14, 2021

    No, VXLAN is not a solution; the firewalls on the customer side are third-party products and we have to keep the configuration as straightforward as possible.

    Also, there is no access customer 1 <-> customer 2 required, only connections between the customer servers and the AWS server. From my diagram it might even happen that both customers have a server with the same IP address (although very unlikely).