Route multiple subnets through IPSEC VPN tunnel w/ only one local network configured

Forum|Forum|9 years ago
June 13, 2016
1 reply
5306 views

Hello,

I have a Fortigate 100D w/ an IPSEC tunnel to a vendor. Currently one local network is configured (10.x.x.x/24). We are planning on adding a wireless subnet w/ different IP scheme of 192.x.x.x/24 which needs access across the VPN. For various reasons the vendor on the other end cannot add this new network as a remote network on their Cisco endpoint.

The IPSEC tunnel is interface-based. Would it be as simple as to use the 'set nat-ip' option in the wireless --> VPN policy to NAT the 192.x.x.x IP to an IP on the existing (10.x.x.x) network? If so does it matter if this IP is already being used by something else (e.g. the firewall's interface IP on that subnet, or a PC on the 10.x.x.x network?)

5.2

ede_pfau

SuperUser

To apply source NAT (which is needed for this), create an IP pool, and specify NAT with IP pool in the policy WiFi -> tunnel.

This address should not be used elsewhere in the 10.x.x.x subnet to be unambiguous. The remote side cannot tell whether traffic is coming from an original 10.x.x.x host or a NATted WiFi host then, so no changes to the Quick Mode settings of your VPN.

The 'set-nat-ip' option is IMHO irrelevant here (context is policy-based VPN).

rwpatterson

New Member

ede_pfau wrote:
This address should not be used elsewhere in the 10.x.x.x subnet to be unambiguous.

This point cannot be stressed highly enough. Once an address is defined in an IP pool, it cannot be used anywhere else on that FGT unit (Except for NATting an outbound policy or VPN tunnel). Even if simply sitting unused in an IP pool, that IP/subnet will turn into a black hole. All references to it in policies and such will cease to function, so be careful with how wide you make this IP pool. A single IP in the range is usually enough to get the job done.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded