yeowkm99
New Member
September 16, 2025
Question

Site-to-site VPN


We are doing evaluation of cloud DR solutions.

One of the recommendations is to create the same subnet/same IP addresses in the cloud DR so that, in the event of DR, we can swing over to the cloud once the local data centre is confirmed not accessible.

Question: can we do an IPsec tunnel with the same local and remote address in the phase 2 selectors?

e.g. local address - 172.16.0.0/24 and remote address - 172.16.0.0/24.

3 replies

owen911
Visitor III
September 16, 2025
Toshi_Esumi
SuperUser
September 16, 2025

I would set up something like BGP with both the primary datacenter and the DR site over IPsec, then control which direction to go for the subnet with local preference. That's what we do for our customers who require a DR location/cloud. So the failover/failback would be automatic.

Toshi
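
Added example (not from the thread or any of its posters): a FortiOS-style configuration for the firewall on the side that reaches both sites, implementing the BGP-over-IPsec approach above. It assumes route-based (interface-mode) tunnels named vpn-primary and vpn-dr whose phase 2 selectors are 0.0.0.0/0 on both ends, so the duplicated 172.16.0.0/24 is never used as a selector; the peer IPs, router ID and AS numbers are constructed. Both peers advertise 172.16.0.0/24; the primary's copy gets the higher local preference, so it wins while its session is up and the DR copy takes over the moment the primary's advertisement is withdrawn.

```text
# Added example, not from the thread. FortiOS CLI assumed.
# Route-maps applied inbound: primary gets local-pref 200, DR gets 100.
config router route-map
    edit "RM-FROM-PRIMARY"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
    edit "RM-FROM-DR"
        config rule
            edit 1
                set set-local-preference 100
            next
        end
    next
end

# eBGP to both sites over the tunnel interfaces. Peer IPs and AS
# numbers are constructed placeholders. Shorter timers mean the
# primary's routes are withdrawn within roughly the hold time of
# losing the DC, which is what makes failover and failback automatic.
config router bgp
    set as 65000
    set router-id 10.255.0.1
    config neighbor
        edit "10.255.1.2"
            set remote-as 65001
            set update-source "vpn-primary"
            set route-map-in "RM-FROM-PRIMARY"
            set keep-alive-timer 10
            set holdtime-timer 30
        next
        edit "10.255.2.2"
            set remote-as 65002
            set update-source "vpn-dr"
            set route-map-in "RM-FROM-DR"
            set keep-alive-timer 10
            set holdtime-timer 30
        next
    end
end

# Verify which copy of the prefix is selected (primary while it is up):
# get router info bgp network 172.16.0.0/24
```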

Toshi_Esumi
SuperUser
September 16, 2025

It's possible to do it with static routes with either an admin distance or a priority difference. But to fail over and fail back automatically, you have to set up a detection mechanism like link-monitor to the primary datacenter to remove the higher-preference static routes when it becomes unreachable. Less elegant.

Toshi