jvictores1
New Member
April 8, 2026
Question

Site-to-site VPN with overlapping subnets

  • April 8, 2026
  • 1 reply
  • 131 views

Can Site-to-Site VPN between HQ and a Branch be implemented with overlapping subnets? In this case, four subnets are going to be used at each site. Therefore, I would like to know if overlapping works fine for more than one single subnet.

Thanks.

1 reply

Toshi_Esumi
SuperUser
April 8, 2026

Depending on your definition of "overlapping works fine", yes or no.
Having the same subnet(s) on both sides doesn't break things for the other subnets to communicate with each other. Obviously one side can't access the hosts in the overlapping subnets on the other end if the same IPs exist and reply to ARP requests from the local FGT.
If you have to be able to reach those overlapping IP devices on the other end, you have to set up SNAT/DNAT like in this admin guide.
https://docs.fortinet.com/document/fortigate/7.6.6/administration-guide/426761/site-to-site-vpn-with-overlapping-subnets

But I would recommend changing subnets to avoid the conflict. Otherwise you are just pushing trouble caused by the conflict to a future time.

Toshi

jvictores1
New Member
April 8, 2026

Hi Toshi, yes, I am planning to set up SNAT/DNAT. My question is specifically about the number of subnets that need to traverse the tunnel. Documentation only shows one overlapping subnet. In my case, it would be four subnets and we don't want to change the addressing. Basically, we want to "extend" some of the HQ subnets to that branch.

Hope I have explained my scenario well.

Cheers.

Toshi_Esumi
SuperUser
April 8, 2026

The number of subnets shouldn't matter. You just need to have a matching number of intermediate subnets for the SNAT/DNAT conversions.

Toshi
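An added worked example (not from the thread or the Fortinet guide) of the "one intermediate subnet per overlapping subnet" plan the reply describes, generalized to N overlapping subnets. It assumes the usual pattern for this kind of setup: hosts address the remote site by its intermediate subnet, the sending FortiGate SNATs the source into its own intermediate subnet, and the receiving FortiGate DNATs the destination from its intermediate subnet back to the real one, one-to-one with the host offset preserved. All subnets, pools and host addresses below are constructed sample values; `build_plan`, `check_plan`, `translate`, `trace_hq_to_branch` and `phase2_selectors` are names chosen here, not FortiOS objects.

```python
"""Plan and sanity-check address translation for a site-to-site VPN whose
LAN subnets exist at both ends (constructed example, not vendor code).

Model (assumption, matching the usual SNAT/DNAT approach):
  * each real subnet present at BOTH sites gets two disjoint intermediate
    subnets of the same prefix length, one per site;
  * the sending FortiGate SNATs the source into its own intermediate subnet;
  * the receiving FortiGate DNATs the destination from its intermediate
    subnet back to the real subnet (one-to-one, host offset preserved);
  * the tunnel's phase-2 selectors carry only intermediate prefixes.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample: four subnets that overlap (exist at HQ and at the branch).
REAL_SUBNETS = [ip_network(s) for s in
                ("10.1.10.0/24", "10.1.20.0/24", "10.1.30.0/24", "10.1.40.0/25")]
# Constructed sample: unused ranges each side translates into.
HQ_POOL = ip_network("172.16.0.0/16")      # HQ hosts appear here to the branch
BRANCH_POOL = ip_network("172.17.0.0/16")  # branch hosts appear here to HQ


@dataclass(frozen=True)
class Mapping:
    real: IPv4Network          # the overlapping subnet (same at both sites)
    hq_xlat: IPv4Network       # HQ-side intermediate subnet (SNAT at HQ, DNAT at branch)
    branch_xlat: IPv4Network   # branch-side intermediate subnet (SNAT at branch, DNAT at HQ)


def _carve(pool, prefixlen, taken):
    """First block of the requested size in `pool` overlapping nothing already in use."""
    for cand in pool.subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(t) for t in taken):
            return cand
    raise ValueError(f"pool {pool} exhausted for /{prefixlen}")


def build_plan(real_subnets, hq_pool, branch_pool):
    """One intermediate subnet per real subnet per site, same prefix length each time."""
    plan, taken = [], list(real_subnets)   # real subnets are off-limits too
    for real in real_subnets:
        h = _carve(hq_pool, real.prefixlen, taken)
        taken.append(h)
        b = _carve(branch_pool, real.prefixlen, taken)
        taken.append(b)
        plan.append(Mapping(real, h, b))
    return plan


def check_plan(plan):
    """Every subnet in play must be disjoint from every other; sizes must match."""
    nets = [n for m in plan for n in (m.real, m.hq_xlat, m.branch_xlat)]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"conflict: {a} overlaps {b}")
    for m in plan:
        if not (m.real.prefixlen == m.hq_xlat.prefixlen == m.branch_xlat.prefixlen):
            raise ValueError(f"prefix length mismatch in {m}")
    return True


def translate(addr, src_net, dst_net):
    """One-to-one NAT: swap the network part, keep the host offset."""
    addr = ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return IPv4Address(int(dst_net.network_address) + offset)


def trace_hq_to_branch(plan, hq_src, branch_dst_real):
    """(src, dst) as seen on the HQ LAN, inside the tunnel, and on the branch LAN
    for a packet from an HQ host to a branch host. The reply path is the mirror
    image: branch SNATs into branch_xlat, HQ DNATs hq_xlat back to real."""
    hq_src, branch_dst_real = ip_address(hq_src), ip_address(branch_dst_real)
    m_src = next(m for m in plan if hq_src in m.real)
    m_dst = next(m for m in plan if branch_dst_real in m.real)
    wire_dst = translate(branch_dst_real, m_dst.real, m_dst.branch_xlat)  # what the HQ host dials
    wire_src = translate(hq_src, m_src.real, m_src.hq_xlat)               # SNAT at HQ FGT
    inside_dst = translate(wire_dst, m_dst.branch_xlat, m_dst.real)       # DNAT at branch FGT
    return {
        "hq_lan": (hq_src, wire_dst),
        "tunnel": (wire_src, wire_dst),
        "branch_lan": (wire_src, inside_dst),
    }


def phase2_selectors(plan):
    """Selector pairs the tunnel needs: intermediate prefixes only, never the overlap."""
    return [(m.hq_xlat, m.branch_xlat) for m in plan]


if __name__ == "__main__":
    plan = build_plan(REAL_SUBNETS, HQ_POOL, BRANCH_POOL)
    check_plan(plan)
    for m in plan:
        print(f"{m.real}  HQ->{m.hq_xlat}  branch->{m.branch_xlat}")
    for hop, (s, d) in trace_hq_to_branch(plan, "10.1.10.5", "10.1.10.5").items():
        print(f"{hop:11} src={s} dst={d}")
```

The point the trace makes: two hosts that both hold 10.1.10.5 can talk, because neither side ever sees the other's real address, and adding a fifth or tenth overlapping subnet is just another `Mapping` (two more VIP/IP-pool objects and one more selector pair on a FortiGate), which is why the count does not matter as long as the intermediate ranges never collide with anything.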