Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Raghu_Kumar
Staff
Staff

Created on ā€Ž08-24-2024 06:11 AM Edited on ā€Ž08-21-2025 03:51 AM By Community Manager

Article Id 336029

Technical Tip: Configuring IPsec VPN with NAT on FortiGate to Handle Overlapping Subnets between SITE-B and SITE-A

Description This article describes how to configure an IPsec VPN between two FortiGate devices where traffic coming from SITE-B which should be NATed. The traffic from SITE-B must be NATed because SITE-B and SITE-C use the same subnet, and it is desired to avoid conflicts when connecting to a server at SITE-A.
Scope FortiGate.
Solution

To configure the IPsec VPN between SITE-B and SITE-A, where the traffic from SITE-B is NATed, follow these steps:

 

  • Create the IPsec VPN Tunnel on SITE-B and SITE-A:
    • Configure the VPN tunnel on both FortiGate devices (SITE-A and SITE-B) as done for any site-to-site VPN connection.
    • Ensure that the tunnel interfaces are correctly set up and that the phase 1 and phase 2 configurations match between both sites.

  • Configure the IPv4 Policy on SITE-B:
    • Navigate to Policy & Objects -> Firewall Policy on SITE-B.
    • Create a new IPv4 policy for the traffic that should be sent through the VPN tunnel to SITE-A.
    • In the policy, enable NAT and select an appropriate IP Pool. This will NAT the traffic coming from SITE-B to an IP address or range that does not conflict with SITE-C.
    • Ensure that the IP Pool is correctly configured with an IP address or range that is unique and does not overlap with any subnets used by SITE-C.

  • Create the IP Pool on SITE-B:
    • Navigate to Policy & Objects -> IP Pools.
    • Create a new IP Pool with the IP address range that should be used for NATing the traffic from SITE-B.
    • Assign this IP Pool to the IPv4 policy created in the previous step.

  • Configure the IPv4 Policy on SITE-A:
    • On SITE-A, ensure that there is a corresponding IPv4 policy to accept traffic from the NATed IP addresses (from SITE-B) and route it to the server located at SITE-A.

 

Site A subnet: 192.168.10.0/24.

Actual Site B subnet: 192.168.20.0/24, which will be NATed to 172.16.20.0/24.

 

In this scenario, the Phase 2 configuration on Site B will be:

Local Address: 172.16.20.0/24.

Remote Address: 192.168.10.0/24.

 

And the phase 2 configuration on site A will be:

Local Address: 192.168.10.0/24.

Remote Address: 172.16.20.0/24.

 

  • Verify the Configuration:
    • Test the VPN connection to ensure that traffic from SITE-B is correctly NATed and that users at SITE-B can access the server at SITE-A without any issues.
    • Monitor the traffic logs to ensure that there are no conflicts with SITE-Cā€™s subnet.

Diagram Example:

Scenario:

  • SITE-A Subnet: 192.168.10.0/24 (Server IP: 192.168.10.100).
  • SITE-B Subnet: 192.168.20.0/24 (conflicts with SITE-C).
  • NAT IP Pool on SITE-B: 172.16.20.0/24.
  • VPN Tunnel: Secure connection between SITE-A and SITE-B.

 

kb.PNG

 

Traffic Flow:

  1. From SITE-B: Traffic from the subnet 192.168.20.0/24 is NATed to 172.16.20.0/24 when it passes through FortiGate-B.
  2. Through VPN Tunnel: The NATed traffic (172.16.20.0/24) passes securely through the IPsec VPN tunnel.
  3. To SITE-A: Traffic reaches SITE-A's server (192.168.10.100) without conflicts.

 

Related article:

Technical Tip: How to configure an IPsec tunnel with Overlapping Subnets using VIPs 
8096
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.