FortiGate
Mrinmoy
Staff
Article Id 217333
Description

This article describes how to configure a site-to-site IPsec VPN in Central SNAT mode when the two sites have overlapping subnets.
Scope

FortiGate 6.0 or above.

Solution

Consider two sites (head office and branch). The following configuration sets up a site-to-site IPsec VPN based on these criteria:

1) Route-based VPN.

2) Overlapping networks: both sites have the same LAN subnet, 192.168.1.0/24.

3) The head office firewall uses Central SNAT.

4) The branch office firewall uses policy-based NAT.

Because the LAN subnet 192.168.1.0/24 overlaps, each site is translated to a distinct subnet across the tunnel: 10.10.1.0/24 for the head office and 10.10.2.0/24 for the branch.

 

****************************************************************

Configure the VPN in the head office firewall:

1) Create a new VPN connection (VPN --> IPsec Tunnels --> Create New).

2) Configure the VPN. Here the authentication method is a pre-shared key. The remote IP is the WAN IP of the branch office firewall.

3) Create two static routes (Network --> Static Routes): one for the remote subnet 10.10.2.0/24 and another blackhole route.

Static Route-1: Branch office subnet.

Static Route-2: Blackhole.

4) Create two addresses (Policy & Objects --> Addresses).

The first address is the head office's original subnet, 192.168.1.0/24; the second is the branch office's new (translated) subnet, 10.10.2.0/24.

Address 1: Head office original IP.

Address 2: Branch office new IP.

5) Create an IP pool (Policy & Objects --> IP Pools) for the head office's new NATed subnet, 10.10.1.0/24.

6) Create a virtual IP (Policy & Objects --> DNAT & Virtual IPs) that maps the new subnet 10.10.1.0/24 back to the original subnet 192.168.1.0/24.

7) Create two firewall policies (Policy & Objects --> Firewall Policy): one outbound (head office to branch) and one inbound (branch to head office).

Outbound policy (head office to branch):

Inbound policy (branch to head office):

8) Finally, create a Central SNAT policy (Policy & Objects --> Central SNAT) for the outbound traffic.

For inbound traffic, the virtual IP object 'Head-Office-New-IP-To-Original-IP' performs the DNAT, so no NAT needs to be added to the inbound policy.
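
Head office steps 5 to 8 above, as an equivalent CLI configuration (an added, constructed example, not the article's own): it assumes Central NAT is already enabled on the head office unit (the article's precondition), a LAN interface named 'lan', a tunnel interface named 'to-branch', and the address objects 'HO-LAN-Original' and 'Branch-New-Subnet' from step 4. The fixed-port-range pool type is also an assumption the article does not state; it is chosen so that 192.168.1.x is always translated to 10.10.1.x, the same mapping the virtual IP reverses for inbound traffic.

```fortios
config firewall ippool
    edit "HO-New-Subnet-Pool"
        set type fixed-port-range
        set startip 10.10.1.1
        set endip 10.10.1.254
        set source-startip 192.168.1.1
        set source-endip 192.168.1.254
    next
end
config firewall vip
    edit "Head-Office-New-IP-To-Original-IP"
        set extip 10.10.1.1-10.10.1.254
        set extintf "to-branch"
        set mappedip "192.168.1.1-192.168.1.254"
    next
end
config firewall central-snat-map
    edit 1
        set srcintf "lan"
        set dstintf "to-branch"
        set orig-addr "HO-LAN-Original"
        set dst-addr "Branch-New-Subnet"
        set nat-ippool "HO-New-Subnet-Pool"
        set nat enable
    next
end
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "to-branch"
        set srcaddr "HO-LAN-Original"
        set dstaddr "Branch-New-Subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "to-branch"
        set dstintf "lan"
        set srcaddr "Branch-New-Subnet"
        set dstaddr "Head-Office-New-IP-To-Original-IP"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To verify the translation, run `diagnose sniffer packet to-branch 'host 10.10.1.11' 4` on the head office unit while the test PC 192.168.1.11 sends traffic to the branch: packets should leave the tunnel with source 10.10.1.11 and return traffic to 10.10.1.11 should arrive on it.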

*****************************************************************

Configure the VPN in the branch office firewall:

1) Create a new VPN connection (VPN --> IPsec Tunnels --> Create New).

2) Configure the VPN. Here the authentication method is a pre-shared key. The remote IP is the WAN IP of the head office firewall.

3) Create two static routes (Network --> Static Routes): one for the remote subnet 10.10.1.0/24 and another blackhole route.

Static Route-1: For the head office subnet.

Static Route-2: Blackhole.

4) Create two addresses (Policy & Objects --> Addresses).

The first address is the branch office's original subnet, 192.168.1.0/24; the second is the head office's new (translated) subnet, 10.10.1.0/24.

Address-1: Branch office original IP.

Address-2: Head office new IP.

5) Create an IP pool (Policy & Objects --> IP Pools) for the branch office's new NATed subnet, 10.10.2.0/24.

6) Create a virtual IP (Policy & Objects --> Virtual IPs).

7) Create two firewall policies (Policy & Objects --> Firewall Policy): one outbound (branch to head office) and one inbound (head office to branch).

NAT must be enabled on the outbound policy; the inbound policy does not require NAT.

Policy-1: Outbound (branch to head office).

Policy-2: Inbound (head office to branch).

***************************************************************

Test the configuration:

After the configuration is complete, both tunnels should be up.

From the head office, test from the PC with IP 192.168.1.11.

From the branch office, test from the PC with IP 192.168.1.22.
