FortiGate
kaurs
Staff
Article Id 277176
Description This article describes how to manually configure a local device with an IP address from the remote subnet of an IPsec tunnel and access it from the remote side.
Scope FortiGate, all firmware.
Solution

This article explains how to configure devices on the local side with an IP address from the remote subnet of the IPsec tunnel.

 

For example:

 

Local subnet - 192.168.10.0/24 

 

Remote subnet - 192.168.20.0/24

 

If a few of the devices on the local side need to take an IP address from 192.168.20.0/24 (the remote subnet), follow the procedure below.

 

Topology used for this article:

 

192.168.20.0/24 ---(.1) (Remote-FortiGate) --- IPsec tunnel --- (Local-FortiGate) (.1)--- 192.168.10.0/24 --- Host (which is required to be in the remote subnet 192.168.20.0/24, for instance a printer).

 

This assumes the IPsec tunnel is already configured.

 

  • First, assign a static IP address to the host. 192.168.20.5 is used in this example, and the gateway is set to 192.168.10.1, which is the IP address of the local FortiGate port the device is connected to.

 Picture1.png

 

  • Then configure a static route on the local FortiGate where the host is connected. The device should have Internet access now.

    Picture2.png

 

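  • Now, if this host needs to access something on Remote-FortiGate, or vice versa, proxy ARP must be configured on Local-FortiGate. The interface value below is a placeholder: replace it with the Local-FortiGate interface the host is connected to.

config system proxy-arp
    edit 1
        set interface "<lan-interface>"
        set ip 192.168.20.1
        set end-ip 192.168.20.10
    next
end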

 

  • The last step is to configure a static route on Remote-FortiGate with the interface set to tunnel_interface.

 

Picture3.png

Both FortiGates should now be able to reach the host 192.168.20.5, and vice versa.

 

Picture4.png

 

Picture5.png
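
The following added example (not part of the original article and not Fortinet code) models longest-prefix-match route selection to show why both static routes are needed and checks which addresses fall inside the proxy-arp range. It assumes the static routes are /32 host routes for 192.168.20.5, since the screenshots are not available here; the interface names "lan" and "tunnel" are hypothetical.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: return the egress interface for dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def proxy_arp_covers(start, end, addr):
    """True if addr lies inside the inclusive proxy-arp range start..end."""
    a = ipaddress.ip_address
    return a(start) <= a(addr) <= a(end)

HOST = "192.168.20.5"

# Constructed routing tables before the procedure (interface names hypothetical).
local_before = [("192.168.10.0/24", "lan"), ("192.168.20.0/24", "tunnel")]
remote_before = [("192.168.20.0/24", "lan"), ("192.168.10.0/24", "tunnel")]

# Assumption: the static routes added in the procedure are /32 host routes.
local_after = local_before + [(HOST + "/32", "lan")]
remote_after = remote_before + [(HOST + "/32", "tunnel")]

def report():
    """Egress interface chosen for the host on each FortiGate, before and after."""
    return {
        "local_before": lookup(local_before, HOST),
        "local_after": lookup(local_after, HOST),
        "remote_before": lookup(remote_before, HOST),
        "remote_after": lookup(remote_after, HOST),
    }

if __name__ == "__main__":
    for name, iface in report().items():
        print(f"{name:14} -> {iface}")
    # Addresses the Local-FortiGate answers ARP for, per the proxy-arp entry.
    for addr in ("192.168.20.1", "192.168.20.10", "192.168.20.11"):
        print(addr, proxy_arp_covers("192.168.20.1", "192.168.20.10", addr))
```

Without the host routes, each FortiGate forwards traffic for 192.168.20.5 the wrong way (into the tunnel on the local side, onto the LAN on the remote side); the more specific /32 entries override the /24 routes.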