Description | This article describes how to configure an IPsec tunnel with Overlapping Subnets using vips. |
Scope | FortiGate. |
Solution |
This method is used as a workaround if changing the subnet is not possible. The real fix for this issue is to change the subnet on one side. Only use this method as a last resort. This article describes two scenarios:
Scenario 1: Overlapping subnets, subnet-to-subnet NAT for a single IPsec tunnel
Scenario 2: Subnet-to-subnet NAT for two or more IPsec tunnels
Scenario 1: Overlapping subnets, subnet to subnet NAT for a single IPsec tunnel
Note that 1.1.1.0/24 and 2.2.2.0/24 subnets are used as examples. Use a private IP range for configuration.
The purpose of this VIP is to translate traffic coming from 1.1.1.0 to the internal subnet 10.10.10.0. For example, inbound traffic with destination 1.1.1.46 will be routed to 10.10.10.46.
Otherwise, this can cause routing issues from LAN to WAN.
This route says that to reach 2.2.2.0/24, send the traffic over the IPsec tunnel.
Note: To avoid needing an IP Pool for SNAT (for example, when specific subnets are used so that both sites can communicate), set nat-source-vip enable and set srcintf-filter <the VPN interface> in the VIP configuration (FortiOS 7.0 and above). The outgoing policy then does not need an IP Pool.
This route says that to reach 1.1.1.0/24, send the traffic over the IPsec tunnel.
The same applies to computer 10.10.10.56, which wants to communicate with computer 10.10.10.22: computer 10.10.10.56 will need to send its traffic to the newly assigned subnet, using 1.1.1.22 as the destination.
If the issue persists, contact Fortinet Support for more assistance.
Scenario 2: Subnet-to-subnet NAT for two or more IPsec tunnels
It is a common requirement to have primary and backup tunnels to a location. When a subnet-to-subnet NAT is needed, it must be applied to both IPsec tunnels. The solution described below scales to one or more IPsec tunnels as needed.
Requirements:
1. FG1 LAN (192.168.10.0/24) should have internet access via SNAT (PAT in this case) to the WAN interface IP address, 1.1.1.254.
2. Traffic initiated from the FG1 LAN towards either of the IPsec tunnels (to FG2 or FG3) should undergo a subnet-to-subnet SNAT (source NAT) from 192.168.10.0/24 to 10.200.200.0/24, so that when traffic reaches FG2 or FG3, the source network is observed to be 10.200.200.0/24.
3. Traffic initiated from the FG2 or FG3 LAN networks (192.168.20.0/24 and 192.168.30.0/24 respectively) towards 10.200.200.0/24 should reach FG1 and undergo DNAT (destination NAT) to the FG1 LAN network 192.168.10.0/24.
Configuration: IPsec settings, policy and routes for tunneled networks:
FG1 configuration:
The most significant part of this scenario is having 'srcintf-filter' configured on the VIP (CLI only as of FortiOS 7.4.5/7.6.0). This ensures that the internet-bound traffic policy (step 2) works correctly with standard interface NAT enabled. Without this setting, every firewall policy not destined to the tunnels towards FG2 and FG3 that requires NAT for the FG1 LAN network would need an IP Pool for the intended NAT to take place; if only interface NAT is turned on for such a policy, its traffic is also SNATed according to the subnet-to-subnet VIP created for the tunnel traffic. This is due to the order of precedence between interface NAT, DNAT and IP Pool, as discussed in the referenced article.
config firewall vip
    edit "sub-to-sub"
        set extip 10.200.200.1-10.200.200.254
        set mappedip "192.168.10.1-192.168.10.254"
        set extintf "any"
        set srcintf-filter "to-FG2" "to-FG3" "1to6"
    next
end
config firewall policy
    edit 28
        set name "lan to WAN INET"
        set srcintf "port3"
        set dstintf "port4"
        set action accept
        set srcaddr "Obj-192.168.10.0/24"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "default"
        set logtraffic all
        set logtraffic-start enable
        set nat enable    # <- PAT, to WAN interface IP address.
    next
end
config firewall policy
    edit 9
        set name "lan to FG2"
        set srcintf "port3"
        set dstintf "to-FG2"
        set action accept
        set srcaddr "Obj-192.168.10.0/24"
        set dstaddr "192.168.20.0/24"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
config firewall policy
    edit 24
        set name "lan to FG3"
        set srcintf "port3"
        set dstintf "to-FG3"
        set action accept
        set srcaddr "to3_local"
        set dstaddr "to3_remote"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
Although interface NAT is turned on here, the traffic is SNATed to 10.200.200.0/24 as per the VIP configuration, since DNAT takes precedence over interface NAT as described in the article referenced in Step 1.
config firewall policy
    edit 20
        set name "from FG2"
        set srcintf "to-FG2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "sub-to-sub"
        set schedule "always"
        set service "ALL"
    next
end
config firewall policy
    edit 26
        set name "from FG3"
        set srcintf "to-FG3"
        set dstintf "port3"
        set action accept
        set srcaddr "to3_remote"
        set dstaddr "sub-to-sub"
        set schedule "always"
        set service "ALL"
    next
end
Verification:
Initiate traffic towards the internet (for example, 8.8.8.8), the FG2 LAN and the FG3 LAN, and observe the NAT translations.
Ping:
NAT Translations:
FG1 # get sys session li | grep 'PROTO\|8.8.8.8\|192.168.20\|192.168.30'
PROTO   EXPIRE  SOURCE            SOURCE-NAT        DESTINATION        DESTINATION-NAT
icmp    43      192.168.10.2:1    1.1.1.254:60418   8.8.8.8:8          -
icmp    55      192.168.10.2:1    10.200.200.2:1    192.168.20.254:8   -
icmp    57      192.168.10.2:1    10.200.200.2:1    192.168.30.30:8    -
When traffic is initiated from the FG2 and FG3 LANs towards the FG1 LAN PC:
FG1 # get sys session li | grep 'PROTO\|8.8.8.8\|192.168.20\|192.168.30'
PROTO   EXPIRE  SOURCE                SOURCE-NAT   DESTINATION       DESTINATION-NAT
icmp    42      192.168.20.254:3108   -            10.200.200.2:8    192.168.10.2:3108
icmp    59      192.168.30.30:3339    -            10.200.200.2:8    192.168.10.2:3339
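As an added example (not part of the Fortinet article), the following Python script audits a pasted 'get sys session li' table against the Scenario 2 design: tunnel-bound traffic must be SNATed 1:1 into 10.200.200.0/24, internet-bound traffic must be PATed to 1.1.1.254, and inbound tunnel traffic must be DNATed back to 192.168.10.0/24. The constants and the sample rows are constructed from the article's topology; the extra 192.168.10.7 row is constructed to show what the session table looks like when srcintf-filter is missing from the VIP.

```python
import ipaddress
# Topology from the article (FG1 side); these constants are this example's own, not FortiOS settings.
LAN = ipaddress.ip_network("192.168.10.0/24")         # FG1 LAN, the VIP's mappedip range
VIP_EXT = ipaddress.ip_network("10.200.200.0/24")     # the VIP's extip range
WAN_IP = ipaddress.ip_address("1.1.1.254")            # PAT address for internet-bound traffic
TUNNEL_LANS = [ipaddress.ip_network(n) for n in ("192.168.20.0/24", "192.168.30.0/24")]  # FG2, FG3

def map_1to1(addr, src_net, dst_net):
    """Subnet-to-subnet NAT keeps the host part: 192.168.10.46 -> 10.200.200.46."""
    return ipaddress.ip_address(int(dst_net.network_address) + int(addr) - int(src_net.network_address))

def parse_session(line):
    """Parse one 'get sys session li' row; None for the prompt, header or unrelated lines."""
    cols = line.split()
    if len(cols) != 6 or not cols[1].isdigit():
        return None
    ip = lambda v: None if v == "-" else ipaddress.ip_address(v.rsplit(":", 1)[0])
    return {"src": ip(cols[2]), "snat": ip(cols[3]), "dst": ip(cols[4]), "dnat": ip(cols[5])}

def expected(s):
    """NAT field the design requires for this session and the address it must hold (or None)."""
    if s["src"] in LAN and any(s["dst"] in n for n in TUNNEL_LANS):
        return "snat", map_1to1(s["src"], LAN, VIP_EXT)   # tunnel-bound: VIP subnet-to-subnet SNAT
    if s["src"] in LAN:
        return "snat", WAN_IP                              # internet-bound: interface PAT only
    if any(s["src"] in n for n in TUNNEL_LANS) and s["dst"] in VIP_EXT:
        return "dnat", map_1to1(s["dst"], VIP_EXT, LAN)    # inbound: VIP DNAT back to the real LAN
    return None

def audit(output):
    """Return one finding per session row whose translation differs from the intended design."""
    findings = []
    for line in output.splitlines():
        s = parse_session(line)
        rule = expected(s) if s else None
        if rule is None:
            continue
        field, want = rule
        if s[field] != want:
            msg = f"{s['src']} -> {s['dst']}: {field.upper()} is {s[field]}, expected {want}"
            if field == "snat" and want == WAN_IP and s["snat"] is not None and s["snat"] in VIP_EXT:
                msg += " (VIP SNAT applied to non-tunnel traffic: check srcintf-filter on the VIP)"
            findings.append(msg)
    return findings

# Constructed sample: the article's session rows plus one row (192.168.10.7) showing the
# failure mode seen when srcintf-filter is missing: internet-bound traffic SNATed by the VIP.
SAMPLE = """PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
icmp 43 192.168.10.2:1 1.1.1.254:60418 8.8.8.8:8 -
icmp 55 192.168.10.2:1 10.200.200.2:1 192.168.20.254:8 -
icmp 42 192.168.20.254:3108 - 10.200.200.2:8 192.168.10.2:3108
icmp 61 192.168.10.7:1 10.200.200.7:1 8.8.8.8:8 -"""
```

Running audit(SAMPLE) reports only the 192.168.10.7 row, which is the symptom to look for after an upgrade or a VIP change that drops srcintf-filter.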
Copyright 2024 Fortinet, Inc. All Rights Reserved.