kimrdk
New Contributor II

Conflicts with existing local subnet

Hi forum :)

 

My local FortiGate has a few different interfaces set up. I'm now trying to set up a VPN connection between my firewall and another third-party firewall which I don't have control over (Unifi EdgeRouter Lite).

 

The issue is that the other end's subnet overlaps with one of my local subnets.

 

I'm trying to set up the VPN on my "DMZ" interface, which does not overlap with the other site. Only my LAN interfaces do, and they won't be used in this VPN connection.

 

I have seen https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/Gtwy_Gtwy_Config/How_to_... but that's not exactly my situation.

 

Best Regards

Kim

kimrdk
New Contributor II

I've also found: https://forum.fortinet.com/tm.aspx?m=154954

But I may not be able to NAT anything at the other end.

I'll look into Policy routing, if there isn't any other way around this.

Toshi_Esumi
Esteemed Contributor III

The first option is to re-subnet either the local or the remote LAN to avoid the conflict, which is probably not an option.

 

The second option, which would be the best but might not be the easiest, is to ask the 3rd party on the other end to SNAT their overlapping source IPs/subnet. Otherwise, a routing problem happens on the local end when you try routing into the tunnel while the destination exists locally. You don't need NAT on the local side since the remote end doesn't need to reach the destinations that are overlapping.

 

Although the above second option should be relatively easy to implement with any FWs, if it's absolutely not an option for political, financial, or whatever the reason is, the second option is to separate the DMZ into a vdom and set the tunnel from the DMZ vdom. Then you have to set up SNAT on the local LAN vdom to avoid the routing conflict when the DMZ needs to route both to the tunnel destinations and, via the vdom-link, to the local LAN destinations.

 

 
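The routing conflict described in the original question and in the reply above can be checked before touching the firewall. The following is an added example, not code from the thread or from Fortinet: it uses Python's standard `ipaddress` module to list which local interface subnets overlap the remote VPN subnet, and then simulates the route lookup a firewall performs (longest prefix match, with the connected route preferred over a static tunnel route of equal length) to show why traffic for the overlapping range never enters the tunnel, and why it does once the remote end presents a SNATed range instead. All addresses, interface names and the `172.16.1.0/24` SNAT range are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample addressing (not the poster's real networks).
LOCAL_INTERFACES: Dict[str, ipaddress.IPv4Network] = {
    "lan1": ipaddress.ip_network("192.168.1.0/24"),
    "lan2": ipaddress.ip_network("192.168.10.0/24"),
    "dmz": ipaddress.ip_network("10.50.0.0/24"),
}
# Remote site's LAN as seen through the tunnel: overlaps lan1 above.
REMOTE_SUBNET = ipaddress.ip_network("192.168.1.0/24")
# Hypothetical range the remote end would SNAT its hosts to (option two in the reply).
REMOTE_SNAT_SUBNET = ipaddress.ip_network("172.16.1.0/24")


def find_overlaps(local_ifaces: Dict[str, ipaddress.IPv4Network],
                  remote: ipaddress.IPv4Network) -> List[str]:
    """Return the local interface names whose subnet overlaps the remote VPN subnet."""
    return sorted(name for name, net in local_ifaces.items() if net.overlaps(remote))


def build_routes(local_ifaces: Dict[str, ipaddress.IPv4Network],
                 tunnel_dst: ipaddress.IPv4Network) -> List[dict]:
    """Model the routing table: one connected route (distance 0) per interface,
    plus one static route for the remote subnet pointing into the tunnel (distance 10)."""
    routes = [{"net": net, "iface": name, "distance": 0}
              for name, net in local_ifaces.items()]
    routes.append({"net": tunnel_dst, "iface": "vpn-tunnel", "distance": 10})
    return routes


def route_lookup(routes: List[dict], dst: str) -> Optional[str]:
    """Longest-prefix match; on equal prefix length the lower administrative
    distance wins, so a connected route beats a static tunnel route."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst_ip in r["net"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["net"].prefixlen, -r["distance"]))
    return best["iface"]


def report(local_ifaces: Dict[str, ipaddress.IPv4Network],
           remote: ipaddress.IPv4Network, probe: str) -> str:
    """Human-readable summary of the overlap check and the resulting route decision."""
    overlaps = find_overlaps(local_ifaces, remote)
    egress = route_lookup(build_routes(local_ifaces, remote), probe)
    return (f"remote {remote}: overlapping local interfaces = {overlaps or 'none'}; "
            f"traffic to {probe} egresses via {egress}")


if __name__ == "__main__":
    # Overlapping case: the connected lan1 route swallows the tunnel traffic.
    print(report(LOCAL_INTERFACES, REMOTE_SUBNET, "192.168.1.10"))
    # After the remote end SNATs to a non-overlapping range, the tunnel route is used.
    print(report(LOCAL_INTERFACES, REMOTE_SNAT_SUBNET, "172.16.1.10"))
```

Running the script shows the two outcomes side by side: with the overlap present, a packet for a remote host is delivered to the local `lan1` interface and never reaches the tunnel, regardless of which interface the tunnel itself is bound to; once the remote side is seen as a distinct range, the static tunnel route is the only match.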

kimrdk
New Contributor II

What about policy routing? Can I configure all traffic from this one device on my local "DMZ" interface to the overlapping subnet to go through the VPN tunnel?

Toshi_Esumi
Esteemed Contributor III

I haven't tried policy routes against locally connected routes. Wait for somebody else to chime in.

