Hi,
I am trying to create "Overlapping subnets for a VPN tunnel" The VPN is UP, but there is no traffic flowing through Tunnel.
I have create Policies but when I checked the Route table, there was no Static Route created by the Wizard, I tried recreating the Tunnel still no Route... Created "Custom", "The remote Site behind NAT" etc. etc. Its not creating Static route.
I tried manually creating static routes still no traffic flow.
Remote LAN: 10.20.30.0/24
Nated IP: 100.100.100.100
Gateway : 70.70.70.70
Local LAN, 192.168.45.0/24
Any help/pointers will be appreciated
Thank you
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
you can refeere to this document:
To configure the IP Pool:
Hello @FortiG-User ,
Did you configure your tunnel phase 2 network with natted IP address?
Also, you can review this document. This document tells how can you configure IPsec with overlapping subnets.
Thank you for your reply..
Yes, Created with Remote natted IP address 100.100.100.100
The Tunnel is Up, but traffic is not routing.. if I do ping or tracert it.. it goes out of WAN1 to External IP's not going via Tunnel
Hello @FortiG-User ,
Can you create a static route like this?
Destination: 100.100.100.100/32 (if you have a bigger subnet, you can change this area with this subnet)
Interface: IPsec name
Thank you for your reply..
Created static route Destination 100.100.100.100/32 GW 0.0.0.0 Interface VPN_Tunnel
Still no reply to Ping.. 10.20.30.1 (this has ICMP enabled on it) or natted GW 100.100.100.100
Thank you
Hello @FortiG-User ,
Can you check traffic flow with this command?
We will understand with this command, whether your traffic goes through the ipsec tunnel or not.
diagnose sniffer packet any 'host 100.100.100.100' 4 a
After running this command can you start a ping to the destination?
Hi,
Thank you for your reply..
After executing the command diagnose sniffer packet any 'host 100.100.100.100' 4 a and pinging the IP...
Its going out Via WAN1...
The VPN tunnel is setup with WAN2
Thank you
Hello @FortiG-User ,
I was confused, I thought the remote site nat IP 100.100.100.100. You need to update your route with 10.20.30.0/24. After this can you run this command again?
Destination: 10.20.30.0/24
Interface: IPsec name
diagnose sniffer packet any 'host 10.20.30.x' 4 a ( x should be change with remote host address)
Created on 04-08-2024 02:55 AM Edited on 04-08-2024 02:59 AM
Hi,
if the remote IP is 10.20.30.1 you have to add static route to this subnet not for 100.100.100.100
if you NAT your local network with this adress you have to add static route like :
Destination 10.20.30.0/24 GW 0.0.0.0 Interface VPN_Tunnel
and in your policy source : 192.168.45.0/24 Destination 10.20.30.0/24 NAT : 100.100.100.100
Hi,
Thank you for your reply...
policy source : 192.168.45.0/24 Destination 10.20.30.0/24 NAT : 100.100.100.100
How to NAT via 100.100.100.100, in the Policy.. I am doing this via GUI
Thank you
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.