Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
johnwillsmith
New Contributor

Fortigate 90E / Virtual network ?

Hello,

I need to create a VPN between our agency (using Fortigate 90E) and an external consulting company (using Cisco router). There would be no problem to create the S2S VPN between the two sites, except that our subnet is already known by the consulting company (192.168.1.0/24). So I can't create it for the moment.

Therefore, they asked me to set up a NAT or an equivalent technical solution for the VPN connection in order to be able to make appear our network like 192.168.7.0/24 or other, so that it does not come into conflict with the subnet 192.168.1.0/24 already known at external consulting company.  

 

I joined a diagram to understand the desired topology.

I do not know if it's very complicated or very simple, I may be missing the technical solution but I wanted to know if you had any idea about this implementation on an UTM Fortigate 90E.

 

Thank you in advance.

2 Solutions
ericli_FTNT
Staff
Staff

Hi John,

 

There is a document to explain the concept of resolving overlapping subnet over IPSEC vpn.

 

http://cookbook.fortinet.com/vpn-overlapping-subnets/

 

Please take a look before we could move forward. Thanks!

View solution in original post

sw2090

Yes but keep in mind that this coobook doc will only apply to firmware up to 5.2.5.

Ich you have 5.4.x or later on your 90E it won't work out. In this case use http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33872&sliceId=1... instead! I also mentioned that in the commentary section on the kb doc when I ran into that issue and the author confirmed that.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
9 REPLIES 9
ericli_FTNT
Staff
Staff

Hi John,

 

There is a document to explain the concept of resolving overlapping subnet over IPSEC vpn.

 

http://cookbook.fortinet.com/vpn-overlapping-subnets/

 

Please take a look before we could move forward. Thanks!

sw2090

Yes but keep in mind that this coobook doc will only apply to firmware up to 5.2.5.

Ich you have 5.4.x or later on your 90E it won't work out. In this case use http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33872&sliceId=1... instead! I also mentioned that in the commentary section on the kb doc when I ran into that issue and the author confirmed that.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
johnwillsmith

Hello,

 

Thank you for this solution. I better understand what was my problem. I set my router this afternoon in this direction and I'm waiting for return of the other company to find out if it works.

I'll keep you informed.

Thanks again.

 

John w.smith.

Asus

Hi Smith

 

kindly update how did you resolve this issue 

I am new to this FortiGate right now I have doubt you have tried Site to Site VPN you have faced same subnet issue  

why don't you try site to client VPN have to tried it means what kind of issue you have been faced let me know to educate myself  

Thanks & Regards

Asus

Thanks & Regards Asus
johnwillsmith

Hello,

The problem is not yet solved. We have managed to create the VPN tunnel (VPN tunnel is UP) but the communication is established for the moment only in one direction (from them to us). The ping works well from them to us but no packets transferred from us to their direction.

I asked them for a pingable address to understand why it does not work.

Regards,

John.

sw2090

Good to hear you got the VPN to work.

 

Do you have all required policies on both sides?

Oh and you have to use the VIP IPs to ping in _both_ directions.

Ping from there to you has to use your vip ip and if you want to ping them you have to use there vip ip.

All IPs in the subnet on each sides will be mapped to the corresponding vip subnet.

 

To use the image you attached before:

 

network_1 is 192.168.1.0/24 VIP'ed to 192.168.4.0/24

network_2 is 192.168.1.0/24 VIP'erd to 10.10.30.0/24

 

So if you want to ping 192.168.1.10 on network_1 from network_2 you have to ping 10.10.30.10 instead!

If you want to ping 192.168.1.10 on networtk_2 from network_1 you have to ping 192.168.4.10 instead!

 

You don't need to worry about the mapping...your vip on the FGT does that for you automagically ;)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
rwpatterson
Valued Contributor III

A quick test: Run a traceroute and see where the traffic goes.

 

The right way would be to sniff the tunnel port or run a debug flow trace.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
johnwillsmith
New Contributor

Hello,

Thank you all for your answers ! Indeed the VPN is working but the problem is no longer a problem of firewall rules I think. Our partner is trying to ping an IP address (1.16) that is on the same sub-network as ours (which exists on their side too). when they ping, it is not our 1.16 server (on our side) that responds, but the 1.16 on their sub-network 192.168.1.0/24 on their side.

I also launched a debug mode on this specific VPN but as the VPN is established, I do not necessarily encounter any error.

I asked them to be able to ping to their network or to perform a traceroute on a machine. I do not know if the problem comes from my UTM, their side (rules) or their configuration. I'm waiting for their return.

I put the picture already posted up to date.

 

Thank you in advance.

 

John

 

sw2090

Yes that's exactly what it does.

They have to have vip on their side too like described in the document I mentioned.

And then if they want to ping something on your side they have to use the corresponding vip ip addresss.

 

E.g.:

 

if your net is vip'ed to 10.1.1.0/24 on their side and they want to ping 192.168.1.16 on your side they have to ping the vip ip which would then be 10.1.1.16 instead . 

The same goes if they want to access anything on your side via ip-addresses. 

 

hth

Sebastian

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors