Hello,
I need to create a VPN between our agency (using a FortiGate 90E) and an external consulting company (using a Cisco router). There would be no problem creating the S2S VPN between the two sites, except that our subnet (192.168.1.0/24) is already in use at the consulting company. So I can't create it for the moment.
Therefore, they asked me to set up NAT or an equivalent technical solution for the VPN connection, in order to make our network appear as 192.168.7.0/24 or similar, so that it does not conflict with the 192.168.1.0/24 subnet already known at the external consulting company.
I attached a diagram to make the desired topology clear.
I do not know if it's very complicated or very simple, and I may be missing the technical solution, but I wanted to know if you had any idea about this implementation on a FortiGate 90E UTM.
Thank you in advance.
Hi John,
There is a document explaining the concept of resolving overlapping subnets over an IPsec VPN:
http://cookbook.fortinet.com/vpn-overlapping-subnets/
Please take a look before we move forward. Thanks!
Yes, but keep in mind that this cookbook doc only applies to firmware up to 5.2.5.
If you have 5.4.x or later on your 90E it won't work out. In this case use http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33872&sliceId=1... instead! I also mentioned that in the comment section of the KB doc when I ran into that issue, and the author confirmed it.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hello,
Thank you for this solution. I now better understand what my problem was. I configured my router this afternoon along these lines and I'm waiting for a reply from the other company to find out if it works.
I'll keep you informed.
Thanks again.
John W. Smith
Hi Smith,
Kindly update how you resolved this issue.
I am new to FortiGate. Right now I have a doubt: you tried a site-to-site VPN and faced the same-subnet issue.
Why don't you try a site-to-client VPN? If you have tried it, let me know what kind of issue you faced, to educate myself.
Thanks & Regards
Asus
Hello,
The problem is not yet solved. We have managed to create the VPN tunnel (the VPN tunnel is UP), but for the moment communication is established only in one direction (from them to us). Ping works well from them to us, but no packets are transferred from us to them.
I asked them for a pingable address to understand why it does not work.
Regards,
John.
Good to hear you got the VPN to work.
Do you have all required policies on both sides?
Oh, and you have to use the VIP IPs to ping in _both_ directions.
A ping from their side to you has to use your VIP IP, and if you want to ping them you have to use their VIP IP.
All IPs in the subnet on each side will be mapped to the corresponding VIP subnet.
To use the image you attached before:
network_1 is 192.168.1.0/24, VIP'ed to 192.168.4.0/24
network_2 is 192.168.1.0/24, VIP'ed to 10.10.30.0/24
So if you want to ping 192.168.1.10 on network_1 from network_2, you have to ping 10.10.30.10 instead!
If you want to ping 192.168.1.10 on network_2 from network_1, you have to ping 192.168.4.10 instead!
You don't need to worry about the mapping... your VIP on the FGT does that for you automagically ;)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
A quick test: Run a traceroute and see where the traffic goes.
The right way would be to sniff the tunnel port or run a debug flow trace.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Hello,
Thank you all for your answers! Indeed the VPN is working, but I think the problem is no longer a problem of firewall rules. Our partner is trying to ping an IP address (1.16) that is on the same subnet as ours (which exists on their side too). When they ping, it is not our 1.16 server (on our side) that responds, but the 1.16 on their own 192.168.1.0/24 subnet.
I also ran a debug on this specific VPN, but as the VPN is established, I do not see any error.
I asked them to let me ping into their network, or to run a traceroute from a machine. I do not know if the problem comes from my UTM, from their side (rules), or from their configuration. I'm waiting for their reply.
I updated the picture already posted.
Thank you in advance.
John
Yes, that's exactly what it does.
They have to have a VIP on their side too, as described in the document I mentioned.
And then, if they want to ping something on your side, they have to use the corresponding VIP IP address.
E.g.:
If your net is VIP'ed to 10.1.1.0/24 on their side and they want to ping 192.168.1.16 on your side, they have to ping the VIP IP, which would then be 10.1.1.16 instead.
The same goes if they want to access anything on your side via IP addresses.
hth
Sebastian
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
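The double-NAT arrangement Sebastian describes in his two replies above (our real 192.168.1.0/24 presented to the partner as 192.168.4.0/24, and the partner's 192.168.1.0/24 reached by us as 10.10.30.0/24), written out as an added FortiOS CLI example for the FortiGate side only. This is not configuration taken from the thread or from the linked cookbook/KB documents. The interface names (`internal`, `vpn-partner`), the address/VIP/policy object names and the policy IDs are assumptions; the command syntax is the FortiOS 5.4/5.6-style CLI and should be checked against the CLI reference for the firmware actually running on the 90E, since (as noted in the thread) the recipe differs between 5.2 and 5.4+.

```fortios
# Added example (not from the original post): one side of an overlapping-subnet IPsec VPN.
# Real LAN:                 192.168.1.0/24  (same prefix as the partner's LAN)
# Our LAN as seen by them:  192.168.4.0/24  (our "VIP subnet")
# Their LAN as seen by us:  10.10.30.0/24   (their VIP subnet; that NAT is done on the Cisco side)
# "vpn-partner" is the interface-mode IPsec tunnel interface (assumed name).

# 1. Phase 2 selectors carry the TRANSLATED subnets, never the overlapping one.
#    If 192.168.1.0/24 appears here, the partner's router keeps the traffic local
#    (which is exactly the "their own 1.16 answers" symptom seen in the thread).
config vpn ipsec phase2-interface
    edit "vpn-partner-p2"
        set phase1name "vpn-partner"
        set src-subnet 192.168.4.0 255.255.255.0
        set dst-subnet 10.10.30.0 255.255.255.0
    next
end

config firewall address
    edit "lan-real"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "partner-vip-subnet"
        set subnet 10.10.30.0 255.255.255.0
    next
end

# 2. Inbound: the partner addresses 192.168.4.x through the tunnel; the VIP rewrites
#    the destination to 192.168.1.x with the host part preserved
#    (192.168.4.16 -> 192.168.1.16), so no per-host VIPs are needed.
config firewall vip
    edit "vip-lan-192.168.4.0"
        set extintf "vpn-partner"
        set extip 192.168.4.1-192.168.4.254
        set mappedip "192.168.1.1-192.168.1.254"
    next
end

config firewall policy
    # Partner -> us: destination is the VIP object, not the real LAN address object.
    edit 10
        set name "partner-to-lan"
        set srcintf "vpn-partner"
        set dstintf "internal"
        set srcaddr "partner-vip-subnet"
        set dstaddr "vip-lan-192.168.4.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Us -> partner: source-NAT onto 192.168.4.0/24 keeping the host part,
    # so 192.168.1.10 enters the tunnel as 192.168.4.10 and the partner's
    # return traffic to 192.168.4.10 matches the phase 2 selector above.
    # On firmware where "natip" is only honoured for policy-based tunnels,
    # an IP pool ("config firewall ippool" + "set ippool enable"/"set poolname")
    # on this policy is the equivalent mechanism; verify for your version.
    edit 11
        set name "lan-to-partner"
        set srcintf "internal"
        set dstintf "vpn-partner"
        set srcaddr "lan-real"
        set dstaddr "partner-vip-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set natip 192.168.4.0 255.255.255.0
    next
end
```

The Cisco side has to mirror this: translate its own 192.168.1.0/24 to 10.10.30.0/24 on the way into the tunnel, use 192.168.4.0/24 <-> 10.10.30.0/24 as its crypto ACL, and always address our hosts as 192.168.4.x. Hosts on either side that reference the other site by real address (hard-coded IPs in configs, DNS records, hosts files) will keep hitting the local duplicate, which is the trap the thread runs into. To confirm the translation is actually happening, as Bob suggests, sniff the tunnel interface for the VIP address (`diagnose sniffer packet vpn-partner 'host 192.168.4.16' 4`) and trace the session with `diagnose debug flow filter addr 192.168.4.16`, `diagnose debug flow trace start 100`, `diagnose debug enable`; the flow output should show the VIP/NAT rewrite and the policy ID matched.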
Copyright 2024 Fortinet, Inc. All Rights Reserved.