Support Forum
mattjackson
New Contributor

Fortigate VPN with overlapping subnets - Remote site Internet Access over VPN

I have followed the guide to set up a site-to-site VPN with overlapping subnets, but I need to get the Branch site's internet traffic to route back over the VPN between FortiGates and then go out of another router on that network.

Can anyone help me get this working, as I cannot get the branch office Internet to work.

This is the guide I followed https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/426761/site-to-site-vpn-with...

This is the configuration I have:

Site 1 - HQ

WAN Router - 192.168.0.1
LAN - 192.168.0.0/24
WAN router has a static route pointing traffic for 10.2.2.0/24 to 192.168.0.11

FortiGate 80F - connected via WAN1 to the LAN above, IP'd 192.168.0.11
WAN2 IP'd 192.168.1.129/25 and connected to a layer 2 link to the Branch site
SNAT set up to convert 192.168.0.0/24 to 10.1.1.0/24

Site 2 - Branch

FortiGate 30G
LAN - 192.168.0.0/24
SNAT Virtual Subnet - 10.2.2.0/24
WAN IP'd 192.168.1.131/25 and connected to a layer 2 link to the HQ site

Testing

HQ FortiGate 80F can access the internet via the HQ WAN Router
Users on HQ LAN can access the internet via the HQ WAN router
Users on HQ LAN can access devices on the Branch LAN via their 10.2.2.x IP addresses
Users on Branch LAN can access devices on the HQ LAN
Users on Branch LAN can reach the HQ WAN Router on 192.168.0.1
Users on Branch LAN cannot reach anything external, e.g. 8.8.8.8

2 REPLIES
funkylicious
SuperUser

So if I get this correct, you would like the users in Branch (real net 192.168.0.0/24, NAT'ed to 10.2.2.0/24) to access the Internet via HQ?

If so, you would need:

- a default route towards HQ from Branch (in Branch: 0.0.0.0/0 with next-hop 192.168.1.129, and in HQ a route back to 10.2.2.0/24 with next-hop 192.168.1.131)

- a firewall rule that NATs the traffic from local (Branch) to remote (HQ) into the 10.2.2.0/24 IP Pool

- in HQ a firewall rule from the 10.2.2.0/24 network, source interface VPN-Branch, destination interface WAN and destination address all, with NAT enabled.

"jack of all trades, master of none"
mattjackson
New Contributor

Thanks, got it working now. I had the firewall policy set to remote original subnet to HQ virtual with NAT; I changed this to remote original to all and it's working now.
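The three items in funkylicious's reply, together with the policy change mattjackson confirmed (destination "all" rather than the HQ virtual subnet only), written out as a FortiOS CLI example. This is added illustration, not configuration from the thread or from Fortinet's guide. The interface names ("lan", "wan", "wan1", "VPN-HQ", "VPN-Branch"), object names and the one-to-one pool type are assumptions; it also assumes the tunnel is route-based (interface mode), so the routes point at the tunnel interfaces rather than at the 192.168.1.x link addresses. The IP addresses are the ones from the original post.

```fortios
# --- Branch FortiGate 30G ---
# Assumed interface names: "lan" (192.168.0.0/24), "wan" (192.168.1.131/25),
# "VPN-HQ" (route-based IPsec tunnel whose remote gateway is 192.168.1.129).

config firewall ippool
    edit "Branch-virtual-pool"
        # SNAT 192.168.0.x -> 10.2.2.x, the virtual subnet HQ sees (pool type assumed)
        set type one-to-one
        set startip 10.2.2.1
        set endip 10.2.2.254
    next
end

config router static
    edit 0
        # Default route into the tunnel. Any existing default route on "wan"
        # must be removed or given a higher distance, or it keeps winning.
        set dst 0.0.0.0 0.0.0.0
        set device "VPN-HQ"
        set distance 10
    next
end

config firewall policy
    edit 0
        set name "Branch-LAN-to-HQ-and-Internet"
        set srcintf "lan"
        set dstintf "VPN-HQ"
        set srcaddr "all"
        # dstaddr "all", not the HQ virtual subnet, so Internet destinations match too
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "Branch-virtual-pool"
    next
end

# --- HQ FortiGate 80F ---
# Assumed interface names: "wan1" (192.168.0.11, towards the HQ WAN router),
# "VPN-Branch" (tunnel interface to the Branch).

config firewall address
    edit "Branch-virtual"
        set subnet 10.2.2.0 255.255.255.0
    next
end

config router static
    edit 0
        # Return route for the Branch virtual subnet back into the tunnel
        set dst 10.2.2.0 255.255.255.0
        set device "VPN-Branch"
    next
end

config firewall policy
    edit 0
        set name "Branch-to-Internet-via-HQ"
        set srcintf "VPN-Branch"
        set dstintf "wan1"
        # Only the NATed Branch range is allowed out, not "all" sources
        set srcaddr "Branch-virtual"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # NAT to the wan1 address (192.168.0.11), so the HQ WAN router
        # sees the same source it already uses for HQ LAN traffic
        set nat enable
    next
end
```

To verify, `get router info routing-table all` on the Branch should show the 0.0.0.0/0 route via VPN-HQ, and `diagnose vpn tunnel list` should show phase 2 selectors that cover 0.0.0.0/0 on the Branch side; a selector limited to 10.1.1.0/24 never carries packets for 8.8.8.8, whatever the routes and policies say. On HQ, `diagnose sniffer packet wan1 'host 8.8.8.8' 4` should show the packets leaving with source 192.168.0.11.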
