rafaelrsilver
New Contributor

IPSEC different subnet.

Hello guys,

I have a FortiGate 90D one IPSEC tunnel with a customer.

The tunnel came up through both phases without problems; it is connected.

However, in the tunnel configuration the customer asked me to set it up with the local subnet 172.16.201.120/29 and the remote subnet 10.30.0.0/23, while my network and FortiGate are on the subnet 10.220.0.0/22.

My question is how I make my LAN desktops, etc., access the customer network.

Any help will help me a lot.

Thank you

Toshi_Esumi
Esteemed Contributor III

If you need both-way access, you need to add your subnet to the local subnets in phase 2, just like the customer's. But if you need just one way, from your subnet to the customer's remote subnet, you need to grab one of the customer's local IPs, put it into an IP Pool and set SNAT in a policy to pretend all of your devices are one of the customer's local devices. You might want to avoid an IP conflict by somehow reserving the NAT IP so it is not used by the customer.

Or use a combination: assign one IP the customer would never use, put that /32 IP in phase 2, and then NAT your access to the remote side with that source IP. It's still one way though.
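One way to build the one-way approach above in the FortiOS CLI, as an added example and not Toshi's own configuration: it assumes the wizard-created phase1-interface is named "customer", the LAN interface is "internal", and that the customer reserves 172.16.201.121 (inside the requested 172.16.201.120/29) so it can be used as the NAT source address.

```fortios
# Constructed example (not from the thread). Assumed names: phase1-interface
# "customer" (wizard-created), LAN interface "internal", 172.16.201.121 unused by the customer.
# Phase 2 selectors exactly as the customer requested
config vpn ipsec phase2-interface
    edit "customer-p2"
        set phase1name "customer"
        set src-subnet 172.16.201.120 255.255.255.248
        set dst-subnet 10.30.0.0 255.255.254.0
    next
end
config firewall address
    edit "my-lan"
        set subnet 10.220.0.0 255.255.252.0
    next
    edit "customer-remote"
        set subnet 10.30.0.0 255.255.254.0
    next
end
# Overload pool: every LAN host is translated to 172.16.201.121
config firewall ippool
    edit "customer-snat"
        set type overload
        set startip 172.16.201.121
        set endip 172.16.201.121
    next
end
config router static
    edit 0
        set dst 10.30.0.0 255.255.254.0
        set device "customer"
    next
end
# LAN -> tunnel policy; the translated source sits inside the phase 2 local
# selector, so the packets match the SA and are encrypted.
config firewall policy
    edit 0
        set name "lan-to-customer"
        set srcintf "internal"
        set dstintf "customer"
        set srcaddr "my-lan"
        set dstaddr "customer-remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "customer-snat"
    next
end
```

Return traffic from 10.30.0.0/23 only works for sessions the LAN initiated, since the customer side only ever sees 172.16.201.121.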

rafaelrsilver

Hi Toshi,

Thank you for the prompt help (sorry for my English).

Yes, I did just that: I placed the client's local subnet in the tunnel configuration.

It is connected.

The IPSEC wizard made the policy below: https://drive.google.com/open?id=0Bzsu90fZ5xEeaHYxVHU1ZUU1T0U

I did not understand the part where you say I need an "IP Pool and set SNAT".

When I try to access a link there on the client (10.30.0.48), port 80 or 8010 web,

I get the message (403 Forbidden: incorrect proxy service was requested).

Thank you

Toshi_Esumi
Esteemed Contributor III

That way, 10.0.30.x can access your subnet. No NAT.

For the 403 error, I don't exactly know what it means but I found another thread:

https://forum.fortinet.com/tm.aspx?m=74396

rafaelrsilver

Toshio,

Do you have an example of how I do this NAT on the Fortinet 90D?

Toshi_Esumi
Esteemed Contributor III

You can go to the KB and search "ippool" or "SNAT" to find some examples like the one below:

http://kb.fortinet.com/kb...ateId=0%200%2093972638

JakubP
New Contributor

Create a static route to the customer network through the tunnel and create a policy from LAN to VPN; it must work.

rafaelrsilver

Thanks for answering.

When creating the IPsec tunnel with the customer, it automatically created the static route to the VPN LAN along with the policy.

However, the problem is that my subnet is different from his in the tunnel.

My subnet (LAN): 10.220.0.1/22

The tunnel is set up this way:

my network [10.220.0.0/22] -> local_subnet_customer [172.16.201.120/29] remote_subnet_customer [10.30.0.0/23]

I am unable to do this translation from my network to local_subnet_customer.

As @toshiesumi told me, I looked at several examples on the Fortinet site, but without success yet.
