
IPSEC different subnet.

Hello guys,

I have a FortiGate 90D with one IPSEC tunnel to a customer.

The tunnel came up through the two stages without problems; it is connected.

however in the tunnel configuration, the customer asked me to set up, with the local subnet and remote subnet and my network and FortiGate this subnet in

My question is how I make my LAN desktops, etc. access the customer network.

Any help will help me a lot.

Thank you.


If you need both-way access, you need to add your subnet to the local subnets in phase2 just like the customer's. But if you need just one way, from your subnet to the customer's remote subnet, you need to grab one of the customer's local IPs, put it into an IP Pool, and set SNAT in a policy to pretend all of your devices are one of the customer's local devices. You might want to avoid an IP conflict by somehow reserving the NAT IP so that it is not used by the customer.

Or use the combination; assign one IP the customer would never use and put that /32 IP in phase2, and then NAT your access to the remote side with that source IP. It's still one way though.
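
The first option in the answer above (IP pool plus SNAT in the LAN-to-tunnel policy, phase2 left unchanged), sketched as FortiOS CLI. This is an added example, not part of the original posts; every address, object name and interface name in it is a constructed placeholder, because the thread's real subnets are not shown.

```fortios
# Constructed placeholders (not from the thread):
#   192.0.2.250      one address inside the "local subnet" already set in phase2,
#                    reserved with the customer so nothing else uses it
#   198.51.100.0/24  the customer's remote subnet
#   "internal"       LAN interface, "to-customer" = IPsec tunnel interface
# Lines starting with # are annotations for the reader.

# Pool with a single address: all LAN hosts are hidden behind it (PAT)
config firewall ippool
    edit "cust-snat"
        set type overload
        set startip 192.0.2.250
        set endip 192.0.2.250
    next
end

config firewall address
    edit "cust-remote"
        set subnet 198.51.100.0 255.255.255.0
    next
end

# Only the ports mentioned in the thread (80 and 8010), not service ALL
config firewall service custom
    edit "TCP-8010"
        set tcp-portrange 8010
    next
end

# One-way policy: LAN -> tunnel, source rewritten to the pool address.
# A route to 198.51.100.0/24 via "to-customer" must already exist.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to-customer"
        set srcaddr "all"
        set dstaddr "cust-remote"
        set action accept
        set schedule "always"
        set service "HTTP" "TCP-8010"
        set nat enable
        set ippool enable
        set poolname "cust-snat"
    next
end
```

Because the translated source falls inside the local subnet negotiated in phase2, the traffic matches the existing selectors; sessions can only be opened from the LAN side.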


Hi Toshi,


Thank you for the prompt help (sorry for my English).


Yes, I did just that: placed the local client subnet in the tunnel configuration.

It is connected.

The IPSEC wizard made the policy below:


I did not understand the part where you say I need "IP Pool and set SNAT".

When I try to access a link at the client (port 80 or 8010 web), it gives the message (403 Forbidden: incorrect proxy service was requested).

Thank you.








That way 10.0.30.x can access your subnet. No NAT.

For the 403 error, I don't exactly know what it means but I found another thread:





Do you have an example of how I do this NAT on the Fortinet 90D?


You can go to KB and search "ippool" or "SNAT" to find some examples like below:

Create a static route to the customer network through the tunnel and create a policy from LAN to VPN; that must work.


Thanks for answering.


When I created the IPsec tunnel with the customer, it automatically created the static route to LAN VPN with the policy.

However, the problem is that my subnet is different from his in the tunnel.


my subnet (LAN)


the tunnel this way:

my network [] -> local_subnet_customer [] remote_subnet_customer []


I am unable to do this translation from my network to local_subnet_customer.

As @toshiesumi told me, I looked at several examples on the Fortinet site, but without success yet.

