Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rafaelrsilver
New Contributor

Created on ‎10-27-2016 12:40 PM

IPSEC different subnet.

Hello guys,

I have a FortiGate 90D one IPSEC tunnel with a customer.

Tunel subio the two stages without problems, is connected.

however in the tunnel configuration, the customer asked me to set up, with the local subnet 172.16.201.120/29 and remote subnet  10.30.0.0/23. and my network and FortiGate this subnet in 10.220.0.0/22.

My doubt is how I do my LAN desktops, etc. access the customer network.

any help will help me a lot

thank you

5790
0 Kudos
7 REPLIES 7
Toshi_Esumi
SuperUser
SuperUser

Created on ‎10-27-2016 03:02 PM

If you need both way access, you need to add your subnet to the local subnets in phase2 just like customer's. But if you need just one way from your subnet to the customer's remote subnet, you need to grab one customer's local IP and put it into IP Pool and set SNAT in a policy to pretend all of your devices are one of customer's local device. You might want to avoid IP conflict by somehow reserving the NAT IP not to be used by the customer.

Or use the combination; assign one IP the customer would never use and put that /32 IP in phase2, and then NAT your access to the remote side with that source IP. It's still one way though.

2568
0 Kudos
rafaelrsilver
New Contributor
In response to Toshi_Esumi

Created on ‎10-28-2016 07:17 AM

Hi Toshi,

 

Thank you for the prompt help (sorry for my english). 

 

yes, I did just that placed the local client subnet in tunnel configuration.

it is connected.

the IPSEC wizard made the policy below: https://drive.google.com/open?id=0Bzsu90fZ5xEeaHYxVHU1ZUU1T0U

 

I did not understand the part that you say I need "IP Pool and set SNAT"

when I try to access a link there client (10.30.0.48) port 80 or 8010 web

of the message (403 Forbidden: incorrect proxy service was requested)

thank you

 

 

 

 

 

 

2568
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to rafaelrsilver

Created on ‎10-28-2016 08:45 AM

With that way 10.0.30.x can access your subnet. No NAT.

For the 403 error, I don't exactly know what it means but I found another thread:

[link]https://forum.fortinet.com/tm.aspx?m=74396[/link]

2568
0 Kudos
rafaelrsilver
New Contributor
In response to Toshi_Esumi

Created on ‎10-28-2016 10:48 AM

Toshio,

 

you have an example of how I do this in the NAT Fortinet 90D?

2568
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to rafaelrsilver

Created on ‎10-28-2016 11:00 AM

You can go to KB and search "ippool" or "SNAT" to find some examples like below:

http://kb.fortinet.com/kb...ateId=0%200%2093972638

2568
0 Kudos
JakubP
New Contributor

Created on ‎11-02-2016 01:15 AM

Create static route to customer network through tunnel a create policy from lan to vpn must work

2568
0 Kudos
rafaelrsilver
New Contributor
In response to JakubP

Created on ‎11-03-2016 09:45 AM

thanks for answering.

 

creating ipsec tunnel with the customer, he created autimatico the static route to lan VPN with the policy.

however the problem is that my subnet is different from him in the tunnel.

 

my subnet (LAN) 10.220.0.1/22

 

the tunnel this way:

my network [10.220.0.0/22] -> local_subnet_customer [172.16.201.120/29] remote_subnet_customer [10.30.0.0/23]

 

I am unable to do this translation to my network to local_subnet_customer.

confome @toshiesumi told me, I saw several examples in Fortinet site, but without success yet.

2568
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.