Support Forum
zohaibm27
New Contributor

IPsec Overlapping

Hi everyone, I have two FortiGates: an FG110C at the HO and an FG50B at the branch side. I have created an IPsec route-based tunnel VPN successfully, but the problem is that both sides have the same subnet but different IPs: the HO side has been assigned the IP series 192.168.1.1-80/24 and the branch side the IPs 192.168.1.90-200/24. I want to access all PCs which are placed at the branch site, so can anyone help or give me guidance regarding an IPsec route-based VPN tunnel with overlapping? Thanks and Regards, Zohaib Khan
ede_pfau
SuperUser

Hi, this is the worst case when connecting 2 remote subnets. In principle you can destination NAT outgoing traffic (VIP) and source NAT incoming (IP pool) in one policy, and vice versa in the other. But that is a little bit clumsy.

In your case, you could make your life easier with subnetting. Instead of a /24 network mask, you could use a /25 mask like 192.168.x.0/25 (HO) and 192.168.x.128/25 (remote). Note that you lose access to IPs .90-.127 on the branch side. And it takes some effort on the network clients as well.

You can find a detailed example for double NATting in the FortiOS Handbook, and maybe in the Cookbook as well (both on docs.fortinet.com). There are several KB articles on this subject as well.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
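As an added worked example (not part of the question or the reply, and not Fortinet's own documentation), here is one way to write out the double-NAT arrangement the reply refers to, in FortiOS CLI. It assumes the tunnel the poster already has is named "to-branch" on the HO side and "to-ho" on the branch side, that the LAN interface is "internal", and that two unused "mapped" subnets are chosen: the branch is addressed from the HO as 192.168.10.0/24, and the HO is addressed from the branch as 192.168.20.0/24. Each FortiGate translates only its own LAN: an IP pool rewrites outbound source addresses into its mapped range, and a VIP bound to the tunnel interface rewrites inbound destinations back to the real 192.168.1.x addresses. Phase 2 selectors and the static route refer only to the mapped subnets, so the overlapping 192.168.1.0/24 never appears inside the tunnel. All object names, policy IDs and the mapped subnets are assumptions for the example.

```fortios
# ---------- HO FortiGate (FG-110C): real LAN 192.168.1.0/24 ----------
# Assumed for this example: LAN interface "internal", existing route-based
# tunnel "to-branch". The HO presents itself to the branch as 192.168.20.0/24
# and addresses branch hosts as 192.168.10.0/24.
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set src-subnet 192.168.20.0 255.255.255.0   # HO as seen by the branch
        set dst-subnet 192.168.10.0 255.255.255.0   # branch as seen by the HO
    next
end
config firewall address
    edit "HO-LAN-real"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "BRANCH-LAN-mapped"
        set subnet 192.168.10.0 255.255.255.0
    next
end
# Outbound source NAT: 192.168.1.x -> 192.168.20.x, one pool address per host
config firewall ippool
    edit "HO-LAN-as-20"
        set type one-to-one
        set startip 192.168.20.1
        set endip 192.168.20.254
    next
end
# Inbound destination NAT on the tunnel interface: 192.168.20.x -> 192.168.1.x
config firewall vip
    edit "HO-20-to-real"
        set extintf "to-branch"
        set extip 192.168.20.1-192.168.20.254
        set mappedip 192.168.1.1-192.168.1.254
    next
end
config firewall policy
    edit 10
        # LAN -> tunnel: destination is the branch's mapped range,
        # source is rewritten into the HO's mapped range
        set srcintf "internal"
        set dstintf "to-branch"
        set srcaddr "HO-LAN-real"
        set dstaddr "BRANCH-LAN-mapped"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "HO-LAN-as-20"
    next
    edit 11
        # tunnel -> LAN: the VIP object as destination performs the DNAT
        set srcintf "to-branch"
        set dstintf "internal"
        set srcaddr "BRANCH-LAN-mapped"
        set dstaddr "HO-20-to-real"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 5
        set dst 192.168.10.0 255.255.255.0
        set device "to-branch"
    next
end

# ---------- Branch FortiGate (FG-50B): real LAN 192.168.1.0/24 ----------
# Mirror image of the above with these substitutions:
#   tunnel "to-branch"            -> "to-ho"
#   phase2 src-subnet             -> 192.168.10.0/24, dst-subnet -> 192.168.20.0/24
#   address "BRANCH-LAN-mapped"   -> "HO-LAN-mapped" = 192.168.20.0/24
#   ippool "HO-LAN-as-20"         -> "BRANCH-LAN-as-10" = 192.168.10.1-192.168.10.254
#   vip extip 192.168.20.x        -> 192.168.10.1-192.168.10.254 (mappedip unchanged)
#   static route dst              -> 192.168.20.0/24 via "to-ho"
```

From an HO PC, a branch host 192.168.1.50 is then reached as 192.168.10.50, and the branch host sees the connection arriving from 192.168.20.x. Two caveats a practitioner should check: a one-to-one IP pool guarantees one external address per internal host but not that the last octet is preserved, so if hosts must be reachable at a predictable mapped address in both directions, use a VIP range for the inbound side (as above) and, on FortiOS releases that support it, a fixed-port-range pool with source-startip/source-endip for the outbound side; and name resolution on both LANs must hand out the mapped addresses, not the real ones. After applying, verify with `diagnose vpn tunnel list` that the phase 2 selectors are the mapped subnets, and with `diagnose sniffer packet to-branch` that only 192.168.10.x and 192.168.20.x addresses cross the tunnel. The reply's point stands: if re-subnetting to two /25s is an option, it removes all of this translation.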