Mark_Oakton
Contributor

Layer 2 tunnel between 2 Fortigates - Same LAN IP range

Hi,

I am planning a migration, old site to new, both have fortigate and a separate internet connection.

I want to have the LAN range the same on both sides, e.g. 192.168.1.1/24 in site 1 and 192.168.1.2/24 in site 2, then I can test connectivity and routing.


I have read up on GRE or GRE over IPsec, but can anyone let me know what method actually works?

Mark

Infosec Partners
Rewanta_FTNT
Staff

Hi

You can VPN between the overlapping networks using static NAT or PAT. You may find the doc here:


http://docs.fortinet.com/d/fortigate-ipsec-vpn-1

page 71

How to work with overlapping subnets


There is no layer 2 tunnel concept in FGT like MPLS L2 VPN. IPsec is an L3 tunnel.


Rewanta

Mark_Oakton
Contributor

Rewanta,


Thanks for the reply. Will that work with exactly the same class C subnet on both sides, just with different gateways? How will machines on each side know to go to the default gateway? If they send out a packet on the local LAN (layer 2, to a MAC address), how will that get picked up by the firewall and sent up the tunnel?


Mark

Infosec Partners
Rewanta_FTNT
Staff

Hi,


I think you didn't read the document.

Let me explain:

Let's say the overlapped network is X on site 1 and site 2. X will be NATed statically to Y on site 1 and to Z on site 2. So when site 1 accesses site 2, site 1 hits the Z network, and the site 1 firewall will NAT X to Y before the packets are encrypted into the IPsec tunnel; the site 1 firewall knows where the Z network is located. When the packets reach the site 2 LAN, the source will be Y and the destination will be Z. Now site 2 will DNAT Z to X and leave Y as it is, so when the packet finally reaches site 2, the source is Y and the destination is X. Problem solved!!! When the packet returns from site 2, the source is X and the destination is Y. Now X is SNATed to Z, and Y is left as it was, as that is not site 2's NAT job. When the packets reach site 1, the source is Z and the destination is Y; now Y is DNATed to X, and the source is left as it is. When the final packets reach the site 1 LAN, the source is Z and the destination is X. Problem solved. In fact, site 1 and site 2 never know where the NAT is happening; they don't even know an overlapping network exists on either side.

As you see, there is no MAC or ARP issue.

If you perform network-to-network NAT, the IP translation will happen this way:

192.168.1.1/24 (overlapped network) --> 172.16.1.1/24 (NAT pool)


I suggest you go through the document for the config assistance.


Rewanta
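The address rewriting described in the reply above, traced hop by hop as an added example; this is not code from the thread or from FortiOS. X (192.168.1.0/24) and Y (172.16.1.0/24) are the thread's own example ranges; Z (172.16.2.0/24) is an assumed pool for site 2, and the host addresses are constructed.

```python
import ipaddress

# Constructed addressing. X and Y come from the thread's example; Z is an
# assumed NAT pool for site 2 (the thread does not give one).
X = ipaddress.ip_network("192.168.1.0/24")  # real LAN range, identical at both sites
Y = ipaddress.ip_network("172.16.1.0/24")   # how site 1's LAN appears to site 2
Z = ipaddress.ip_network("172.16.2.0/24")   # how site 2's LAN appears to site 1


def translate(addr, src_net, dst_net):
    """One-to-one network NAT: keep the host part, swap the network part.
    Addresses outside src_net are returned unchanged (not this firewall's job)."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        return addr
    host = int(addr) - int(src_net.network_address)
    return dst_net.network_address + host


def site_fw(pkt, own_pool, direction):
    """Model one FortiGate with its own NAT pool.
    'out' = LAN -> tunnel: SNAT the real range X to this site's pool.
    'in'  = tunnel -> LAN: DNAT this site's pool back to the real range X."""
    src, dst = pkt
    if direction == "out":
        return (translate(src, X, own_pool), dst)
    return (src, translate(dst, own_pool, X))


def trace(src_host, dst_in_z):
    """(src, dst) as seen at each hop for a site1 -> site2 flow and its reply.
    src_host is a real X address at site 1; dst_in_z is the site 2 host as
    site 1 addresses it, i.e. its Z address."""
    hops = {}
    pkt = (src_host, dst_in_z)
    hops["site1_lan"] = pkt
    pkt = site_fw(pkt, Y, "out")           # site 1: X -> Y before encryption
    hops["tunnel"] = pkt
    pkt = site_fw(pkt, Z, "in")            # site 2: Z -> X after decryption
    hops["site2_lan"] = pkt
    reply = (pkt[1], pkt[0])               # site 2 host answers the Y address
    reply = site_fw(reply, Z, "out")       # site 2: X -> Z, Y untouched
    hops["reply_tunnel"] = reply
    reply = site_fw(reply, Y, "in")        # site 1: Y -> X, Z untouched
    hops["reply_site1_lan"] = reply
    return {k: (str(s), str(d)) for k, (s, d) in hops.items()}
```

Neither LAN host ever sees its own subnet as the far end, which is why no ARP or MAC problem arises.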
