Hi,
I am planning a migration, old site to new, both have fortigate and a separate internet connection.
I want to have the LAN range the same on both sides, e.g. 192.168.1.1/24 in site 1, 192.168.1.2/24 on site 2 - then i can test connectivity and routing
I have read up on gre or gre over ipsec but can anyone let me know what method actually works?
Mark
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi
You can vpn between the overlapping network using the static nat or pat. You may find doc-
http://docs.fortinet.com/d/fortigate-ipsec-vpn-1
page - 71
How to work with overlapping subnets
there is no layer2 tunnel concept in FGT like MPLS l2 vpn. IPsec is L3 tunnel.
Rewanta
Rewanta,
Thanks for the reply, will that work with exactly the same class c subnet on both sides, just with different gateways. How will machines on each side know to go to the default gateway? If they send out a packet on the local lan (layer 2 to mac address) how will that get picked up by the firewall and sent up the tunnel?
Mark
Hi,
I think you didn't read the document.
let me explain-
Overlapped network lets say is X on site1 and site2. X will be natted statically to Y on site1 and Z on the site2. So when Site1 access the site2, site1 hits the Z network, and Site1 firewall will nat the X to Y before they are encrypted to ipsec tunnel and Site1 firewall knows where the Z network is located, when packets are reached to site2 LAN , source will Y, destination will be Z. Now Site2 will dnat the Z to X, leave the Y as it is, when the packet finally reaches to Site2, source Y, destination is X, problem solved!!! When packet returns from site2, source is X, destination is Y. Now the X to snat'ed to Z, leave Y as it was as its not site2 nat job. When packets are reached to site1, source is Z, destination is Y, now Y is dnat'ed to X, leave source as it is. When the final packets are reached to site1 LAN, source is Z, destination is X, problem solved. in fact, site1 and site2 never know where is nat happening, they just dont know about overlapping network even exist on either side.
As you see, there is no mac, arp issue.
If you perform the network to network nat, ip translation will happen this way-
192.168.1.1/24(overlapped network) -->172.16.1.1/24 (nat pool)
I suggest you go through the document for the config assistance.
Rewanta
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.