All,
I have a client with a number of remote sites that all have Site-to-Site VPN back to their data centre. All VPNs are using explicitly defined Phase 2 selectors.
We've recently added a new subnet/network with servers on it for a different branch of their company and they want all remote sites to be able to access it.
An easy solution would be to just add the Phase2s on each VPN tunnel and be done with it, but this is potentially a lot of work.
I am looking at NATting the traffic so one of the existing Phase2s would allow the traffic, but running into some trouble.
The networks are:
10.69.7.0/24 (new network) and 10.0.8.0/22 (existing network).
On the DataCentre Firewall, I had placed a NAT for 10.0.8.136-10.0.8.140 mapping to 10.69.7.36-10.69.7.40
On a test remote firewall, I did the inverse and created a route and policy. As soon as I enabled a policy on the DC to allow the traffic, the servers in 10.69.7.36-40 lost network access - so I disabled the policy.
I suspect I might have this backwards....
We're trying to use a NAT to minimize the amount of changes we'll need to do per remote site.
Thoughts?
So you have phase2 10.0.8.0/22<->a.a.a.0/x per location, right. Then you want the new servers in 10.69.7.0/24 accessible from remote locations without changing all IPsecs and static routes.
That means you need to map some of 10.0.8.0/22 IPs to 10.69.7.36-40 for incoming from VPNs (VIPs), and for opposite direction, you need to set ippools for each 10.69.7.xx server to use the 10.0.8 IP in SNAT policy toward VPNs. It would be quite some work too.
Instead, I would consider changing phase2 to 0/0<->0/0 default value, and setting a routing protocol to exchange those routes each other. Once you do that, whenever a new subnet is introduced on either end, it would be automatically propagated to the other end.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1744 | |
1114 | |
760 | |
447 | |
241 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.