- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Overlapping networks thorugh IPSec S2S VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Overlapping networks thorugh IPSec S2S VPN
Hello,
I configured both FG appliances exactly as referenced in this online help document:
http://help.fortinet.com/fos50hlp/52/index.html#page/FortiOS%25205.2%2520Help/gw-to-gw.105.11.html
It works but this is not what i expect.
The document assumes users to access resources in both ends using 10.21.101.0/24 and 10.31.101.0/24. This means users must memorize these addresses in order to access resources in the other end. I think this is not practical and i want the network to be transparent to end users.
I thought both ends can access resources normally using the 10.11.101.0/24. For example, FG_2 translates server 10.11.101.1 > 10.31.101.1. FG_1 translates PC1 10.11.101.10 > 10.21.101.10. When PC1 pings the server 10.11.101.1, FG_2 will receive the ping request at 10.31.101.1 and then automatically redirect it to 10.11.101.1. When the server replies, FG_1 will receive the reply at 10.21.101.10 and then automatically redirect it to 10.11.101.10.
It should work like this.
The question is, how does the foritgate know if the ping is intended to a local server with address 10.11.101.1 and not intended through the tunnel?
The answer depends on if there is a mechanism in FG to know that.
Appreciate your help.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any thoughts?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
technologist36 wrote:The question is, how does the foritgate know if the ping is intended to a local server with address 10.11.101.1 and not intended through the tunnel?
I doubt if the Fortigate is able to see the difference... Your method could work as long as you don't have duplicate ip's. eg. client with .1 should either exist at local site OR remote site, but not the 2.
The Fgt will react to requests on the ip's on which it has vips configured, but will not be able to tell if other clients react to the same data on the local subnet
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your kind reply.
Okay, let's say that i accept the fact i can access resources located at the remote site using a range of VIPs. Now, i am trying to configure a DNS names for these VIPs, so that users can access resources by names.
Let me illustrate what i did and correct me if i am wrong.
I configured the DHCP located at the remote site to give remote users the VIP of the DNS server located in the local site. This is the IP address of the DNS server after translation. Because remote users now see the DNS server as 10.21.101.1, they contact it for names. NSlookup works fine but pings by name failed. Why? Because the host records in the DNS server point to resources with IP addresses in the range of 10.11.x.x/24 subnet and not in the range of 10.21.x.x/2 subnet.
Note: There is no DNS server at the remote site and they rely on the DNS server at local site.
Do you think i need to configure a DNS server at remote site in order for this to work?
Appreciate your help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's correct, the DNS server will reply with the "wrong" ip.
Best way is to install a DNS server locally, either a fixed server, or configure it on the Fortigate.
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe FG cannot act as a DNS server but it can point to one. I checked the "DNS" under the "Network" section and requires me to specify the addresses of DNS servers.
Anyways, i will try to install an internal DNS server at the remote site and create a FLZ for the VIPs' subnet.
I will let you know the status.
Thx for your help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
technologist36 wrote:I believe FG cannot act as a DNS server but it can point to one. I checked the "DNS" under the "Network" section and requires me to specify the addresses of DNS servers.
Actually you can, but on recent FOS you need to enable "DNS database" in the features view first. After that it should appear under your "Network" section in the menu.
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Gr8! I am going to read more about the new FOS v5.2.3 and check if it supports DNS server role.
Thanks Johan, appreciate your help.
Related Posts
- Multiple IPsec tunnels with overlapping networks... 733 Views
- SSL, IPSEC,GRE routing 1094 Views
- Remote Access SSL-VPN & Home Network... 1383 Views
- Fortigate 1500D v6.x 4183 Views
- IPSEC TUNNEL with NAT 2248 Views
Labels
-
FortiGate
6,655 -
FortiClient
1,327 -
5.2
801 -
5.4
639 -
FortiManager
576 -
FortiAnalyzer
421 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
271 -
FortiMail
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
158 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
76 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
65 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
29 -
SD-WAN
29 -
FortiConnect
24 -
High Availability
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Logging
13 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.