Support Forum
WalterW
New Contributor

Overlapping remote subnets on two vpn tunnels

Hi,

It is a well-known problem: we have a FortiGate on AWS and have to connect to two different customers by VPN with overlapping remote subnets on their side:


[diagram attached: Unbenanntes Diagramm.png]

Let's say it is not possible to do NAT on the customer firewalls. There are two scenarios:

1. TCP connections established from customer 1/2 server to AWS server

2. TCP connections established from AWS server to customer 1/2 server


Question #1:

Let's assume we would implement SNAT on the FortiGate to cover scenario 1. Would the return traffic automatically choose the correct tunnel (from the connection table), or will the routing table be consulted to find the tunnel interface for the return traffic? I believe the latter is the case, so the SNAT would not help here.


Question #2:

I know there is a technical article about how to solve this with VRF and VDOM on the FortiGate, but unfortunately we have an on-demand license (not BYOL), so another VDOM is not available on the FortiGate.

Is there any way to solve this without an additional VDOM?

2 REPLIES
WalterW
New Contributor

No, VXLAN is not a solution; the firewalls on the customer side are 3rd-party products and we have to keep the configuration as straightforward as possible.

Also, no access between customer 1 and customer 2 is required, only connections between the customer servers and the AWS server. From my diagram it might even happen that both customers have a server with the same IP address (although very unlikely).
