Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Overlapping remote subnets on two vpn tunnels



it is a well known problem, we have Fortigate on AWS and have to connect to two different customers by VPN with overlapping remote subnets on their side:


Unbenanntes Diagramm.png

Let's say it is not possible to do NAT on the customer firewalls. There are two scenarios:


1. TCP connections established from customer 1/2 server to AWS server

2. TCP connections established from AWS server to customer 1/2 server


Question #1:

Let's assume we would implement SNAT on the Fortigate to cover scenario 1, would the return traffic automatically chose the correct tunnel (from connection table), or will the routing table be consulted to find the tunnel interface for return traffic? I believe the latter is the case, so the SNAT would not help in this case.


Question #2:

I know there is a technical article about how to solve this with VRF and VDOM on the Fortigate, but unfortunately we have on-demand license (not BYOL), so another VDOM is not available on the Fortigate.

Is there any way to solve this without an additional VDOM?

New Contributor

No VxLAN is not a solution, the firewalls on customer side are 3rd party products and we have to keep the configuration as straightforward as possible.

Also there is no access customer 1 <-> customer 2 required. Only connections between the customer servers and AWS server. From my diagram it might even happen that both customers have a server with the same ip address (although very unlikely).

Top Kudoed Authors