Hi,
It is a well-known problem: we have a FortiGate on AWS and have to connect to two different customers by VPN with overlapping remote subnets on their side:
Let's say it is not possible to do NAT on the customer firewalls. There are two scenarios:
1. TCP connections established from customer 1/2 server to AWS server
2. TCP connections established from AWS server to customer 1/2 server
Question #1:
Let's assume we would implement SNAT on the FortiGate to cover scenario 1. Would the return traffic automatically choose the correct tunnel (from the connection table), or will the routing table be consulted to find the tunnel interface for the return traffic? I believe the latter is the case, so the SNAT would not help here.
Question #2:
I know there is a technical article about how to solve this with VRF and VDOM on the FortiGate, but unfortunately we have an on-demand license (not BYOL), so another VDOM is not available on the FortiGate.
Is there any way to solve this without an additional VDOM?
Have you checked the VxLAN configuration?
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/392860/vlan-inside-vxlan
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/821119/vxlan-over-ipsec-tunnel
https://www.youtube.com/watch?v=69oa55LsoAc&t=30s
No, VxLAN is not a solution; the firewalls on the customer side are third-party products and we have to keep the configuration as straightforward as possible.
Also, no access between customer 1 and customer 2 is required, only connections between the customer servers and the AWS server. From my diagram it might even happen that both customers have a server with the same IP address (although very unlikely).