Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
abdelilah
New Contributor

Problem with ipsec tunnel

Hi everyone,

We have a Fortinet 60B in our headquarters and we configured it for one client-to-site IPsec tunnel, but we have some problems with this tunnel: sometimes the tunnel is there and other times it collapses. Here is our design. I have one question: is this design correct, or may it create problems?

Here is the design:

FORTINET CLIENT 192.168.1.101
  |
192.162.1.1 sagem fast livebox, public IP: X.Y.Z.A
  |
Internet
  |
public IP: R.T.Y.U sagem fast livebox 192.168.1.1
  |
192.168.1.2 FORTINET FIREWALL 60B 10.10.10.1
  |
10.10.10.10 Server

voila
rwpatterson
Valued Contributor III

Welcome to the forums. Chances are it may have something to do with the 192.168.1.x space on the client end matching that of the server side. Do yourself a favor... change that. With the many available private spaces out there, choose one that's not on the top 3 list of default address spaces. If you have control over the remote end, DO THE SAME THERE. My opinion.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
Esteemed Contributor III

Definitely a design error. You cannot connect 2 subnets with identical IP address spaces via VPN tunnel. As Bob says, get away from 192.168.[0-2].0/24 on your LANs.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
abdelilah

Even if it is a client-to-site tunnel?

voila
ede_pfau
Esteemed Contributor III

Imagine you are the router/FGT. Now you see traffic to e.g. 192.168.1.4 from both the LAN port and the tunnel interface. Now, where do you send the reply traffic to? It doesn't matter if the tunnel client is software or another FGT; the receiving FGT cannot see any difference in the traffic.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
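The routing ambiguity Ede describes can be shown with a small longest-prefix-match simulation. This is an added example, not code from the forum posters or from Fortinet: it builds a toy routing table for the FortiGate in the original diagram (interface names wan1, vpn_client and internal, and the 172.16.50.0/24 replacement range for the client side, are assumptions) and shows that with both sides on 192.168.1.0/24 the reply to the client ties between two interfaces, while a renumbered client side resolves to exactly one. It also includes the overlap check worth running before a tunnel is configured.

```python
import ipaddress

def build_table(routes):
    """Turn (prefix, interface) pairs into a list of (ip_network, interface)."""
    return [(ipaddress.ip_network(net), iface) for net, iface in routes]

def lookup(table, dst):
    """Return the set of interfaces that tie for the longest matching prefix.

    A real router picks one of them by some tie-break rule, so replies to the
    remote client may leave the wrong interface and the tunnel appears to
    'collapse'. More than one member in the result means the address plan
    is ambiguous.
    """
    addr = ipaddress.ip_address(dst)
    best_len = -1
    best = set()
    for net, iface in table:
        if addr in net:
            if net.prefixlen > best_len:
                best_len = net.prefixlen
                best = {iface}
            elif net.prefixlen == best_len:
                best.add(iface)
    return best

def overlapping_pairs(local_nets, remote_nets):
    """Pre-deployment check: list every (local, remote) pair that overlaps."""
    return [
        (l, r)
        for l in map(ipaddress.ip_network, local_nets)
        for r in map(ipaddress.ip_network, remote_nets)
        if l.overlaps(r)
    ]

# Constructed table matching the thread's design: the FortiGate's own
# 192.168.1.0/24 segment (behind the office livebox) and the remote client's
# 192.168.1.0/24 LAN reached through the tunnel.
OVERLAPPING = build_table([
    ("192.168.1.0/24", "wan1"),        # local segment, FortiGate is 192.168.1.2
    ("192.168.1.0/24", "vpn_client"),  # remote client LAN, same addresses
    ("10.10.10.0/24", "internal"),     # server LAN behind the FortiGate
])

# Same design after renumbering the client side (assumed replacement range).
RENUMBERED = build_table([
    ("192.168.1.0/24", "wan1"),
    ("172.16.50.0/24", "vpn_client"),
    ("10.10.10.0/24", "internal"),
])

def reply_path(table, client_ip):
    """Interfaces the FortiGate could use for the server's reply to the client."""
    return lookup(table, client_ip)

if __name__ == "__main__":
    print("overlap check:", overlapping_pairs(["192.168.1.0/24", "10.10.10.0/24"],
                                              ["192.168.1.0/24"]))
    print("reply to 192.168.1.101 (overlapping):", reply_path(OVERLAPPING, "192.168.1.101"))
    print("reply to 172.16.50.101 (renumbered):", reply_path(RENUMBERED, "172.16.50.101"))
```

Even though the client only wants to reach 10.10.10.0/24, the reply packets are addressed to the client's 192.168.1.x source, and that is the lookup that ties; the server subnet being unique does not help.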
abdelilah
New Contributor

Yes, but I'm joining the 10.10.10.0/24 network, not the 192.168.1.0/24.

voila