Support Forum
Fabio74
New Contributor

Site To Site

Good evening everyone. I have a question: is it possible to realize this scenario?

We have 2 sites (A and B) connected by an IPsec VPN. The first site, A, has the class 192.168.0.0; the second, B, has the class 192.168.1.0. In the first site we have another class, 192.168.2.0, configured on port2 of the firewall. Is it possible to reach the class 192.168.2.0 from site B?

vsahu
Staff

If by "class" you're referring to an overlapping subnet on both sites, then yes, you can configure VIP and NAT to achieve this; follow the link below:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/426761/site-to-site-vpn-with...


Also, by default FortiGate will not allow you to configure an overlapping subnet on interfaces. Check the guide below.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-subnet-overlap-to-set-IP-addresses-...

Regards,
Vishal
Fabio74
New Contributor

Hello, and thank you very much for your reply. Indeed it is as I thought, in the sense that in site A I created a policy with NAT to put the two network classes in communication. But it does not work.

Fabio74
New Contributor

But perhaps I have not expressed correctly what is happening. I am inserting a drawing of the situation:

[attached image: Fabio74_1-1677056839535.png]

aionescu

Hi @Fabio74,

Just to clarify: on FGT A you have two ports with 192.168.1.0 and 192.168.10.0, and you want to reach, over IPsec, 192.168.40.0, which resides behind FGT B. Is that correct?

If that is the case, what does the phase 2 look like? Are there policies that allow the traffic? Are there routes pointing towards those subnets over the tunnel interface?

Fabio74

Hi aionescu,
What you say is absolutely correct. You understood perfectly. Phase two is 0.0.0.0/24 in local and in remote.

Thanks

aionescu

What does the routing look like? What about the firewall policy?

Please look at the link below and run a debug of the traffic flow to see how the traffic is handled.

Debugging the packet flow | FortiGate / FortiOS 6.2.12 (fortinet.com)
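The three things aionescu asks about (phase 2 selectors, a route over the tunnel interface, and a firewall policy), together with the debug flow he links to, fit into one FortiOS CLI sequence. This is an added example and not configuration from anyone in the thread: it assumes route-based (interface-mode) IPsec on FortiOS 7.x, that the tunnel interface on FGT A is named "VPN_B" and on FGT B "VPN_A", that 192.168.10.0/24 sits on port2 of FGT A, wildcard 0.0.0.0/0 phase 2 selectors on both sides, and constructed host addresses 192.168.10.10 and 192.168.40.10 for the debug filter.

```fortios
# ===== FGT A (site A) =====
# Phase 2 selectors: a wildcard selector covers the new 192.168.10.0/24 subnet
# without adding a second phase 2. The remote side must accept the same selectors.
config vpn ipsec phase2-interface
    edit "VPN_B-p2"
        set phase1name "VPN_B"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Address objects for the policy (assumed names)
config firewall address
    edit "LAN_192.168.10.0"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "SITEB_192.168.40.0"
        set subnet 192.168.40.0 255.255.255.0
    next
end

# Route: without this the FortiGate sends 192.168.40.0/24 out the default route,
# and the debug flow will show the WAN interface instead of VPN_B as the egress.
config router static
    edit 0
        set dst 192.168.40.0 255.255.255.0
        set device "VPN_B"
    next
end

# Policies in both directions. NAT is left off: with NAT enabled on a policy whose
# destination is the tunnel interface, the source is rewritten to the tunnel
# interface's own address, so FGT B would no longer see 192.168.10.x as the source.
config firewall policy
    edit 0
        set name "port2-to-SiteB"
        set srcintf "port2"
        set dstintf "VPN_B"
        set srcaddr "LAN_192.168.10.0"
        set dstaddr "SITEB_192.168.40.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "SiteB-to-port2"
        set srcintf "VPN_B"
        set dstintf "port2"
        set srcaddr "SITEB_192.168.40.0"
        set dstaddr "LAN_192.168.10.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# ===== FGT B (site B) =====
# The return path needs its own route and policy, otherwise replies never enter the tunnel.
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "VPN_A"
    next
end

# ===== Debug flow on FGT A (the procedure from the linked article) =====
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.168.10.10
diagnose debug flow filter daddr 192.168.40.10
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 20
diagnose debug enable
# ... now generate traffic, e.g. ping 192.168.40.10 from the host 192.168.10.10 ...
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset

# If the debug flow prints nothing at all, confirm the packets reach the FortiGate:
diagnose sniffer packet port2 'host 192.168.10.10 and host 192.168.40.10' 4 10 l
```

Reading the output: a healthy flow shows "find a route: ... via VPN_B" followed by an "Allowed by Policy" line naming the policy above; a route via the WAN interface points at the missing static route, and "Denied by forward policy check" points at the policy. If the sniffer on port2 shows no packets either, the traffic is not arriving at the FortiGate at all (the host's default gateway or the switching in between), which no FortiGate-side configuration can fix.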

Fabio74

I must be sincere. I'm ashamed to say it, but I'm not able to do it :(

Fabio74

I managed to debug it. From the 192.168.10.0 network to the 192.168.40.0 network it does not pick up any packets. Nothing, zilch, nada. From 192.168.10.0 to 192.168.1.0, it captures packets regularly. The policy I created is 192.168.10.0 towards VPN B with NAT enabled, and then the reverse from VPN B to 192.168.10.0 with NAT enabled.

Fabio74
New Contributor

Consider that the two FortiGates A and B communicate perfectly, and so do the PCs between them. I'm inserting the class 192.168.10.0 now because it is needed.
