Site-to-site IPsec VPN with overlapping subnets

Fabien_34 · ‎06-07-2018

Hello,

I am trying to setup site-to-site IPSec tunnels with two customers. Problem : they use the same subnet (common problem when establishing VPN tunnels). Diagram :

The configuration related to the customer Y tunnel :

Phase 1 :

config vpn ipsec phase1-interface edit "VPN_Y" set interface "VPN_INTERCO-OUT" set local-gw 46.235.xxx.xxx set peertype any set proposal aes128-sha1 3des-sha1 set comments "C00000843" set dhgrp 2 set remote-gw 46.235.yyy.yyy set psksecret ENC 22Qlkt[...]== next end

Phase 2 :

config vpn ipsec phase2-interface edit "VPN_Y" set phase1name "VPN_Y" set proposal aes128-sha1 3des-sha256 set dhgrp 2 set keylifeseconds 3600 set src-subnet 10.240.250.8 255.255.255.255 set dst-subnet 10.93.1.0 255.255.255.0 next end

NAT source :

config firewall ippool edit "NAT_SOURCE_VPN_Y" set startip 10.240.250.8 set endip 10.240.250.8 next end

NAT destination :

config firewall vip edit "NAT_DEST_Y_LAN" set uuid d23e818a-4ee1-51e8-9896-d94d9ae7ad2b set extip 10.129.7.1-10.129.7.254 set extintf "VPN_INTERCO-IN" set mappedip "10.93.1.1-10.93.1.254" next end

Static routes :

config router static edit 21 set dst 10.93.1.0 255.255.255.0 set distance 5 set device "VPN_Y" set comment "NET_Y_LAN" next end

Firewall policy :

config firewall policy edit 13 set name "VPN_Y" set uuid 31e63b7a-47ce-51e8-cf55-ad237dab5cbf set srcintf "VPN_INTERCO-IN" set dstintf "VPN_Y" set srcaddr "GRP_NET _MGT" set dstaddr "NAT_DEST_Y_LAN" set action accept set schedule "always" set service "GRP_ADMIN" set logtraffic all set nat enable set ippool enable set poolname "NAT_SOURCE_VPN_Y" next end

The configuration related to the customer Z tunnel :

Phase 1 :

config vpn ipsec phase1-interface edit "VPN-Z" set interface "VPN_INTERCO-OUT" set local-gw 46.235.xxx.xxx set peertype any set proposal aes128-sha1 3des-sha1 set dhgrp 2 set remote-gw 46.235.zzz.zzz set psksecret ENC 0ZmB1d[...]== next end

Phase 2 :

config vpn ipsec phase2-interface edit "VPN-Z" set phase1name "VPN-Z" set proposal aes128-sha1 3des-sha1 set dhgrp 2 set keylifeseconds 3600 set src-subnet 10.240.250.100 255.255.255.255 set dst-subnet 10.93.1.0 255.255.255.0 next end

NAT source :

config firewall ippool edit "NAT_SOURCE_VPN_Z" set startip 10.240.250.100 set endip 10.240.250.100 next end

NAT destination :

config firewall vip edit "NAT_DEST_Z_LAN" set uuid d7f36d5c-69a3-51e8-db84-0f401ccfe465 set extip 10.129.100.1-10.129.100.254 set extintf "VPN_INTERCO-IN" set mappedip "10.93.1.1-10.93.1.254" next end

Static routes :

config router static edit 22 set dst 10.93.1.0 255.255.255.0 set device "VPN-Z" set comment "VPN-Z" next end

Firewall policy :

config firewall policy edit 15 set name "VPN-Z" set uuid b26c4fc6-69a4-51e8-cfbd-416ac9af4bfe set srcintf "VPN_INTERCO-IN" set dstintf "VPN-Z" set srcaddr "all" set dstaddr "NAT_DEST_Z_LAN" set action accept set schedule "always" set service "ALL" set logtraffic all set nat enable set ippool enable set poolname "NAT_SOURCE_VPN_Z" next end

The customer Y tunnel is up and running.

Tunnel Z is down (I do not have an admin account on this firewall, so no CLI logs - VPN Events says that phase 1 is ok, nothing about the phase 2)

Some thoughts : - Destination network of the two routes (tunnel Y and Z) are the same, this may be the cause of the problem - The Fortinet cookbook Site-to-site IPsec VPN with overlapping subnets indicate a route with the external network ("NAT") as destination. I tried this, but the Y tunnel is not working with this route. I have to configure the mapped ("real") network as destination. I do not understand why it does not work as the routing is done after the destination NAT (see packet flow diagram below - source). - I thought about using policy-based tunnel but the source NAT option is not available if the "IPsec" action is selected (source NAT is possible only with the Accpet et Learn options) - I also thought about using policy-basded routing but it looks impossible to me because the source NAT is done after the routing

Any help you can give will be greatly appreciated...

Iescudero · ‎06-07-2018

Hi there!

You can solve this by changing this in each peer:

set src-subnet 0.0.0.0 0.0.0.0 set dst-subnet 0.0.0.0 0.0.0.0

Then you can use routes (as you already mentioned) to control traffic and policys to control access.

Toshi_Esumi · ‎06-07-2018

What is your objective setting up two VPNs with two locations where they have the same subnet? Do you really need to reach each devices at the customer locations from your end, or they need to reach common resources at your location X? Obviously you can't have the remote subnet 10.93.1.0/24 exposed in your local FGT. How do you or FGT differenciate a device 10.93.1.10 at location Y from another 10.93.1.10 device at location Z to send packets into the tunnel? You need to use VIPs to have different subnet/IPs to specify each device that has the same local IP. But if only customer side needs to reach your common resources, the remote FGTs need just SNAT.

ericli_FTNT · ‎06-07-2018

Hi Fabien,

Your design can't meet your requirement because if you need to access to two branches, you would need to create TWO interfaces facing to each branch and apply VIP on it.

Later I would reproduce your scenario and post with sample config. Get back to you soon.

Fabien_34 · ‎06-07-2018

Thanks to all for your messages.

@ lescudero :

Thanks for your help, but according to me it will not change the routes issue (two routes with the same destination, as I can only route the mapped network).

@ Toshi :

What is your objective setting up two VPNs with two locations where they have the same subnet?

Yes.

Do you really need to reach each devices at the customer locations from your end, or they need to reach common resources at your location X?

We need to reach each devices at the customer locations from our end.

Obviously you can't have the remote subnet 10.93.1.0/24 exposed in your local FGT. How do you or FGT differenciate a device 10.93.1.10 at location Y from another 10.93.1.10 device at location Z to send packets into the tunnel?

Exactly.

You need to use VIPs to have different subnet/IPs to specify each device that has the same local IP.

That's done, I use one VIP for each VPN :

config firewall vip edit "NAT_DEST_Y_LAN" set extip 10.129.7.1-10.129.7.254 set mappedip "10.93.1.1-10.93.1.254"

config firewall vip edit "NAT_DEST_Z_LAN" set extip 10.129.100.1-10.129.100.254 set mappedip "10.93.1.1-10.93.1.254"

But what about the routes ? Routing the VIP External network (i.e. 10.129.x.0/24) into the VPN tunnel does not work according to my tests. If I have to route the mapped network (i.e. 10.93.1.0/24), the two route will have the same destination. That's the problem.

But if only customer side needs to reach your common resources, the remote FGTs need just SNAT.

Unfortunately we need to reach each devices at the customer locations from our end.

@ ericli_FTNT

Not sure to understand your point. 1. The VIP are applied to the incoming interface ("VPN_INTERCO-IN"). According to the packet flow diagram, the destination NAT is done before the routing. So I should be able to use Externat network (i.e. 10.129.x.0/24) in my routes - but only routes using mapped network (i.e. 10.93.1.0/24) works. 2. I tried to apply the VIP to the tunnel interfaces. I can do that, but after I can not chosse the VIP as destination in my policy !

ericli_FTNT · ‎06-07-2018

For overlapping subnets, FGT needs to differentiate them anyway. In this case, it's done by NAT on different phase1 interfaces.

On each phase 1 interface, for one subnet, you can only apply one VIP.

You can't apply two different VIP on one interface, mapped to one same subnet.

The cookbook's sample is one to one, so there is only one interface. If you need to build a hub-spoke structure, you need more interfaces.

I'm working on your case now. I will post my config asap.

emnoc · ‎06-07-2018

Routing the VIP External network (i.e. 10.129.x.0/24) into the VPN tunnel does not work according to my tests

1: Place the VIP at the two remote firewalls

2: place static route for the 2x VIP /24 using the correct phase1-interface tunnel name

4: place the 2x /24 in the correct phase2-interface dst-subnets

4: apply fwpolicies

It's really not that hard. All traffic exting your network to either 10.129.7.0/24 10.128.100.0/24 will go thru the correct tunnel

The last issues you have the SNAT of the pools need to be called up in the firewall. So make sure to check that use diag debug flow for any diagnostics

if you still have problems post the cfg for us to peer-review. In the long run it might be better to reconfigure one of the remote-sites networks imho. A little work now, will save you much latter work , problem and grief )

ken

PCNSE

NSE

StrongSwan

ericli_FTNT · ‎06-07-2018

yes

Fabien_34 · ‎06-08-2018

Hello emnoc, I forgot to mention one important point: the two remote firewalls are very basic (VMWare NSX Edge). They can not do nay NAT (source or destination) for tunneled traffic. The source NAT and the destination NAT have to be done on the Fortinet. And I have accomplished this using IP Pool (source NAT) and VIP (destination NAT). The only remlaining problem is with the two routes : is there a way of using the external network instead of the mapped network as destination?

ericli_FTNT · ‎06-08-2018

Fabien_34 wrote:
Hello emnoc, I forgot to mention one important point: the two remote firewalls are very basic (VMWare NSX Edge). They can not do nay NAT (source or destination) for tunneled traffic. The source NAT and the destination NAT have to be done on the Fortinet. And I have accomplished this using IP Pool (source NAT) and VIP (destination NAT). The only remlaining problem is with the two routes : is there a way of using the external network instead of the mapped network as destination?

So you need two interfaces to build VPN going to two customers. On two VPN interfaces, you can do NAT to convert two same subnets from two different interfaces to two different subnets.