Hello,
I am trying to setup site-to-site IPSec tunnels with two customers. Problem : they use the same subnet (common problem when establishing VPN tunnels). Diagram :
The configuration related to the customer Y tunnel :
Phase 1 :
config vpn ipsec phase1-interface edit "VPN_Y" set interface "VPN_INTERCO-OUT" set local-gw 46.235.xxx.xxx set peertype any set proposal aes128-sha1 3des-sha1 set comments "C00000843" set dhgrp 2 set remote-gw 46.235.yyy.yyy set psksecret ENC 22Qlkt[...]== next end
Phase 2 :
config vpn ipsec phase2-interface edit "VPN_Y" set phase1name "VPN_Y" set proposal aes128-sha1 3des-sha256 set dhgrp 2 set keylifeseconds 3600 set src-subnet 10.240.250.8 255.255.255.255 set dst-subnet 10.93.1.0 255.255.255.0 next end
NAT source :
config firewall ippool edit "NAT_SOURCE_VPN_Y" set startip 10.240.250.8 set endip 10.240.250.8 next end
NAT destination :
config firewall vip edit "NAT_DEST_Y_LAN" set uuid d23e818a-4ee1-51e8-9896-d94d9ae7ad2b set extip 10.129.7.1-10.129.7.254 set extintf "VPN_INTERCO-IN" set mappedip "10.93.1.1-10.93.1.254" next end
Static routes :
config router static edit 21 set dst 10.93.1.0 255.255.255.0 set distance 5 set device "VPN_Y" set comment "NET_Y_LAN" next end
Firewall policy :
config firewall policy edit 13 set name "VPN_Y" set uuid 31e63b7a-47ce-51e8-cf55-ad237dab5cbf set srcintf "VPN_INTERCO-IN" set dstintf "VPN_Y" set srcaddr "GRP_NET _MGT" set dstaddr "NAT_DEST_Y_LAN" set action accept set schedule "always" set service "GRP_ADMIN" set logtraffic all set nat enable set ippool enable set poolname "NAT_SOURCE_VPN_Y" next end
The configuration related to the customer Z tunnel :
Phase 1 :
config vpn ipsec phase1-interface edit "VPN-Z" set interface "VPN_INTERCO-OUT" set local-gw 46.235.xxx.xxx set peertype any set proposal aes128-sha1 3des-sha1 set dhgrp 2 set remote-gw 46.235.zzz.zzz set psksecret ENC 0ZmB1d[...]== next end
Phase 2 :
config vpn ipsec phase2-interface edit "VPN-Z" set phase1name "VPN-Z" set proposal aes128-sha1 3des-sha1 set dhgrp 2 set keylifeseconds 3600 set src-subnet 10.240.250.100 255.255.255.255 set dst-subnet 10.93.1.0 255.255.255.0 next end
NAT source :
config firewall ippool edit "NAT_SOURCE_VPN_Z" set startip 10.240.250.100 set endip 10.240.250.100 next end
NAT destination :
config firewall vip edit "NAT_DEST_Z_LAN" set uuid d7f36d5c-69a3-51e8-db84-0f401ccfe465 set extip 10.129.100.1-10.129.100.254 set extintf "VPN_INTERCO-IN" set mappedip "10.93.1.1-10.93.1.254" next end
Static routes :
config router static edit 22 set dst 10.93.1.0 255.255.255.0 set device "VPN-Z" set comment "VPN-Z" next end
Firewall policy :
config firewall policy edit 15 set name "VPN-Z" set uuid b26c4fc6-69a4-51e8-cfbd-416ac9af4bfe set srcintf "VPN_INTERCO-IN" set dstintf "VPN-Z" set srcaddr "all" set dstaddr "NAT_DEST_Z_LAN" set action accept set schedule "always" set service "ALL" set logtraffic all set nat enable set ippool enable set poolname "NAT_SOURCE_VPN_Z" next end
The customer Y tunnel is up and running.
Tunnel Z is down (I do not have an admin account on this firewall, so no CLI logs - VPN Events says that phase 1 is ok, nothing about the phase 2)
Some thoughts : - Destination network of the two routes (tunnel Y and Z) are the same, this may be the cause of the problem - The Fortinet cookbook Site-to-site IPsec VPN with overlapping subnets indicate a route with the external network ("NAT") as destination. I tried this, but the Y tunnel is not working with this route. I have to configure the mapped ("real") network as destination. I do not understand why it does not work as the routing is done after the destination NAT (see packet flow diagram below - source). - I thought about using policy-based tunnel but the source NAT option is not available if the "IPsec" action is selected (source NAT is possible only with the Accpet et Learn options) - I also thought about using policy-basded routing but it looks impossible to me because the source NAT is done after the routing
Any help you can give will be greatly appreciated...
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi there!
You can solve this by changing this in each peer:
set src-subnet 0.0.0.0 0.0.0.0 set dst-subnet 0.0.0.0 0.0.0.0
Then you can use routes (as you already mentioned) to control traffic and policys to control access.
What is your objective setting up two VPNs with two locations where they have the same subnet? Do you really need to reach each devices at the customer locations from your end, or they need to reach common resources at your location X? Obviously you can't have the remote subnet 10.93.1.0/24 exposed in your local FGT. How do you or FGT differenciate a device 10.93.1.10 at location Y from another 10.93.1.10 device at location Z to send packets into the tunnel? You need to use VIPs to have different subnet/IPs to specify each device that has the same local IP. But if only customer side needs to reach your common resources, the remote FGTs need just SNAT.
Hi Fabien,
Your design can't meet your requirement because if you need to access to two branches, you would need to create TWO interfaces facing to each branch and apply VIP on it.
Later I would reproduce your scenario and post with sample config. Get back to you soon.
Thanks to all for your messages.
@ lescudero :
Thanks for your help, but according to me it will not change the routes issue (two routes with the same destination, as I can only route the mapped network).
@ Toshi :
What is your objective setting up two VPNs with two locations where they have the same subnet?Yes.
Do you really need to reach each devices at the customer locations from your end, or they need to reach common resources at your location X?We need to reach each devices at the customer locations from our end.
Obviously you can't have the remote subnet 10.93.1.0/24 exposed in your local FGT. How do you or FGT differenciate a device 10.93.1.10 at location Y from another 10.93.1.10 device at location Z to send packets into the tunnel?Exactly.
You need to use VIPs to have different subnet/IPs to specify each device that has the same local IP.That's done, I use one VIP for each VPN :
config firewall vip edit "NAT_DEST_Y_LAN" set extip 10.129.7.1-10.129.7.254 set mappedip "10.93.1.1-10.93.1.254"
config firewall vip edit "NAT_DEST_Z_LAN" set extip 10.129.100.1-10.129.100.254 set mappedip "10.93.1.1-10.93.1.254"
But what about the routes ? Routing the VIP External network (i.e. 10.129.x.0/24) into the VPN tunnel does not work according to my tests. If I have to route the mapped network (i.e. 10.93.1.0/24), the two route will have the same destination. That's the problem.
But if only customer side needs to reach your common resources, the remote FGTs need just SNAT.Unfortunately we need to reach each devices at the customer locations from our end.
@ ericli_FTNT
Not sure to understand your point. 1. The VIP are applied to the incoming interface ("VPN_INTERCO-IN"). According to the packet flow diagram, the destination NAT is done before the routing. So I should be able to use Externat network (i.e. 10.129.x.0/24) in my routes - but only routes using mapped network (i.e. 10.93.1.0/24) works. 2. I tried to apply the VIP to the tunnel interfaces. I can do that, but after I can not chosse the VIP as destination in my policy !
For overlapping subnets, FGT needs to differentiate them anyway. In this case, it's done by NAT on different phase1 interfaces.
On each phase 1 interface, for one subnet, you can only apply one VIP.
You can't apply two different VIP on one interface, mapped to one same subnet.
The cookbook's sample is one to one, so there is only one interface. If you need to build a hub-spoke structure, you need more interfaces.
I'm working on your case now. I will post my config asap.
Routing the VIP External network (i.e. 10.129.x.0/24) into the VPN tunnel does not work according to my tests
1: Place the VIP at the two remote firewalls
2: place static route for the 2x VIP /24 using the correct phase1-interface tunnel name
4: place the 2x /24 in the correct phase2-interface dst-subnets
4: apply fwpolicies
It's really not that hard. All traffic exting your network to either 10.129.7.0/24 10.128.100.0/24 will go thru the correct tunnel
The last issues you have the SNAT of the pools need to be called up in the firewall. So make sure to check that use diag debug flow for any diagnostics
if you still have problems post the cfg for us to peer-review. In the long run it might be better to reconfigure one of the remote-sites networks imho. A little work now, will save you much latter work , problem and grief )
ken
PCNSE
NSE
StrongSwan
yes
Hello emnoc, I forgot to mention one important point: the two remote firewalls are very basic (VMWare NSX Edge). They can not do nay NAT (source or destination) for tunneled traffic. The source NAT and the destination NAT have to be done on the Fortinet. And I have accomplished this using IP Pool (source NAT) and VIP (destination NAT). The only remlaining problem is with the two routes : is there a way of using the external network instead of the mapped network as destination?
Fabien_34 wrote:Hello emnoc, I forgot to mention one important point: the two remote firewalls are very basic (VMWare NSX Edge). They can not do nay NAT (source or destination) for tunneled traffic. The source NAT and the destination NAT have to be done on the Fortinet. And I have accomplished this using IP Pool (source NAT) and VIP (destination NAT). The only remlaining problem is with the two routes : is there a way of using the external network instead of the mapped network as destination?
So you need two interfaces to build VPN going to two customers. On two VPN interfaces, you can do NAT to convert two same subnets from two different interfaces to two different subnets.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.