Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Donaire
New Contributor III

VPN Tunnel site to site (different local subnet)

Hi Guys,

How you doing?

I'm trying to create a VPN tunnel between two sites.

One has two local subnets on two different interfaces, and that's where my problem is: I don't know how to use both interfaces in the configuration.

 

Here is a table just to illustrate the configuration:

Local interface    Internal1 (where my problem is)
Local Subnets      192.168.50.0/24 (Internal1)
                   192.168.51.0/24 (Internal2)
Remote Subnets     192.168.0.0/24

Toshi_Esumi
Esteemed Contributor III

For the IPSec phase2 network selector, you can use 192.168.50.0/23<->192.168.0.0/24 to let them communicate with each other. If you have a tunnel interface IP and want to be able to test connectivity from either FGT, you need to add those selectors as well.

For the rest, you can use each subnet separately for routing, and have to have separate policies per interface unless you use a zone to bind internal1 and 2 together like "internal_zone".
Edit:

Actually you can use the /23 subnet for routing as well on the other side of the tunnel.
Toshi

ede_pfau
Esteemed Contributor III

Or, for simplicity, you can use a wildcard address '0.0.0.0/0' in phase2, for both the local and remote end - if the other side uses a FortiGate as well. This will allow any subnet to open the tunnel. You take care of security by creating the appropriate policies.
A wildcard address comes in handy when you have to deal with a high number of remote subnets, or when you do not know the remote subnet address ranges beforehand. That is, in the case of a dial-in VPN.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
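Putting the two replies together, here is a FortiOS CLI sketch for the side with the two LAN interfaces. This is an added example, not config from either poster; the phase1 name "site2site", the zone name "internal_zone" and the address objects "local_lans"/"remote_lan" are assumed, and the phase1 itself is assumed to already exist as a tunnel-interface (route-based) VPN.

```fortios
# Added example, not from the thread. Assumed names: phase1 "site2site",
# zone "internal_zone", addresses "remote_lan"/"local_lans".
config vpn ipsec phase2-interface
    edit "site2site-p2"
        set phase1name "site2site"
        # /23 summary covers 192.168.50.0/24 and 192.168.51.0/24 in one selector
        set src-subnet 192.168.50.0 255.255.254.0
        set dst-subnet 192.168.0.0 255.255.255.0
    next
end
# Bind both LAN interfaces into one zone so a single policy covers them
config system zone
    edit "internal_zone"
        set interface "internal1" "internal2"
    next
end
config firewall address
    edit "local_lans"
        set subnet 192.168.50.0 255.255.254.0
    next
    edit "remote_lan"
        set subnet 192.168.0.0 255.255.255.0
    next
end
# Route the remote subnet into the tunnel interface (same name as phase1)
config router static
    edit 0
        set dst 192.168.0.0 255.255.255.0
        set device "site2site"
    next
end
# The policy, not the selector, is the security boundary: with 0.0.0.0/0
# wildcard selectors (ede's option) this is the only thing limiting traffic.
config firewall policy
    edit 0
        set name "lan-to-site2site"
        set srcintf "internal_zone"
        set dstintf "site2site"
        set srcaddr "local_lans"
        set dstaddr "remote_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Traffic from the remote site back into the LANs needs the mirror policy (srcintf "site2site", dstintf "internal_zone"), and an interface can only be added to a zone once no existing policy references that interface directly.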