VPN to remote site with dedicated local interface port - FortiGate 40F to FortiGate 40F
I am a newbie and please forgive what is likely a silly question.
My office has a FortiGate 40F as our router and DHCP server.
I have a customer site where we have installed a 40F and use FortiClient to access their network. This all works great.
All I want to do is assign our local port 3 as a connection to our client's network on a full-time basis. I will be connecting equipment for testing purposes and have no need nor desire to access this equipment locally through the network. I ran through the steps from the cookbook, but somehow, I ended up exposing IP addresses at both sites to each other and caused some real mayhem. (Somehow added a 1-to-1 NAT within our local DHCP range, that was fun!)
Could I get some advice?
Footnote: I will be exploring options for additional education on this product to avoid dumb questions in the future.
Port 3 plan is as you say, any hardware connected to it would be as if it was on site at the customer end. I was hoping I could isolate port 3 from my local LAN completely and avoid the subnet overlap outright. Maybe I could add a VLAN?
OK that is good news. So just assign a non-overlapping subnet to port3. You can use FW policies to restrict access to/from this interface and the VPN tunnel.
Then create an IPsec tunnel between the two FortiGate units over the WAN interfaces. Use the subnet of port3 and the remote 192.168.0.0/20 subnet as your phase2 selectors (local/remote subnets) and you should be good to go.
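An added example of the office-side FortiOS CLI configuration this reply describes (not from the thread): port3 on its own non-overlapping subnet, the phase1/phase2 tunnel with port3 and 192.168.0.0/20 as selectors, a static route into the tunnel, and a single policy from port3 into the tunnel. Assumed values: port3 uses 192.168.50.0/24, the WAN interface is wan1, the customer gateway is the placeholder 203.0.113.2, and all object names are made up.

```fortios
config system interface
    edit "port3"
        set ip 192.168.50.1 255.255.255.0
    next
end
config firewall address
    edit "port3-lan"
        set subnet 192.168.50.0 255.255.255.0
    next
    edit "customer-lan"
        set subnet 192.168.0.0 255.255.240.0
    next
end
config vpn ipsec phase1-interface
    edit "to-customer"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        set remote-gw 203.0.113.2
        set psksecret "REPLACE-WITH-STRONG-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "to-customer-p2"
        set phase1name "to-customer"
        set proposal aes256-sha256
        set src-subnet 192.168.50.0 255.255.255.0
        set dst-subnet 192.168.0.0 255.255.240.0
    next
end
# Route the customer /20 into the tunnel interface (assumed names)
config router static
    edit 0
        set dst 192.168.0.0 255.255.240.0
        set device "to-customer"
    next
end
# Only port3 -> tunnel is allowed; port3 -> office LAN stays implicitly denied
config firewall policy
    edit 0
        set name "port3-to-customer"
        set srcintf "port3"
        set dstintf "to-customer"
        set srcaddr "port3-lan"
        set dstaddr "customer-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The customer-side unit gets the mirror configuration (swapped selectors, a route back to 192.168.50.0/24, and a policy from its tunnel interface to its LAN); if customer-side hosts must initiate connections to the test equipment, add a matching tunnel-to-port3 policy on the office side as well.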
Yes, do not use overlapping subnets. That causes too much trouble and obfuscation.
Build the Site2Site as said. Create the policies on both sides to allow traffic to flow (IPsec will not come up without a policy anyhow) and also make sure that both sides have a route to the opposite subnet that should be reachable.
You could always run a flow trace on the CLI of either FGT to see what happens to your traffic:
diag debug enable
diag debug flow filter clear
diag debug flow filter <filter> (without parameters it will show all current filters, or "?" to show the parameters)
Probably set a source and/or destination address filter (because without one you will get tons of traced traffic).