Hi everybody,
I need to create a new VPN IPSec site-to-site on my forti.
The problem is that I already have a VPN with the same subnet.
Main site : 192.168.10.0/24
Remote site : 192.168.1.0/24
New site : 192.168.1.0/24
I've seen the documentation about the "overlapping subnet" but it's not exactly what I need.
I can't change the IPs on the remote sites (other companies).
Thanks for your help
G.
Dominik Weglarz, IT System Engineer
Hi dominikw,
Thanks for your answer.
I've seen this KB, but in my case it's two remote LANs and not the main and a remote.
Thanks
Gamba,
If it is the remote LAN that is the same, I would ask the remote end to NAT their entire range over the VPN to your network. A full 1-to-1 NAT for every IP to an IP range your network does not know about. Then your side is a standard VPN setup :)
In regards to the documentation you read about VPNs and overlapping subnets, it is roughly what you need to configure -> http://cookbook.fortinet.com/vpn-overlapping-subnets/
Thanks,
Ponder.
What you need to do:
- substitute your fantasy IP addresses (10.11.12.0/24) for the real addresses (192.168.1.0/24) on entry to the tunnel, using destination NAT
- substitute the real addresses (192.168.1.0/24) coming from the tunnel to your fantasy IP addresses (10.11.12.0/24), using source NAT
In FortiOS, dNAT is done by VIPs, sNAT by IP pools.
The route pointing to the tunnel should be for your fantasy IP addresses (10.11.12.0/24).
The KB articles (though I haven't read them...) show the 'how-to' pretty much. Actually, your case is less complicated as you already have a non-overlapping subnet at your HQ. So you only translate one of the two remote subnets.
All of this is done entirely on your side - the remote network admin doesn't have to do anything. Which often is a good thing.
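As an added illustration of the VIP / IP-pool / static-route approach described in this post (example config written for this page, not from the poster, the KB or Fortinet), here is a FortiOS CLI fragment translating the second remote site to the fantasy range 10.11.12.0/24. The port name "internal", the tunnel interface "vpn-remote2", the address objects "HQ-LAN" and "Remote2-real" and the pool type are assumptions; the IPsec phase 1/phase 2 configuration of the tunnel itself is not shown.

```fortios
# Added example (not from the thread). Assumed names: port "internal" (HQ LAN 192.168.10.0/24)
# and "vpn-remote2" (IPsec tunnel interface to the second site).
# dNAT: HQ hosts address 10.11.12.x; the VIP rewrites it to the real 192.168.1.x before the tunnel.
config firewall vip
    edit "vip-remote2-fantasy"
        set extip 10.11.12.1-10.11.12.254
        set mappedip "192.168.1.1-192.168.1.254"
    next
end
# sNAT: traffic from the tunnel with src 192.168.1.x becomes 10.11.12.x (fixed-port-range = deterministic 1:1).
config firewall ippool
    edit "pool-remote2-fantasy"
        set type fixed-port-range
        set startip 10.11.12.1
        set endip 10.11.12.254
        set source-startip 192.168.1.1
        set source-endip 192.168.1.254
    next
end
# Route only the fantasy range into the new tunnel; the existing 192.168.1.0/24 route to site 1 is unchanged.
config router static
    edit 0
        set dst 10.11.12.0 255.255.255.0
        set device "vpn-remote2"
    next
end
# Policies. "HQ-LAN" (192.168.10.0/24) and "Remote2-real" (192.168.1.0/24) are assumed address objects.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "vpn-remote2"
        set srcaddr "HQ-LAN"
        set dstaddr "vip-remote2-fantasy"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "vpn-remote2"
        set dstintf "internal"
        set srcaddr "Remote2-real"
        set dstaddr "HQ-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-remote2-fantasy"
    next
end
```

The first policy carries HQ-to-site-2 traffic with the VIP as destination; the second carries site-2-to-HQ traffic and applies the pool as source NAT, so HQ only ever sees 10.11.12.x for that site.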
Hi everybody,
Many thanks for your help.
I've solved my problem by dividing my remote LANs:
Remote 1 : 192.168.1.1-192.168.1.149
Remote 2 : 192.168.1.150-192.168.1.250
It works well
Bye
G.