VPN with same subnet
Hi everybody,
I need to create a new VPN IPSec site-to-site on my forti.
The problem is that I already have a VPN with the same subnet.
Main site : 192.168.10.0/24
Remote site : 192.168.1.0/24
New site : 192.168.1.0/24
I've seen the documentation about the "overlapping subnet" but it's not exactly what I need.
I can't change the IPs on the remote sites (other companies).
Thanks for your help
G.
Labels: 5.2
Dominik Weglarz, IT System Engineer
Hi dominikw,
Thanks for your answer.
I've seen this KB, but in my case it's two remote LANs, not the main site and a remote.
Thanks
Gamba,
If it is the remote LAN that is the same, I would ask the remote end to NAT their entire range over the VPN to your network: a full 1-to-1 NAT of every IP to an IP range your network does not know about. Then your side is a standard VPN setup :)
In regards to the documentation you read about VPNs and overlapping subnets, it is roughly what you need to configure -> http://cookbook.fortinet.com/vpn-overlapping-subnets/
Thanks,
Ponder.
What you need to do:
- substitute your fantasy IP addresses (10.11.12.0/24) for the real addresses (192.168.1.0/24) on entry to the tunnel, using destination NAT
- substitute the real addresses (192.168.1.0/24) coming from the tunnel to your fantasy IP addresses (10.11.12.0/24), using source NAT
In FortiOS, dNAT is done by VIPs, sNAT by IP pools.
The route pointing to the tunnel should be for your fantasy IP addresses (10.11.12.0/24).
The KB articles (though I haven't read them...) show the 'how-to' pretty much. Actually, your case is less complicated as you already have a non-overlapping subnet at your HQ. So you only translate one of the two remote subnets.
All of this is done entirely on your side - the remote network admin doesn't have to do anything. Which often is a good thing.
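The layout described above, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in this thread. Assumed names: "port1" is the HQ LAN interface, "vpn-new-site" is the phase1 interface of the new tunnel, 10.11.12.0/24 is the fantasy range; "all" stands in for the HQ address object for brevity, and the fixed-port-range pool type (used so that 192.168.1.x always maps to 10.11.12.x with the same last octet) should be checked against the FortiOS release in use, since pool syntax differs between versions.

```fortios
config firewall vip
    edit "vip-newsite"
        # dNAT on entry to the tunnel: HQ hosts send to 10.11.12.x,
        # the packet enters the new tunnel with dst 192.168.1.x
        set extintf "any"
        set extip 10.11.12.1-10.11.12.254
        set mappedip "192.168.1.1-192.168.1.254"
    next
end
config firewall ippool
    edit "pool-newsite"
        # sNAT on exit from the tunnel for sessions the new site starts:
        # src 192.168.1.x is shown to the HQ LAN as 10.11.12.x
        set type fixed-port-range
        set startip 10.11.12.1
        set endip 10.11.12.254
        set source-startip 192.168.1.1
        set source-endip 192.168.1.254
    next
end
config router static
    edit 0
        # only the fantasy range is routed into the new tunnel;
        # 192.168.1.0/24 keeps pointing at the first remote site
        set dst 10.11.12.0 255.255.255.0
        set device "vpn-new-site"
    next
end
config firewall policy
    edit 0
        # HQ -> new site, destination rewritten by the VIP
        set srcintf "port1"
        set dstintf "vpn-new-site"
        set srcaddr "all"
        set dstaddr "vip-newsite"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        # new site -> HQ, source rewritten by the IP pool
        set srcintf "vpn-new-site"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-newsite"
    next
end
```

The new tunnel's phase2 selectors stay on the real 192.168.1.0/24, because the policy NAT is applied before the packet is encapsulated; only the route and the HQ-facing addresses use the fantasy range.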
Hi everybody,
Many thanks for your help.
I've solved my problem by dividing my remote LANs:
Remote 1 : 192.168.1.1-192.168.1.149
Remote 2 : 192.168.1.150-192.168.1.250
It works well
Bye
G.
