Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Gamba
New Contributor

VPN with same subnet

Hi everybody,

 

I need to create a new VPN IPSec site-to-site on my forti.

 

The problem is that I have already a VPN with the same subnet.

 

Main site : 192.168.10.0/24

 

Remote site : 192.168.1.0/24

New site : 192.168.1.0./24

 

I've seen the documentation about the "overlapping subnet" but it's not exactly what I need.

 

I can't change the IP's on the remotes sites (another companies)

 

Thanks for your help

 

G.

5 REPLIES 5
dominikw
New Contributor II

Dominik Weglarz, IT System Engineer
Gamba
New Contributor

Hi dominikw,

 

Thanks for your answer.

 

I've seen this KB, but in my case it's two remote lan and not the main and a remote

 

Tnanks

ponder
New Contributor III

Gamba,

 

If it is the remote LAN that is the same, I would ask the remote end to NAT their entire range over the VPN to your network.  A full 1to1 NAT for every IP to an IP range your network does not know about.  Then your side is a standard VPN setup :)

 

In regards to the documentation you read about VPNs and overlapping subnets, it is roughly what you need to configure -> http://cookbook.fortinet.com/vpn-overlapping-subnets/

 

Thanks,

Ponder.

ede_pfau

What you need to do:

- substitute your fantasy IP addresses (10.11.12.0/24) for the real addresses (192.168.1.0/24) on entry to the tunnel, using destination NAT

- substitute the real addresses (192.168.1.0/24) coming from the tunnel to your fantasy IP addresses (10.11.12.0/24), using source NAT

 

In FortiOS, dNAT is done by VIPs, sNAT by IP pools.

The route pointing to the tunnel should be for your fantasy IP addresses (10.11.12.0/24).

 

The KB articles (though I haven't read them...) show the 'how-to' pretty much. Actually, your case is less complicated as you already have a non-overlapping subnet at your HQ. So you only translate one of the two remote subnets.

 

All of this is done entirely on your side - the remote network admin doesn't have to do anything. Which often is a good thing.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Gamba
New Contributor

Hi everybody,

 

Many thanks for your help.

 

I've solved my problem by dividing my remote lan's

 

Remote 1 : 192.168.1.1-192.168.1.149

Remote 2 : 192.168.1.150-192.168.1.250

 

It works well

 

Tschuss

 

G.

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors