I've seen several references throughout this site stating that enabling "allow-subnet-overlap" is VERY VERY bad and should never, ever be done.
There are times when there are good reasons for assigning two IPs to an interface (e.g. 10.0.0.1 and 10.0.0.2 to WAN1). I also know that VIPs can be used instead of secondary IPs in other instances. For the moment, let's not discuss VIPs.
I haven't been able to find a reference in any manual suggesting that this is a dreadfully bad thing. The manuals do state that asymmetric routing should only be enabled for limited troubleshooting purposes because it disables stateful inspection. This makes sense, but what I don't understand is how enabling allow-subnet-overlap also enables asymmetric routing, as has been suggested by others within this forum.
In fact, Fortinet even specifies it should be enabled in the KB document "How to setup IPSEC VPN on secondary IP address".
I've also seen posts from others where apparently Fortinet Support has advised them to enable "allow-subnet-overlap". Is the Fortinet Knowledgebase flat-out wrong? Is the information given by Support also wrong? Please help me understand the situation. I would appreciate a detailed explanation or even a polite reference to a link or a PDF/page number with any relevant information.
I appreciate the reply. It's a little hard to understand because there have been several posts implying that asymmetric routing will be enabled if two IP addresses are assigned to a single interface.
Like I said, even Fortinet docs indicate this is the method of binding IPsec VPNs to a secondary address.
Any further comments?
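For readers following this thread, here is the FortiOS CLI for the configuration the posts describe. This is an added illustration, not part of any post and not taken from the Fortinet KB article mentioned above. It shows the two settings under discussion, which are separate keywords under "config system settings" (allow-subnet-overlap and asymroute), and the secondary address on WAN1 that the original poster uses as the example. Interface name, addresses and the assumption of a non-VDOM unit are illustrative; on a unit in VDOM mode these settings live under the VDOM ("config vdom", "edit root") rather than at the global prompt. The "#" lines are explanatory comments and are not typed into the CLI.

```text
# Global/VDOM-level settings. Each is its own keyword; enabling one does not
# change the other in the configuration.
config system settings
    set allow-subnet-overlap enable
    # asymroute stays at its default (disable): stateful inspection unchanged
    set asymroute disable
end

# Secondary IP in the same subnet as the primary address on WAN1.
# The CLI rejects this overlap unless allow-subnet-overlap is enabled,
# which is why the KB article for IPsec on a secondary IP calls for it.
config system interface
    edit "wan1"
        set ip 10.0.0.1 255.255.255.0
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.0.0.2 255.255.255.0
            next
        end
    next
end

# Check what is actually in effect before and after the change.
show system settings
get system settings | grep -i -E "asymroute|subnet-overlap"
show system interface wan1
```

The last three commands are the practical check: compare the "asymroute" line of "get system settings" before and after enabling allow-subnet-overlap on your own unit, which answers for your firmware whether one setting has any effect on the other.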