mavaje7896
New Contributor

site-to-site IPsec VPN only allows 192.168.0.0/24

We established a site-to-site VPN that works, our traffic from 192.168.0.0/24 goes across this VPN to 172.16.24.0/24.
However, remote dial-up IPsec users now need access to this tunnel.
Our remote dial-up IPsec users are using 192.168.1.0/24, and when they attempt to access this tunnel, the remote peer denies it because it is not from 192.168.0.0/24.
How do I make the remote dial-in users 192.168.1.0/24 appear to be from our primary 192.168.0.0/24 network so that it is allowed to go across the VPN?
The VPN provider offers one subnet, I've asked them for a second, they said that's not an option.
Any advice or a point in the right direction would help, thank you.

1 REPLY
akristof
Staff

Hello,

Thank you for your question. I see two ways you can do it.

1) Create a new phase 2 on both devices to allow 192.168.1.0/24 to enter the IPsec tunnel.

2) On the firewall policy that allows traffic from the dial-up tunnel to the site-to-site tunnel, enable NAT with an IP pool from 192.168.0.0/24 (or some subset); the FortiGate will SNAT the traffic and it will be allowed to enter the tunnel.

Adrian
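As an added illustration (not part of the reply above, and not taken from any Fortinet documentation), the FortiOS CLI below shows what both options look like on the local FortiGate. The interface names "dialup-vpn" and "site2site-vpn", the address object names, and the pool address 192.168.0.250 are assumptions; only the subnets come from the question. Option 1 only works if the remote peer adds the matching 192.168.1.0/24 selector on its side, which is exactly what the question says the provider refused, so in practice option 2 is the one that fits this case.

```fortios
# Address objects for the two networks named in the question.
config firewall address
    edit "dialup-clients"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "remote-lan"
        set subnet 172.16.24.0 255.255.255.0
    next
end

# Option 1: additional phase 2 selector on the site-to-site tunnel.
# The peer must configure the mirror image (172.16.24.0/24 <-> 192.168.1.0/24)
# or the proposal is rejected during negotiation, as the question describes.
config vpn ipsec phase2-interface
    edit "site2site-p2-dialup"
        set phase1name "site2site-vpn"          # assumed phase 1 name
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 172.16.24.0 255.255.255.0
    next
end

# Option 2: SNAT the dial-up clients into the already-permitted 192.168.0.0/24.
# An overload pool with a single, otherwise unused address from the primary LAN
# keeps the translated traffic inside the existing phase 2 selector.
config firewall ippool
    edit "dialup-to-s2s-pool"
        set type overload
        set startip 192.168.0.250                # assumed free address on the LAN
        set endip 192.168.0.250
    next
end

# Policy from the dial-up tunnel interface to the site-to-site tunnel interface.
# Because NAT is applied here, the peer only ever sees 192.168.0.250 as the
# source and return traffic is un-NATed by the FortiGate session table.
config firewall policy
    edit 0
        set name "dialup-to-site2site"
        set srcintf "dialup-vpn"                 # assumed dial-up phase 1 interface
        set dstintf "site2site-vpn"              # assumed site-to-site phase 1 interface
        set srcaddr "dialup-clients"
        set dstaddr "remote-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "dialup-to-s2s-pool"
        set logtraffic all
    next
end
```

Two checks worth doing after applying option 2: confirm the pool address is not assigned to any host on 192.168.0.0/24 (otherwise replies from the remote side can be misdelivered), and verify with `diagnose sniffer packet site2site-vpn 'host 172.16.24.1'` style captures that traffic leaving the tunnel carries the pool address rather than a 192.168.1.x source. Keeping `logtraffic all` on this policy also makes it easy to see which dial-up users are reaching the remote network through the shared address.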