We established a site-to-site VPN that works, our traffic from 192.168.0.0/24 goes across this VPN to 172.16.24.0/24.
However, remote dial-up IPsec users now need access to this tunnel.
Our remote dial-up IPsec users are using 192.168.1.0/24, and when they attempt to access this tunnel, the remote peer denies it because it is not from 192.168.0.0/24.
How do I make the remote dial-in users 192.168.1.0/24 appear to be from our primary 192.168.0.0/24 network so that it is allowed to go across the VPN?
The VPN provider offers one subnet, I've asked them for a second, they said that's not an option.
Any advice or a point in the right direction would help, thank you.
Hello,
Thank you for your question. I see two ways you can do it.
1) Create a new phase2 on both devices to allow 192.168.1.0/24 to enter the IPsec tunnel.
2) On the firewall policy that is allowing traffic from the dialup tunnel to the site2site tunnel, enable NAT with an ippool from 192.168.0.0/24 (or some subset) and the FortiGate will SNAT the traffic so it will be allowed to enter the tunnel.
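As an added example (not from the original thread), this is what both options look like in FortiOS CLI. The phase1 interface names (dialup-vpn, s2s-vpn), address object names and the pool range 192.168.0.200-192.168.0.210 are assumptions; the pool only needs to be a subset of 192.168.0.0/24 that no real host on that LAN uses.

```fortios
# Address objects for the dialup client range and the remote LAN behind the site-to-site tunnel
config firewall address
    edit "dialup-net"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "remote-net"
        set subnet 172.16.24.0 255.255.255.0
    next
end

# Option 2: SNAT pool taken from the subnet the remote peer already accepts (assumed range)
config firewall ippool
    edit "dialup-snat-pool"
        set type overload
        set startip 192.168.0.200
        set endip 192.168.0.210
    next
end

# Option 2: policy from the dialup tunnel into the site-to-site tunnel with pool-based SNAT,
# so the traffic matches the existing 192.168.0.0/24 -> 172.16.24.0/24 selector
config firewall policy
    edit 0
        set name "dialup-to-s2s"
        set srcintf "dialup-vpn"
        set dstintf "s2s-vpn"
        set srcaddr "dialup-net"
        set dstaddr "remote-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "dialup-snat-pool"
    next
end

# Option 1 (only if the remote peer adds the matching selector): extra phase2 on the
# site-to-site tunnel so 192.168.1.0/24 is carried without NAT
config vpn ipsec phase2-interface
    edit "s2s-p2-dialup"
        set phase1name "s2s-vpn"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 172.16.24.0 255.255.255.0
    next
end
```

With option 2 the remote side sees only pool addresses, so its logs no longer identify individual dialup users; keep the dialup-side policy logging enabled if you need that attribution.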
Copyright 2024 Fortinet, Inc. All Rights Reserved.