site-to-site IPsec VPN only allows 192.168.0.0/24
We established a site-to-site VPN that works, our traffic from 192.168.0.0/24 goes across this VPN to 172.16.24.0/24.
However, remote dial-up IPsec users now need access to this tunnel.
Our remote dial-up IPsec users are using 192.168.1.0/24, and when they attempt to access this tunnel, the remote peer denies it because it is not from 192.168.0.0/24.
How do I make the remote dial-in users 192.168.1.0/24 appear to be from our primary 192.168.0.0/24 network so that it is allowed to go across the VPN?
The VPN provider offers one subnet, I've asked them for a second, they said that's not an option.
Any advice or a point in the right direction would help, thank you.
Labels: FortiGate
Hello,
Thank you for your question. I see two ways you can do it.
1) Create a new phase2 on both devices to allow 192.168.1.0/24 to enter the IPsec tunnel.
2) On the firewall policy that allows traffic from the dial-up tunnel to the site-to-site tunnel, enable NAT with an IP pool in 192.168.0.0/24 (or some subset); FortiGate will SNAT the traffic and it will be allowed to enter the tunnel.
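The two options above, written out as FortiOS CLI. This is an added illustration, not configuration from the original post or from Fortinet; the tunnel names (`dialup-p1`, `site2site-p1`), interface names, address objects and the pool range 192.168.0.240-192.168.0.250 are assumptions chosen for the example and must be adjusted to the real device. Option 1 only works if the remote peer adds a matching selector for 192.168.1.0/24, which the question says the provider refused, so option 2 is the one that fits the constraint as stated.

```fortios
# --- Option 1: add a phase2 selector for the dial-up subnet on the
# site-to-site tunnel (the remote peer needs the mirror-image selector).
config vpn ipsec phase2-interface
    edit "site2site-p2-dialup"
        set phase1name "site2site-p1"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 172.16.24.0 255.255.255.0
    next
end

# --- Option 2: source-NAT dial-up clients into the subnet the peer
# already accepts. Use a small overload (many-to-few) pool taken from
# an unused part of 192.168.0.0/24 so it cannot collide with real hosts.
config firewall ippool
    edit "dialup-to-s2s-pool"
        set type overload
        set startip 192.168.0.240
        set endip 192.168.0.250
    next
end

config firewall address
    edit "dialup-clients"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "remote-site-lan"
        set subnet 172.16.24.0 255.255.255.0
    next
end

# Policy from the dial-up tunnel interface into the site-to-site tunnel
# interface. NAT with the pool rewrites the source to 192.168.0.240-250,
# which matches the peer's phase2 selector, so the traffic is accepted.
config firewall policy
    edit 0
        set name "dialup-to-site2site"
        set srcintf "dialup-p1"
        set dstintf "site2site-p1"
        set srcaddr "dialup-clients"
        set dstaddr "remote-site-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "dialup-to-s2s-pool"
        set logtraffic all
    next
end
```

With option 2 the remote side only ever sees the pool addresses, so keep the pool range documented and excluded from DHCP on 192.168.0.0/24; enabling `logtraffic all` on the policy lets you confirm the translated source in the forward log when testing.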
