FortiGate
aneshcheret
Staff
Article Id 194027
Description
This article describes how to reach the same network prefix in two different locations at the same time, over two different IPsec tunnels (overlapping subnets).
One way is to use 1-to-1 NAT to translate one of the overlapping subnets to another prefix on the remote side.
That approach is described in the cookbook article linked below.

Unfortunately, it is not always possible to change the configuration on the remote end.
In such a scenario, a workaround can be implemented locally on the FortiGate.

This article explains that local approach; it works with regular interfaces as well, not only with IPsec tunnels.

Useful Links:

Cookbook: Site-to-site IPsec VPN with overlapping subnets
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/657805/site-to-site-ipsec-vpn-with-overl...

Wikipedia: Virtual routing and forwarding

https://en.wikipedia.org/wiki/Virtual_routing_and_forwarding

Solution
When changing the configuration on the remote gateways is not possible, the local FortiGate has to hold two routes for the same destination prefix: one over the first tunnel and one over the second. Two equal routes in the same routing table cannot be told apart, so a way to separate them is needed. FortiOS provides this through VRF: an interface assigned to a VRF id gets its own routing table, and a static route whose device is in that VRF is installed only in that table.

In this scenario, the customer has an existing IPsec VPN tunnel, IPsec_A, to a 3rd party provider (3rd Part1).
The Phase 2 selectors for IPsec_A are:
Source 10.221.1.0/24 <-> Destination 192.168.22.0/24
The administrator now has to build a second IPsec VPN tunnel, IPsec_B, to another 3rd party provider (3rd Part2) with the same Phase 2 selectors.
To make this work without changing the configuration on either remote site, the following translation is implemented locally:

Hosts in 10.221.1.0/24 that need to reach 192.168.22.0/24 behind IPsec_B send their traffic to 192.168.220.0/24 instead; the FortiGate translates 192.168.220.x to 192.168.22.x (1-to-1, the host part is kept) before the packet enters IPsec_B. Traffic to 192.168.22.0/24 itself keeps using IPsec_A unchanged.

DNAT (the 1-to-1 translation) and VRF routing (a separate routing table for the IPsec_B side) together make both overlapping subnets reachable over their corresponding IPsec tunnels.

Network Diagram: 10.221.1.0/24 (lan) behind the FortiGate; IPsec_A to 3rd Part1 and IPsec_B to 3rd Part2 both terminate on wan1, and each remote site has 192.168.22.0/24 behind it.

The steps below assume that tunnel IPsec_A to 3rd party provider 3rd Part1 is already configured and that there are running connections over it; nothing in IPsec_A or its policies is changed.

1) Enable VDOMs (see the article listed under Related Articles).
2) Create a VDOM called INT-NAT.
3) Configure two inter-VDOM links between the "root" and "INT-NAT" VDOMs (one carries the untranslated request towards INT-NAT, the other returns the translated packet into VRF 10 of root):

  • Inter-VDOM link 1, name "root-INT": "root-INT0" is assigned to "root" and "root-INT1" to "INT-NAT". Addressing as used in the configuration below: root-INT0 20.20.20.1/24, root-INT1 20.20.20.2/24.

  • Inter-VDOM link 2, name "INT-root": "INT-root0" is assigned to "root" and "INT-root1" to "INT-NAT". Addressing as used in the configuration below: INT-root0 30.30.30.1/24, INT-root1 30.30.30.2/24.

4) Configure firewall addresses on “root”:
#config firewall address
    edit "10.221.1.0/24"
        set allow-routing enable
        set subnet 10.221.1.0 255.255.255.0
    next
    edit "192.168.22.0/24"
        set allow-routing enable
        set subnet 192.168.22.0 255.255.255.0
    next
    edit "192.168.220.0/24"
        set subnet 192.168.220.0 255.255.255.0
    next
end


5) Configure the IPsec VPN to 3rd Part2 on "root". In FortiOS the phase1-interface name is also the name of the tunnel interface, so the tunnel is named "IPSEC_B" here to match the interface, route and policy references that follow (the peer is 3rd Part2):
#config vpn ipsec phase1-interface
    edit "IPSEC_B"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes256-sha1
        set remote-gw y.y.y.y
        set psksecret ENC <encrypted_PSK>
    next
end

#config vpn ipsec phase2-interface
    edit "IPSEC_B"
        set phase1name "IPSEC_B"
        set proposal aes128-sha256 aes256-sha256 aes256gcm
        set src-addr-type name
        set dst-addr-type name
        set src-name "10.221.1.0/24"
        set dst-name "192.168.22.0/24"
    next
end

Note: the Phase 2 selectors are the real prefixes (10.221.1.0/24 and 192.168.22.0/24), not the 192.168.220.0/24 alias; the alias never leaves the FortiGate. The aes256-sha1 proposal is only needed if the peer cannot negotiate a SHA-2 proposal; keep the proposal list to what 3rd Part2 actually requires.
6) Assign vrf id 10 to INT-root0 and IPsec_B on VDOM “root”:
#config system interface
    edit "INT-root0"
        set vdom "root"
        set vrf 10 <---
        set ip 30.30.30.1 255.255.255.0
        set type vdom-link
    next
    edit "IPSEC_B"
        set vdom "root"
        set vrf 10 <---
        set type tunnel
        set interface "wan1"
    next
end
7) Configure static routes on VDOM "root". Routes 4 and 5 use interfaces that belong to VRF 10, so they are installed only in the VRF 10 table and do not collide with the existing VRF 0 route to 192.168.22.0/24 over IPsec_A; route 6 stays in VRF 0 and sends the 192.168.220.0/24 alias towards INT-NAT:
#config router static
    edit 4
        set device "IPSEC_B"
        set comment "VPN: IPSEC_B via vrf 10"
        set dstaddr "192.168.22.0/24"
    next
    edit 5
        set gateway 30.30.30.2
        set device "INT-root0"
        set comment "route to 10.221.1.0/24 for vrf 10"
        set dstaddr "10.221.1.0/24"
    next
    edit 6
        set dst 192.168.220.0 255.255.255.0
        set gateway 20.20.20.2
        set device "root-INT0"
    next
end
Note: static routes 4 and 5 are effective within VRF 10 because the interfaces used in these routes are assigned to that VRF. "set dstaddr" references a firewall address object, which must have "allow-routing" enabled (step 4); "set dst" takes the prefix directly.

8) Configure policies on VDOM "root": between INT-root0 and IPSEC_B (both in VRF 10) for the translated traffic in both directions, and from lan to root-INT0 for connections from 10.221.1.0/24 to the 192.168.220.0/24 alias. "service ALL" is used for brevity; restrict it to the required services in production:
#config firewall policy
    edit 4
        set name "vpn_IPSEC_B_local"
        set srcintf "INT-root0"
        set dstintf "IPSEC_B"
        set srcaddr "10.221.1.0/24"
        set dstaddr "192.168.22.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 5
        set name "vpn_IPSEC_B_remote"
        set srcintf "IPSEC_B"
        set dstintf "INT-root0"
        set srcaddr "192.168.22.0/24"
        set dstaddr "10.221.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 6
        set srcintf "lan"
        set dstintf "root-INT0"
        set srcaddr "10.221.1.0/24"
        set dstaddr "192.168.220.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end
9) Configure routes in VDOM "INT-NAT" (this VDOM has no VRF configuration; it only hands packets between the two inter-VDOM links and applies the translation):
#config router static
    edit 1
        set dst 10.221.1.0 255.255.255.0
        set gateway 20.20.20.1
        set device "root-INT1"
    next
    edit 2
        set dst 192.168.22.0 255.255.255.0
        set gateway 30.30.30.1
        set device "INT-root1"
    next
end
10) Configure a VIP in VDOM "INT-NAT" for the 1-to-1 DNAT. Both ranges have the same size, so 192.168.220.x is mapped to 192.168.22.x with the host part unchanged:
#config firewall vip
    edit "VIP-220-22"
        set extip 192.168.220.1-192.168.220.254
        set extintf "root-INT1"
        set mappedip "192.168.22.1-192.168.22.254"
    next
end
Note: this VIP translates the destination of connections initiated from 10.221.1.0/24 (and the replies of those sessions). For connections initiated from the 3rd Part2 side (policy 5 in "root" and policy 2 in "INT-NAT"), the source 192.168.22.x reaches the LAN untranslated, so LAN hosts cannot tell it apart from 3rd Part1's hosts. If such connections are required, enable NAT on the INT-NAT policy from INT-root1 to root-INT1 so that the static VIP also translates the source 192.168.22.x to 192.168.220.x; verify this behaviour on the FortiOS version in use.
11) Configure firewall policies in VDOM “INT-NAT”:
#config firewall policy
    edit 1
        set srcintf "root-INT1"
        set dstintf "INT-root1"
        set srcaddr "10.221.1.0/24"
        set dstaddr "VIP-220-22"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 2
        set srcintf "INT-root1"
        set dstintf "root-INT1"
        set srcaddr "192.168.22.0/24"
        set dstaddr "10.221.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end
As a result, routing table for VDOM “root” will be as follows:
# get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S* 0.0.0.0/0 [10/0] via z.z.z.z, wan1
C  a.b.c.d/20 is directly connected, wan1
C  10.221.1.0/24 is directly connected, lan
C  20.20.20.0/24 is directly connected, root-INT0
S  192.168.22.0/24 [10/0] is directly connected, IPSEC_A
S  192.168.220.0/24 [10/0] via 20.20.20.2, root-INT0

Routing table for VRF=10
S  10.221.1.0/24 [10/0] via 30.30.30.2, INT-root0
C  30.30.30.0/24 is directly connected, INT-root0
S  192.168.22.0/24 [10/0] is directly connected, IPSEC_B
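
The following Python model is an added example; it is not part of the Fortinet article and not FortiOS code. It reproduces the two mechanisms the design relies on (a static route inherits the VRF of its egress interface, and a static 1-to-1 VIP rewrites only the host part of the destination) using the interface names, addresses and VRF id from the steps above, and traces packets across the two VDOMs the same way the debug flows below do. The hosts 10.221.1.10 and 192.168.22.130, the helper names build, trace and ambiguous, and the simplification that only destination NAT is modelled are assumptions of the example; build(ipsec_b_vrf=0) models the configuration without step 6 and shows why the VRF id is needed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    device: str
    gateway: Optional[IPv4Address] = None


@dataclass
class Vdom:
    name: str
    iface_vrf: Dict[str, int]                       # interface -> VRF id; unlisted = VRF 0
    routes: List[Route] = field(default_factory=list)
    # static 1-to-1 VIPs: (extintf, external prefix, mapped prefix)
    vips: List[Tuple[str, IPv4Network, IPv4Network]] = field(default_factory=list)

    def vrf_of(self, iface: str) -> int:
        return self.iface_vrf.get(iface, 0)

    def lookup(self, vrf: int, dst: IPv4Address) -> Route:
        """Longest-prefix match among routes whose egress interface is in `vrf`
        (a static route lives in the VRF of its device, as in step 7)."""
        cands = [r for r in self.routes if self.vrf_of(r.device) == vrf and dst in r.prefix]
        if not cands:
            raise LookupError(f"{self.name}/vrf{vrf}: no route to {dst}")
        best = max(r.prefix.prefixlen for r in cands)
        winners = [r for r in cands if r.prefix.prefixlen == best]
        if len(winners) > 1:    # two equal routes in one table: the situation VRF avoids
            raise LookupError(f"{self.name}/vrf{vrf}: equal routes to {dst} via "
                              + " and ".join(w.device for w in winners))
        return winners[0]

    def dnat(self, ingress: str, dst: IPv4Address) -> IPv4Address:
        """Static 1-to-1 VIP (step 10): hosts .1-.254 of the external prefix map to the
        same host number in the mapped prefix; anything else passes untouched."""
        for extintf, ext, mapped in self.vips:
            if ingress == extintf and ext.network_address < dst < ext.broadcast_address:
                return IPv4Address(int(mapped.network_address) + (int(dst) - int(ext.network_address)))
        return dst


# inter-VDOM link endpoints (step 3): egress on one side is ingress on the other
LINKS = {
    "root-INT0": ("INT-NAT", "root-INT1"), "root-INT1": ("root", "root-INT0"),
    "INT-root0": ("INT-NAT", "INT-root1"), "INT-root1": ("root", "INT-root0"),
}


def build(ipsec_b_vrf: int = 10) -> Dict[str, Vdom]:
    """Routes from steps 7 and 9 plus the connected lan and IPsec_A routes.
    ipsec_b_vrf=0 models the configuration without step 6 (assumption of the example)."""
    n, a = ip_network, ip_address
    root = Vdom("root", {"INT-root0": ipsec_b_vrf, "IPSEC_B": ipsec_b_vrf})
    root.routes += [
        Route(n("10.221.1.0/24"), "lan"),                              # connected
        Route(n("192.168.22.0/24"), "IPSEC_A"),                        # pre-existing, VRF 0
        Route(n("192.168.22.0/24"), "IPSEC_B"),                        # route 4
        Route(n("10.221.1.0/24"), "INT-root0", a("30.30.30.2")),       # route 5
        Route(n("192.168.220.0/24"), "root-INT0", a("20.20.20.2")),    # route 6
    ]
    intnat = Vdom("INT-NAT", {})
    intnat.routes += [
        Route(n("10.221.1.0/24"), "root-INT1", a("20.20.20.1")),       # route 1
        Route(n("192.168.22.0/24"), "INT-root1", a("30.30.30.1")),     # route 2
    ]
    intnat.vips.append(("root-INT1", n("192.168.220.0/24"), n("192.168.22.0/24")))
    return {"root": root, "INT-NAT": intnat}


def trace(fabric: Dict[str, Vdom], vdom: str, ingress: str, src: str, dst: str) -> List[str]:
    """Follow one packet until it leaves on a non-link interface. Returns one line per
    VDOM/VRF hop; the last line is 'egress <vdom>/<iface> -> <final dst>'."""
    s, d = ip_address(src), ip_address(dst)
    hops: List[str] = []
    for _ in range(8):                       # bound the walk in case of a routing loop
        vd = fabric[vdom]
        vrf = vd.vrf_of(ingress)             # the ingress interface decides the VRF
        d = vd.dnat(ingress, d)              # the VIP applies before the route lookup
        r = vd.lookup(vrf, d)
        hops.append(f"{vdom}/vrf{vrf}: {s}->{d} in {ingress} out {r.device}")
        if r.device not in LINKS:
            hops.append(f"egress {vdom}/{r.device} -> {d}")
            return hops
        vdom, ingress = LINKS[r.device]
    raise RuntimeError("forwarding loop")


def ambiguous(fabric: Dict[str, Vdom], vdom: str, ingress: str, src: str, dst: str) -> bool:
    """True when the packet hits two equal routes in one VRF, i.e. no usable path."""
    try:
        trace(fabric, vdom, ingress, src, dst)
        return False
    except LookupError:
        return True


if __name__ == "__main__":
    fab = build()
    for args in (("root", "lan", "10.221.1.10", "192.168.22.130"),        # host behind 3rd Part1
                 ("root", "lan", "10.221.1.10", "192.168.220.130"),       # host behind 3rd Part2, via alias
                 ("root", "IPSEC_B", "192.168.22.130", "10.221.1.10")):   # packet from the 3rd Part2 side
        print("\n".join(trace(fab, *args)), "\n")
    print("without VRF 10:", ambiguous(build(0), "root", "lan", "10.221.1.10", "192.168.22.130"))
```

Running the block prints the three traces: the first leaves on IPSEC_A from VRF 0, the second crosses INT-NAT, is rewritten to 192.168.22.130 and leaves on IPSEC_B from VRF 10, and the third (a packet arriving from IPSEC_B) reaches lan with its 192.168.22.130 source untranslated, which is the limitation noted in step 10. The final line shows that without the VRF id the lookup for 192.168.22.130 hits two equal routes.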

Debug flow for an ICMP ping from 10.221.1.10 to 192.168.22.130 (existing path over IPSEC_A, unchanged):
id=20085 trace_id=4 func=print_pkt_detail line=5519 msg="vd-root:0 received a packet (proto=1, 10.221.1.10:1->192.168.22.130:2048) from lan. type=8, code=0, id=1, seq=699."
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5599 msg="Find an existing session, id-0000065e, original direction"
id=20085 trace_id=4 func=npu_handle_session44 line=1129 msg="Trying to offloading session from lan to IPSEC_A, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x03040000"
id=20085 trace_id=4 func=ip_session_install_npu_session line=352 msg="npu session installation succeeded"
id=20085 trace_id=4 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-IPSEC_A"
id=20085 trace_id=4 func=esp_output4 line=897 msg="IPsec encrypt/auth"
id=20085 trace_id=4 func=ipsec_output_finish line=532 msg="send to 10.109.16.100 via intf-wan1"
id=20085 trace_id=5 func=print_pkt_detail line=5519 msg="vd-root:0 received a packet (proto=1, 192.168.22.130:1->10.221.1.10:0) from IPSEC_A. type=0, code=0, id=1, seq=699."
Debug flow for an ICMP ping from 10.221.1.10 to 192.168.220.130 (new path: lan -> INT-NAT, DNAT to 192.168.22.130, then VRF 10 of root -> IPSEC_B):
id=20085 trace_id=9 func=print_pkt_detail line=5519 msg="vd-root:0 received a packet (proto=1, 10.221.1.10:1->192.168.220.130:2048) from lan. type=8, code=0, id=1, seq=714."
id=20085 trace_id=9 func=resolve_ip_tuple_fast line=5599 msg="Find an existing session, id-00000904, original direction"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-20.20.20.2 via root-INT0"
id=20085 trace_id=10 func=print_pkt_detail line=5519 msg="vd-INT-NAT:0 received a packet (proto=1, 10.221.1.10:1->192.168.220.130:2048) from root-INT1. type=8, code=0, id=1, seq=714."
id=20085 trace_id=10 func=resolve_ip_tuple_fast line=5599 msg="Find an existing session, id-00000905, original direction"
id=20085 trace_id=10 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=10 func=ip_session_run_all_tuple line=6777 msg="DNAT 192.168.220.130:8->192.168.22.130:1"
id=20085 trace_id=11 func=print_pkt_detail line=5519 msg="vd-root:10 received a packet (proto=1, 10.221.1.10:1->192.168.22.130:2048) from INT-root0. type=8, code=0, id=1, seq=714."
id=20085 trace_id=11 func=resolve_ip_tuple_fast line=5599 msg="Find an existing session, id-00000906, original direction"
id=20085 trace_id=11 func=vf_ip_route_input_common line=2591 msg="find a route: flag=00000000 gw-192.168.22.130 via IPSEC_B"
id=20085 trace_id=11 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-IPSEC_B"
id=20085 trace_id=11 func=esp_output4 line=897 msg="IPsec encrypt/auth"
id=20085 trace_id=11 func=ipsec_output_finish line=532 msg="send to 10.109.16.174 via intf-wan1"

Related Articles

Technical Tip : How to enable VDOM in FortiGate VM
