botisys
On a FortiGate, how do I set up a Fortinet-to-Cisco site-to-site VPN that has overlapping subnets?

I have set up a site-to-site FortiGate to Cisco VPN using the wizard. I have 3 local subnets included in the P2. Two of those subnets overlap with subnets on the Cisco end. We have agreed on available subnets that can be used for VIP. I have set up each subnet as a separate P2. If I use the actual subnets in the P2s, only the nonconflicting subnet comes up. If I replace the subnets with the VIP subnets, then all 3 subnets come up.
After the VPN is brought up, I attempt to ping the Cisco end. The ping fails. No traffic is passing through the VPN. I'm thinking the problem is with the policies on the VPN. Perhaps the VIPs need to be included in the addresses.
I have searched the internet and the Fortinet site and have failed to find documentation that addresses this type of configuration. The site-to-site Fortinet with overlapping subnets documents do not work. Can you provide some guidance on how to troubleshoot this problem?
Garry Glendown

You will need to set up NAT in both directions. Say you have a net 10.10.10.0/24 on either side of the tunnel. You will need to define a different net for either side, say 10.10.1.0/24 for one end, 10.10.2.0/24 for the other, then set up the Phase 2 to use those instead of the original network. On the one end, you use NAT to translate 10.10.10.0/24 <-> 10.10.1.0/24 on incoming and outgoing traffic, on the other side the same for 10.10.10.0/24 <-> 10.10.2.0/24. You might also need to make sure that, if applicable, DNS queries return the right IP.
Getting it to work will be a major PITA. Maintenance on the connection will be a major PITA. I strongly suggest looking at changing the subnets on one side or the other so that they don't overlap.
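To make the scheme in the answer above concrete, here is a small Python model of the two-way translation. It is an added example, not part of the answer and not FortiGate configuration; the site names A/B, host offsets and function names are constructed for illustration, and the subnets are the ones the answer uses.

```python
"""Model of the double NAT described above (constructed example, not FortiGate config)."""
from ipaddress import ip_address, ip_network

REAL = ip_network("10.10.10.0/24")           # the subnet that exists at BOTH sites
XLATE = {"A": ip_network("10.10.1.0/24"),    # how site A appears to site B
         "B": ip_network("10.10.2.0/24")}    # how site B appears to site A
OTHER = {"A": "B", "B": "A"}


def selectors_usable(local, remote):
    """Phase 2 selectors only work when the two networks do not overlap; with the
    real (identical) subnets on both ends the SA may negotiate but carries nothing."""
    return not local.overlaps(remote)


def translate(addr, from_net, to_net):
    """1:1 static NAT: keep the host part, swap the network prefix."""
    offset = int(addr) - int(from_net.network_address)
    return ip_address(int(to_net.network_address) + offset)


def egress(site, src, dst):
    """Outbound NAT at `site`: real source -> translated source. The destination
    must already be the peer's translated address, or the selectors do not match."""
    src = translate(src, REAL, XLATE[site])
    local, remote = XLATE[site], XLATE[OTHER[site]]
    if not (src in local and dst in remote):
        raise ValueError(f"{src}->{dst} outside phase 2 selectors at site {site}")
    return src, dst


def ingress(site, src, dst):
    """Inbound NAT at `site` (the VIP role): translated destination -> real host."""
    return src, translate(dst, XLATE[site], REAL)


def round_trip(site, host_offset, peer_offset):
    """A host at `site` reaches the peer host via the peer's translated address and
    gets a reply. Returns the (src, dst) pair seen at each hop, as strings."""
    peer = OTHER[site]
    src = REAL.network_address + host_offset
    dst = XLATE[peer].network_address + peer_offset
    out = egress(site, src, dst)                # leaves the site, enters the tunnel
    delivered = ingress(peer, *out)             # reaches the real host at the peer
    reply = egress(peer, delivered[1], delivered[0])   # peer answers the translated address
    home = ingress(site, *reply)                # arrives back at the original host
    hops = {"sent": (src, dst), "tunnel": out, "delivered": delivered,
            "reply_tunnel": reply, "reply_delivered": home}
    return {k: (str(s), str(d)) for k, (s, d) in hops.items()}
```

The point the model makes is that hosts on each side must address the peer by its translated network, and the Phase 2 selectors must be the two translated networks, or the tunnel negotiates nothing useful.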
botisys

ASKER

I used this recently published document from Fortinet, and it appears to have fixed the problem:

http://cookbook.fortinet.com/site-to-site-ipsec-vpn-with-overlapping-subnets-60/

The thing that was messing me up was that when I pinged the remote site from the FortiGate CLI console, it would fail; if I pinged from a PC, it worked.