Site-to-site IPsec VPN with overlapping subnets


This recipe describes how to build a site-to-site IPsec VPN between two networks whose internal subnets overlap (both use 192.168.1.0/24 in this example). Virtual IP (VIP) ranges and static routes give each site a distinct address range for the other, so traffic is directed to the correct host on the correct network.

1. Create the IPsec VPN tunnel on FGT_1

Go to VPN > IPsec > Wizard.

Select Site to Site – FortiGate. Give it an appropriate Name and click Next.

Set Remote Gateway to the IP address used by the Internet-facing interface of FGT_2. The Outgoing Interface will automatically populate.

Enter a Pre-shared key and click Next.

Set Local Interface to your Internet-facing interface. The Local Subnets will automatically populate. Set Remote Subnets to the VIP of the internal network for FGT_2 (10.31.101.0/24) and click Create.

The VPN Wizard automatically creates the objects, policies, and static route required for the tunnel to function properly.

You can verify the policy creation under Policy & Objects > Policy > IPv4.

2. Add the Virtual IP Range on FGT_1

Go to Policy & Objects > Objects > Virtual IPs and create a Virtual IP range to redirect the traffic to the correct subnet.

Select Virtual IP from the Create New drop-down menu. Select IPv4 for the VIP Type and give the VIP an appropriate name.

Set the Interface to the IPsec VPN Site to Site interface from the drop-down menu.

Set External IP Address/Range to a range in the subnet you will be redirecting from (10.21.101.1 – 10.21.101.254) and Mapped IP Address/Range to the internal network range (192.168.1.1 – 192.168.1.254).

Select OK.

3. Create the IPsec VPN tunnel on FGT_2

Go to VPN > IPsec > Wizard.

Select Site to Site – FortiGate. Give it an appropriate Name and click Next.

Set Remote Gateway to the IP address used by the Internet-facing interface of FGT_1. The Outgoing Interface will automatically populate.

Enter a Pre-shared key and click Next.

Set Local Interface to your Internet-facing interface. The Local Subnets will automatically populate. Set Remote Subnets to the VIP of the internal network for FGT_1 (10.21.101.0/24) and click Create.

The VPN Wizard automatically creates the objects, policies, and static route required for the tunnel to function properly.

As before, you can verify the policy creation under Policy & Objects > Policy > IPv4.

4. Add the Virtual IP Range on FGT_2

Go to Policy & Objects > Objects > Virtual IPs and create a Virtual IP range to redirect the traffic to the correct subnet.

Select Virtual IP from the Create New drop-down menu. Select IPv4 for the VIP Type and give the VIP an appropriate name.

Set Interface to the IPsec VPN Site to Site interface from the drop-down menu.

Set External IP Address/Range to a range in the subnet you will be redirecting from (10.31.101.1 – 10.31.101.254) and Mapped IP Address/Range to the internal network range (192.168.1.1 – 192.168.1.254).

Select OK.

5. Results

Go to VPN > Monitor > IPsec Monitor. Right-click on the Site to Site VPN and select Bring Up.

Once the tunnel is up, the IPsec Monitor shows Incoming and Outgoing Data for it.
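As an added illustration (not part of the recipe or of FortiOS), the following Python model uses the recipe's addresses to show how the two VIP ranges and the wizard's static routes resolve the overlap, and checks the precondition that makes the scheme work: the VIP ranges must overlap neither real LAN nor each other. The Gateway and VipRange classes and the FGT_1/FGT_2 object names are assumptions made for the model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network, summarize_address_range
from typing import Optional, Tuple

@dataclass(frozen=True)
class VipRange:
    """Tunnel-interface VIP: ext_first..ext_last is DNAT'd one-to-one onto mapped_first.. (assumed model)."""
    ext_first: IPv4Address
    ext_last: IPv4Address
    mapped_first: IPv4Address

    def translate(self, dst: IPv4Address) -> Optional[IPv4Address]:
        if self.ext_first <= dst <= self.ext_last:
            return self.mapped_first + (int(dst) - int(self.ext_first))
        return None

@dataclass(frozen=True)
class Gateway:
    name: str
    lan: IPv4Network            # real LAN behind this FortiGate (same on both sites)
    remote_subnet: IPv4Network  # wizard "Remote Subnets": peer's VIP range, routed into the tunnel
    vip: VipRange               # the VIP range from step 2 (FGT_1) or step 4 (FGT_2)

# Addresses from the recipe: both LANs are 192.168.1.0/24; site 1 is reached as 10.21.101.x, site 2 as 10.31.101.x.
LAN = ip_network("192.168.1.0/24")
FGT_1 = Gateway("FGT_1", LAN, ip_network("10.31.101.0/24"),
                VipRange(ip_address("10.21.101.1"), ip_address("10.21.101.254"), ip_address("192.168.1.1")))
FGT_2 = Gateway("FGT_2", LAN, ip_network("10.21.101.0/24"),
                VipRange(ip_address("10.31.101.1"), ip_address("10.31.101.254"), ip_address("192.168.1.1")))
PEER = {FGT_1.name: FGT_2, FGT_2.name: FGT_1}

def deliver(local: Gateway, dst: str) -> Tuple[str, str]:
    """Model where a packet from behind `local` addressed to `dst` is delivered: (site, address seen there)."""
    d = ip_address(dst)
    if d in local.lan:                  # local LAN always wins: this is why the peer's
        return local.name, str(d)       # real 192.168.1.x addresses cannot be used
    if d in local.remote_subnet:        # the wizard's static route sends it into the tunnel
        remote = PEER[local.name]
        real = remote.vip.translate(d)  # DNAT on the peer's tunnel interface
        if real is not None:
            return remote.name, str(real)
    return "dropped", str(d)

def vip_ranges_are_unique(*gws: Gateway) -> bool:
    """No VIP range may overlap a real LAN or another VIP range, or the address ambiguity returns."""
    lans = [g.lan for g in gws]
    vips = [n for g in gws for n in summarize_address_range(g.vip.ext_first, g.vip.ext_last)]
    clash_lan = any(v.overlaps(l) for v in vips for l in lans)
    clash_vip = any(a.overlaps(b) for i, a in enumerate(vips) for b in vips[i + 1:])
    return not (clash_lan or clash_vip)
```

A host behind FGT_1 reaches host 20 at site 2 as 10.31.101.20, which FGT_2's VIP turns into 192.168.1.20; addressing 192.168.1.20 directly never leaves site 1.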

Keith Leroux

Technical Writer at Fortinet
Keith Leroux is a writer on the FortiOS 'techdocs' team in Ottawa, Ontario. He obtained a Bachelor's degree from Queen's University in English Language and Literature, and a graduate certificate in Technical Writing from Algonquin College. He spent a year teaching ESL in South Korea. Annyeong!