Support Forum
Lafer
New Contributor

Route multiple subnets through IPSEC VPN tunnel w/ only one local network configured

Hello,


I have a Fortigate 100D w/ an IPSEC tunnel to a vendor. Currently one local network is configured (10.x.x.x/24). We are planning on adding a wireless subnet w/ different IP scheme of 192.x.x.x/24 which needs access across the VPN. For various reasons the vendor on the other end cannot add this new network as a remote network on their Cisco endpoint. 


The IPSEC tunnel is interface-based. Would it be as simple as to use the 'set nat-ip' option in the wireless --> VPN policy to NAT the 192.x.x.x IP to an IP on the existing (10.x.x.x) network? If so, does it matter if this IP is already being used by something else (e.g. the firewall's interface IP on that subnet, or a PC on the 10.x.x.x network)?


ede_pfau
Esteemed Contributor III

To apply source NAT (which is needed for this), create an IP pool, and specify NAT with IP pool in the policy WiFi -> tunnel.

This address should not be used elsewhere in the 10.x.x.x subnet to be unambiguous. The remote side then cannot tell whether traffic is coming from an original 10.x.x.x host or a NATted WiFi host, so no changes to the Quick Mode settings of your VPN are needed.


The 'set-nat-ip' option is IMHO irrelevant here (context is policy-based VPN).


Ede

"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

ede_pfau wrote:
This address should not be used elsewhere in the 10.x.x.x subnet to be unambiguous.

This point cannot be stressed highly enough. Once an address is defined in an IP pool, it cannot be used anywhere else on that FGT unit (except for NATting an outbound policy or VPN tunnel). Even if simply sitting unused in an IP pool, that IP/subnet will turn into a black hole. All references to it in policies and such will cease to function, so be careful with how wide you make this IP pool. A single IP in the range is usually enough to get the job done.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

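The configuration the two replies above describe (an IP pool, then NAT with that pool on the WiFi-to-tunnel policy), written out as an added FortiOS CLI example. This is not configuration posted by either contributor or taken from the original question. Interface names ("wifi", "vendor-vpn"), object names, the 10.0.0.0/24 and 192.168.10.0/24 subnets and the vendor network 172.16.0.0/24 are all constructed placeholders; substitute your own. The pool is deliberately a single address, following rwpatterson's warning that every address placed in a pool is withdrawn from normal use on the unit.

```fortios
# Added example, not from the thread. Assumed names: WiFi interface "wifi",
# IPsec tunnel interface "vendor-vpn", existing LAN 10.0.0.0/24,
# WiFi subnet 192.168.10.0/24, vendor network 172.16.0.0/24.

# 1. One-address overload pool inside the LAN range the vendor already
#    accepts as the remote selector. Choose an address that no host and no
#    FortiGate interface on 10.0.0.0/24 uses: once it sits in a pool the unit
#    answers for it, and anything else configured with it stops working.
config firewall ippool
    edit "wifi-to-vendor-snat"
        set type overload
        set startip 10.0.0.254
        set endip 10.0.0.254
    next
end

# 2. Address objects referenced by the policy.
config firewall address
    edit "wifi-net"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "vendor-net"
        set subnet 172.16.0.0 255.255.255.0
    next
end

# 3. WiFi -> tunnel policy with source NAT through the pool. Every WiFi flow
#    enters the tunnel as 10.0.0.254, which already matches the vendor's
#    Phase 2 (Quick Mode) selector, so neither end's selectors change.
#    The original LAN -> tunnel policy stays as it is, without NAT.
config firewall policy
    edit 0
        set srcintf "wifi"
        set dstintf "vendor-vpn"
        set srcaddr "wifi-net"
        set dstaddr "vendor-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "wifi-to-vendor-snat"
        set logtraffic all
    next
end
```

The policy relies on the static route for the vendor network over the tunnel interface that the existing LAN traffic already uses; `get router info routing-table all` should show 172.16.0.0/24 via "vendor-vpn" before the WiFi policy is expected to work. To confirm the translation, `diagnose sniffer packet vendor-vpn 'host 10.0.0.254' 4` run while a WiFi client reaches a vendor host should show the packets leaving with the pool address as source, and the vendor side sees nothing but 10.x.x.x traffic. Keeping `set logtraffic all` on the policy also gives the forward log entries needed to tie a NATted session back to the real 192.168.10.x client when the vendor reports something unexpected from "10.0.0.254".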