Site-to-Site with overlapping subnets

Author: SonnyMoore
2017/11/27 02:56:47

Greetings,
 
I need to set up an IPsec site-to-site VPN between two FortiGates where a subnet exists on both sites.
 
Site A
Subnet #1 (10.3.10.0/24)
Subnet #2 (10.0.20.0/24)
 
Site B
Subnet #1 (10.0.20.0/24)
 
I need a tunnel between Site A, Subnet #1 and Site B, Subnet #1. However, an (unrelated) subnet with the same address 10.0.20.0/24 already exists on Site A.
 
I've managed to (semi-)successfully get this to work using Virtual IPs, but I want clients on Site A, Subnet #1 to be able to reach Site B, Subnet #1 with the normal IP 10.0.20.0/24, not an alternate Virtual IP. How do I go about solving this?
 
Thanks in advance.


    Iescudero
    Re: Site-to-Site with overlapping subnets 2017/11/27 05:51:04
    Hi there!
     
    I would try to configure a Policy Route in Site A
    src: 10.3.10.0/24
    Input device: lan
    dst: 10.0.20.0/24
    Output device: VPNToSiteB
     
    then add a new route to that VPN.
     
    And then a policy lan>VPNToSiteB but with no VirtualIP should work.
     
    This configuration means that all traffic from lan 10.3.10.0/24 going to 10.0.20.0/24 must go through the VPN Tunnel.
     
    Hope it Helps!
     
    AdamC
    Re: Site-to-Site with overlapping subnets 2017/11/28 11:52:22

    SonnyMoore
    Re: Site-to-Site with overlapping subnets 2017/12/01 05:31:54
    Hi again,
     
    I figured out how to reach Site B, Subnet #1 (10.0.20.0/24) from Site A, Subnet #1 (10.3.10.0/24) using the original IP (not alternate/VIP). What I needed was a VIP on Site A to translate 10.0.20.0/24 to 10.3.12.0/24 (the Virtual IP defined in Phase 2). On Site B, I have a VIP that translates 10.3.12.0/24 back to 10.0.20.0/24.
     
    The result is as desired, I am - from a machine on Site A, Subnet #1 (10.3.10.0/24) - able to reach a machine on Site B, Subnet #1 (10.0.20.0/24) using the original IP instead of the translated IP (10.3.12.0/24).
     
    Site A, Subnet #2 (10.0.20.0/24) is, as desired, unaffected by all of this.
     
    For reference, here is how the VIP on Site A looks:
     
    config firewall vip
        edit "VIP1"
            set uuid 3b5e2e98-d699-51e7-e28c-3303faa95aab
            set extip 10.0.20.1-10.0.20.254
            set extintf "lan1"
            set mappedip "10.3.12.1-10.3.12.254"
        next
    end
     
    (Note that extintf must be explicitly set to the interface on which Site A, Subnet #1 (10.3.10.0/24) resides; setting it to "any" would not work and would conflict with Site A, Subnet #2 (10.0.20.0/24).)
     
    However, I then encountered another issue. I have another subnet (on another interface, 'lan2') on Site A that I also want to include in this, meaning it should also be able to reach Site B, Subnet #1 (10.0.20.0/24) using the original, non-translated IP. I was thinking that to solve this, I would simply create an identical VIP but with the extintf parameter set to lan2 instead of lan1, like this:
     
    config firewall vip
        edit "VIP2"
            set uuid 27f8ac56-c0e7-51e7-2318-2eda07940015
            set extip 10.0.20.1-10.0.20.254
            set extintf "lan2"
            set mappedip "10.3.12.1-10.3.12.254"
        next
    end
     
    This does not work, as apparently defining two VIPs with the same "External IP/Address Range" gives an "A duplicate entry already exists" error (even though they are bound to separate extintf interfaces).
     
    I hope all of this made sense, and would love any input on how I can possibly solve this.
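The two mechanisms discussed in this thread, a route that steers the translated range into the tunnel (Iescudero's reply) and interface-scoped 1:1 destination NAT on each side (SonnyMoore's VIP1 and its reverse on Site B), can be traced with a small forwarding model. The following is an added example, not code from the thread or from Fortinet: it models the behaviour rather than implementing FortiOS. The subnets and the names lan1, lan2 and VIP1 come from the thread; the interface for Site A, Subnet #2 ("lan3"), the lan2 prefix 10.3.20.0/24, the Site B tunnel interface and VIP name, and the Phase 2 selectors are assumptions.

```python
"""Model of interface-scoped DNAT over an IPsec tunnel with overlapping subnets.

Constructed example: Site A and Site B both use 10.0.20.0/24. Traffic from
Site A lan1 (10.3.10.0/24) has its destination rewritten to 10.3.12.0/24
before routing, crosses the tunnel, and Site B rewrites it back. Traffic that
does not enter on lan1 is untouched, so the local 10.0.20.0/24 keeps working.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Vip:
    """1:1 range DNAT, like a FortiGate VIP: rewrites a destination inside extip
    to the matching host in mappedip, but only for packets arriving on extintf
    ("any" would match every interface)."""
    name: str
    extintf: str
    extip: IPv4Network
    mappedip: IPv4Network


def map_host(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """Keep the host offset when moving addr from src_net into dst_net."""
    return IPv4Address(int(dst_net.network_address) + (int(addr) - int(src_net.network_address)))


def apply_vips(vips, ingress: str, dst: IPv4Address):
    """Return (new_dst, vip_name) for the first VIP bound to ingress whose extip covers dst."""
    for v in vips:
        if v.extintf in ("any", ingress) and dst in v.extip:
            return map_host(dst, v.extip, v.mappedip), v.name
    return dst, None


# Site A: lan1 = Subnet #1 (thread); "lan3" holding Subnet #2 and the lan2 prefix are assumed.
SITE_A_LOCAL = {
    "lan1": ip_network("10.3.10.0/24"),
    "lan3": ip_network("10.0.20.0/24"),
    "lan2": ip_network("10.3.20.0/24"),
}
SITE_A_VIPS = [Vip("VIP1", "lan1", ip_network("10.0.20.0/24"), ip_network("10.3.12.0/24"))]
SITE_A_TUNNEL_ROUTE = ip_network("10.3.12.0/24")       # "add a new route to that VPN"
PHASE2 = (ip_network("10.3.10.0/24"), ip_network("10.3.12.0/24"))  # assumed selectors

# Site B: reverse VIP bound to the tunnel interface (interface and VIP name assumed).
SITE_B_LOCAL = {"lan1": ip_network("10.0.20.0/24")}
SITE_B_VIPS = [Vip("VIP_B", "VPNToSiteA", ip_network("10.3.12.0/24"), ip_network("10.0.20.0/24"))]


def local_interface(table, dst: IPv4Address):
    """Connected-route lookup: which local interface owns dst, if any."""
    for intf, net in table.items():
        if dst in net:
            return intf
    return None


def forward(ingress: str, src: str, dst: str) -> dict:
    """Trace a packet entering Site A on `ingress` and report where it is delivered."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    trace = {"src": src, "orig_dst": dst}

    # 1. DNAT at Site A is applied before the routing decision, scoped by ingress interface.
    dst_ip, vip = apply_vips(SITE_A_VIPS, ingress, dst_ip)
    trace["site_a_vip"] = vip

    # 2. Route on the post-NAT destination.
    if dst_ip in SITE_A_TUNNEL_ROUTE:
        if not (src_ip in PHASE2[0] and dst_ip in PHASE2[1]):
            trace["delivered"] = "dropped: outside Phase 2 selectors"
            return trace
        # 3. Site B undoes the translation on its tunnel interface and delivers locally.
        dst_ip, vip_b = apply_vips(SITE_B_VIPS, "VPNToSiteA", dst_ip)
        trace["site_b_vip"] = vip_b
        trace["delivered"] = f"site_b:{local_interface(SITE_B_LOCAL, dst_ip)}:{dst_ip}"
    else:
        trace["delivered"] = f"site_a:{local_interface(SITE_A_LOCAL, dst_ip)}:{dst_ip}"
    return trace


if __name__ == "__main__":
    for pkt in [("lan1", "10.3.10.5", "10.0.20.7"),   # Subnet #1 host reaching Site B by its real IP
                ("lan3", "10.0.20.9", "10.0.20.7"),   # Subnet #2 stays local, unaffected by VIP1
                ("lan2", "10.3.20.5", "10.0.20.7")]:  # lan2 has no VIP, so it never reaches Site B
        print(forward(*pkt))
```

The third trace shows why the poster needs a VIP for lan2: without one, a lan2 host's packet to 10.0.20.7 is routed to the local Subnet #2 rather than across the tunnel, and the first trace shows why extintf matters, since a VIP bound to "any" would also rewrite Subnet #2's own traffic.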