Site-to-site IPsec VPN with overlapping subnets

Author: Fabien_34
2018/06/07 06:14:18 5.4

Hello,

I am trying to set up site-to-site IPsec tunnels with two customers. Problem: they use the same subnet (a common problem when establishing VPN tunnels).

Diagram:

The configuration related to the customer Y tunnel:

Phase 1:

config vpn ipsec phase1-interface
    edit "VPN_Y"
        set interface "VPN_INTERCO-OUT"
        set local-gw 46.235.xxx.xxx
        set peertype any
        set proposal aes128-sha1 3des-sha1
        set comments "C00000843"
        set dhgrp 2
        set remote-gw 46.235.yyy.yyy
        set psksecret ENC 22Qlkt[...]==
    next
end

Phase 2:

config vpn ipsec phase2-interface
    edit "VPN_Y"
        set phase1name "VPN_Y"
        set proposal aes128-sha1 3des-sha256
        set dhgrp 2
        set keylifeseconds 3600
        set src-subnet 10.240.250.8 255.255.255.255
        set dst-subnet 10.93.1.0 255.255.255.0
    next
end

NAT source:

config firewall ippool
    edit "NAT_SOURCE_VPN_Y"
        set startip 10.240.250.8
        set endip 10.240.250.8
    next
end

NAT destination:

config firewall vip
    edit "NAT_DEST_Y_LAN"
        set uuid d23e818a-4ee1-51e8-9896-d94d9ae7ad2b
        set extip 10.129.7.1-10.129.7.254
        set extintf "VPN_INTERCO-IN"
        set mappedip "10.93.1.1-10.93.1.254"
    next
end

Static routes:

config router static
    edit 21
        set dst 10.93.1.0 255.255.255.0
        set distance 5
        set device "VPN_Y"
        set comment "NET_Y_LAN"
    next
end

Firewall policy:

config firewall policy
    edit 13
        set name "VPN_Y"
        set uuid 31e63b7a-47ce-51e8-cf55-ad237dab5cbf
        set srcintf "VPN_INTERCO-IN"
        set dstintf "VPN_Y"
        set srcaddr "GRP_NET _MGT"
        set dstaddr "NAT_DEST_Y_LAN"
        set action accept
        set schedule "always"
        set service "GRP_ADMIN"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "NAT_SOURCE_VPN_Y"
    next
end
 
The configuration related to the customer Z tunnel:

Phase 1:

config vpn ipsec phase1-interface
    edit "VPN-Z"
        set interface "VPN_INTERCO-OUT"
        set local-gw 46.235.xxx.xxx
        set peertype any
        set proposal aes128-sha1 3des-sha1
        set dhgrp 2
        set remote-gw 46.235.zzz.zzz
        set psksecret ENC 0ZmB1d[...]==
    next
end

Phase 2:

config vpn ipsec phase2-interface
    edit "VPN-Z"
        set phase1name "VPN-Z"
        set proposal aes128-sha1 3des-sha1
        set dhgrp 2
        set keylifeseconds 3600
        set src-subnet 10.240.250.100 255.255.255.255
        set dst-subnet 10.93.1.0 255.255.255.0
    next
end

NAT source:

config firewall ippool
    edit "NAT_SOURCE_VPN_Z"
        set startip 10.240.250.100
        set endip 10.240.250.100
    next
end

NAT destination:

config firewall vip
    edit "NAT_DEST_Z_LAN"
        set uuid d7f36d5c-69a3-51e8-db84-0f401ccfe465
        set extip 10.129.100.1-10.129.100.254
        set extintf "VPN_INTERCO-IN"
        set mappedip "10.93.1.1-10.93.1.254"
    next
end

Static routes:

config router static
    edit 22
        set dst 10.93.1.0 255.255.255.0
        set device "VPN-Z"
        set comment "VPN-Z"
    next
end

Firewall policy:

config firewall policy
    edit 15
        set name "VPN-Z"
        set uuid b26c4fc6-69a4-51e8-cfbd-416ac9af4bfe
        set srcintf "VPN_INTERCO-IN"
        set dstintf "VPN-Z"
        set srcaddr "all"
        set dstaddr "NAT_DEST_Z_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "NAT_SOURCE_VPN_Z"
    next
end
 
The customer Y tunnel is up and running.

Tunnel Z is down (I do not have an admin account on this firewall, so no CLI logs; VPN Events says that phase 1 is OK, nothing about phase 2).

Some thoughts:
- The destination networks of the two routes (tunnel Y and Z) are the same; this may be the cause of the problem.
- The Fortinet cookbook Site-to-site IPsec VPN with overlapping subnets indicates a route with the external ("NAT") network as destination. I tried this, but the Y tunnel does not work with this route. I have to configure the mapped ("real") network as destination. I do not understand why it does not work, as the routing is done after the destination NAT (see packet flow diagram below - source).
- I thought about using a policy-based tunnel, but the source NAT option is not available if the "IPsec" action is selected (source NAT is possible only with the Accept and Learn options).
- I also thought about using policy-based routing, but it looks impossible to me because the source NAT is done after the routing.

Any help you can give will be greatly appreciated...
 

post edited by Fabien_34 - 2018/06/07 07:02:24
#1
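As an added example (not from the post, not Fortinet code), a small Python audit of the config fragments above. It parses the flat FortiOS CLI blocks and reports the two collisions the post turns on: two static routes to 10.93.1.0/24 over two different tunnels, and two phase2 selectors claiming the same dst-subnet. Assumptions: route 22 carries no `set distance`, so it is given the FortiOS default of 10 and therefore sits behind route 21 (distance 5); the sample input merges the posted entries into one block per table, as a config dump lists them, and the parser only handles the single-level `config / edit / set / next / end` shape seen in the post.

```python
"""Parse the FortiOS CLI blocks quoted in the post and flag what collides when
both customers sit behind 10.93.1.0/24: static routes to one destination over
two tunnels, and phase2 selectors on two tunnels with the same dst-subnet.
Added example, not Fortinet code; the parser handles only flat
'config / edit / set / next / end' blocks like the ones in the post.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the two static routes and two phase2 selectors from the
# original post, merged into one block per table the way a config dump lists
# them.  Route 22 has no 'set distance', so it gets the FortiOS default.
SAMPLE_CONFIG = """
config router static
    edit 21
        set dst 10.93.1.0 255.255.255.0
        set distance 5
        set device "VPN_Y"
    next
    edit 22
        set dst 10.93.1.0 255.255.255.0
        set device "VPN-Z"
    next
end
config vpn ipsec phase2-interface
    edit "VPN_Y"
        set phase1name "VPN_Y"
        set src-subnet 10.240.250.8 255.255.255.255
        set dst-subnet 10.93.1.0 255.255.255.0
    next
    edit "VPN-Z"
        set phase1name "VPN-Z"
        set src-subnet 10.240.250.100 255.255.255.255
        set dst-subnet 10.93.1.0 255.255.255.0
    next
end
"""

DEFAULT_STATIC_DISTANCE = 10  # FortiOS default when 'set distance' is absent (assumed)


def parse_fortios(text):
    """Return {table: {edit-key: {attribute: value}}} for flat config blocks."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "config":
            table = tables.setdefault(rest, {})
        elif keyword == "edit":
            entry = table.setdefault(rest.strip('"'), {})
        elif keyword == "set":
            name, _, value = rest.partition(" ")
            entry[name] = value.strip('"')
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            table = None
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return tables


def subnet(value):
    """FortiOS prints subnets as 'address netmask'; ipaddress accepts 'a/m'."""
    address, netmask = value.split()
    return str(ipaddress.IPv4Network(f"{address}/{netmask}"))


def route_conflicts(tables):
    """Destinations reachable via more than one device.  With unequal
    distances only the lowest is installed and the others are shadowed;
    with equal distances both stay active and the table alone no longer
    says which tunnel a given 10.93.1.x packet enters."""
    by_dst = defaultdict(list)
    for key, route in tables.get("router static", {}).items():
        distance = int(route.get("distance", DEFAULT_STATIC_DISTANCE))
        by_dst[subnet(route["dst"])].append((distance, route["device"], key))
    conflicts = {}
    for dst, candidates in by_dst.items():
        if len({device for _, device, _ in candidates}) < 2:
            continue
        best = min(distance for distance, _, _ in candidates)
        conflicts[dst] = {
            "active": sorted(d for dist, d, _ in candidates if dist == best),
            "shadowed": sorted(d for dist, d, _ in candidates if dist != best),
        }
    return conflicts


def duplicate_phase2_dst(tables):
    """Tunnels whose phase2 selectors advertise the same dst-subnet."""
    by_dst = defaultdict(list)
    for name, p2 in tables.get("vpn ipsec phase2-interface", {}).items():
        by_dst[subnet(p2["dst-subnet"])].append(name)
    return {dst: sorted(n) for dst, n in by_dst.items() if len(n) > 1}


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for dst, verdict in route_conflicts(cfg).items():
        print(f"route {dst}: active via {verdict['active']}, shadowed {verdict['shadowed']}")
    for dst, tunnels in duplicate_phase2_dst(cfg).items():
        print(f"phase2 dst-subnet {dst} claimed by {tunnels}")
```

Run against the posted entries, the route check reports VPN_Y as the only active next hop for 10.93.1.0/24 and VPN-Z as shadowed, and the phase2 check reports both tunnels claiming 10.93.1.0/24. Pasting a fuller `show router static` / `show vpn ipsec phase2-interface` dump in place of the sample gives the same checks over a real configuration.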


    Iescudero
    Re: Site-to-site IPsec VPN with overlapping subnets 2018/06/07 08:17:31
    Hi there!
    You can solve this by changing this in each peer:
     
    set src-subnet 0.0.0.0 0.0.0.0
    set dst-subnet 0.0.0.0 0.0.0.0
     
    Then you can use routes (as you already mentioned) to control traffic and policys to control access.
    #2
    Toshi Esumi
    Re: Site-to-site IPsec VPN with overlapping subnets 2018/06/07 10:16:40
    What is your objective setting up two VPNs with two locations where they have the same subnet? Do you really need to reach each device at the customer locations from your end, or do they need to reach common resources at your location X? Obviously you can't have the remote subnet 10.93.1.0/24 exposed in your local FGT. How do you or FGT differentiate a device 10.93.1.10 at location Y from another 10.93.1.10 device at location Z to send packets into the tunnel? You need to use VIPs to have different subnets/IPs to specify each device that has the same local IP. But if only the customer side needs to reach your common resources, the remote FGTs need just SNAT.
     
     
    #3
    ericli_FTNT
    Re: Site-to-site IPsec VPN with overlapping subnets 2018/06/07 10:24:56
    Hi Fabien,
     
    Your design can't meet your requirement, because if you need access to two branches, you would need to create TWO interfaces facing the branches and apply a VIP on each.

    Later I will reproduce your scenario and post a sample config. Get back to you soon.
    #4
    Fabien_34
    Re: Site-to-site IPsec VPN with overlapping subnets 2018/06/07 10:55:07
    Thanks to all for your messages.

    @Iescudero:
    Thanks for your help, but in my view it will not change the routes issue (two routes with the same destination, as I can only route the mapped network).

    @Toshi:
    > What is your objective setting up two VPNs with two locations where they have the same subnet?

    Yes.

    > Do you really need to reach each device at the customer locations from your end, or do they need to reach common resources at your location X?

    We need to reach each device at the customer locations from our end.

    > Obviously you can't have the remote subnet 10.93.1.0/24 exposed in your local FGT. How do you or FGT differentiate a device 10.93.1.10 at location Y from another 10.93.1.10 device at location Z to send packets into the tunnel?

    Exactly.

    > You need to use VIPs to have different subnets/IPs to specify each device that has the same local IP.

    That's done, I use one VIP for each VPN:

    config firewall vip
        edit "NAT_DEST_Y_LAN"
            set extip 10.129.7.1-10.129.7.254
            set mappedip "10.93.1.1-10.93.1.254"
        next
    end

    config firewall vip
        edit "NAT_DEST_Z_LAN"
            set extip 10.129.100.1-10.129.100.254
            set mappedip "10.93.1.1-10.93.1.254"
        next
    end

    But what about the routes? Routing the VIP external network (i.e. 10.129.x.0/24) into the VPN tunnel does not work according to my tests. If I have to route the mapped network (i.e. 10.93.1.0/24), the two routes will have the same destination. That's the problem.

    > But if only the customer side needs to reach your common resources, the remote FGTs need just SNAT.

    Unfortunately we need to reach each device at the customer locations from our end.

    @ericli_FTNT:
    Not sure I understand your point.
    1. The VIPs are applied to the incoming interface ("VPN_INTERCO-IN"). According to the packet flow diagram, the destination NAT is done before the routing. So I should be able to use the external network (i.e. 10.129.x.0/24) in my routes, but only routes using the mapped network (i.e. 10.93.1.0/24) work.
    2. I tried to apply the VIP to the tunnel interfaces. I can do that, but afterwards I cannot choose the VIP as destination in my policy!
    post edited by Fabien_34 - 2018/06/07 10:59:31
    #5
    ericli_FTNT
    Re: Site-to-site IPsec VPN with overlapping subnets 2018/06/07 11:00:09
    For overlapping subnets, FGT needs to differentiate them anyway. In this case, it's done by NAT on different phase1 interfaces.
     
    On each phase 1 interface, for one subnet, you can only apply one VIP.
     
    You can't apply two different VIP on one interface, mapped to one same subnet.
     
    The cookbook's sample is one-to-one, so there is only one interface. If you need to build a hub-and-spoke structure, you need more interfaces.
     
    I'm working on your case now. I will post my config asap.
    post edited by ericli_FTNT - 2018/06/07 14:09:22
    #6
    emnoc
    Re: Site-to-site IPsec VPN with overlapping subnets 2018/06/07 11:58:36

    > Routing the VIP external network (i.e. 10.129.x.0/24) into the VPN tunnel does not work according to my tests

    1: Place the VIP at the two remote firewalls

    2: Place a static route for the 2x VIP /24 using the correct phase1-interface tunnel name

    3: Place the 2x /24 in the correct phase2-interface dst-subnets

    4: Apply fwpolicies

    It's really not that hard. All traffic exiting your network to either 10.129.7.0/24 or 10.128.100.0/24 will go through the correct tunnel.
    The last issue you have: the SNAT of the pools needs to be called up in the firewall. So make sure to check that; use diag debug flow for any diagnostics.

    If you still have problems, post the cfg for us to peer-review. In the long run it might be better to reconfigure one of the remote sites' networks imho. A little work now will save you much later work, problems and grief :)
    ken

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #7
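Added example (not from the thread, not FortiOS code): a Python model of the processing order Fabien_34 cites from the packet flow diagram, destination NAT before the route lookup, run over the VIPs and routes from the original post and over emnoc's alternative of routing the untranslated VIP networks through the tunnels with the translation done at the remote end. It shows why a route for the external /24 is never matched while the VIP sits on the hub (the lookup already sees 10.93.1.x), why the two posted routes both match the translated address (route 22 has no distance set, so the FortiOS default of 10 is assumed and VPN_Y wins for both customers), and that with no hub-side VIP the external routes pick the tunnel unambiguously. The external networks used are the /24s of the two posted VIPs, 10.129.7.0/24 and 10.129.100.0/24. Phase2 selectors, policies and SNAT are left out, and the thread later notes the remote devices cannot NAT, so the second design is shown for its routing behaviour only.

```python
"""Model of the FortiOS order the thread turns on: a VIP translates the
destination before the route lookup runs, so the route table is consulted with
the mapped address, not the external one.  Applied to the hub-side VIPs from
the original post and to emnoc's alternative of routing the untranslated VIP
networks into the tunnels.  Added example, a model of the documented order and
not FortiOS code; phase2 selectors, policies and SNAT are left out.
"""
import ipaddress


def make_vip(extip, mappedip):
    """One-to-one VIP as in 'set extip a-b' / 'set mappedip c-d': the i-th
    external address maps to the i-th mapped address."""
    ext_lo, ext_hi = (ipaddress.IPv4Address(a) for a in extip.split("-"))
    map_lo = ipaddress.IPv4Address(mappedip.split("-")[0])
    return ext_lo, ext_hi, map_lo


# VIPs as posted for the hub (NAT_DEST_Y_LAN, NAT_DEST_Z_LAN).
HUB_VIPS = [
    make_vip("10.129.7.1-10.129.7.254", "10.93.1.1-10.93.1.254"),
    make_vip("10.129.100.1-10.129.100.254", "10.93.1.1-10.93.1.254"),
]

# (prefix, distance, device).  Route 22 in the post has no distance set, so it
# gets the FortiOS default of 10 (assumed here).
POSTED_ROUTES = [("10.93.1.0/24", 5, "VPN_Y"), ("10.93.1.0/24", 10, "VPN-Z")]
# The same two routes with equal distance: the equal-cost variant.
EQUAL_COST_ROUTES = [("10.93.1.0/24", 10, "VPN_Y"), ("10.93.1.0/24", 10, "VPN-Z")]
# Routes for the external (VIP) networks, as the cookbook and emnoc describe.
EXTERNAL_ROUTES = [("10.129.7.0/24", 10, "VPN_Y"), ("10.129.100.0/24", 10, "VPN-Z")]


def dnat(vips, dst):
    """Destination after the first matching VIP, or dst unchanged."""
    for ext_lo, ext_hi, map_lo in vips:
        if ext_lo <= dst <= ext_hi:
            return map_lo + (int(dst) - int(ext_lo))
    return dst


def route_lookup(routes, dst):
    """Longest prefix wins, then lowest distance.  Returns every device still
    tied after that: two entries mean the table alone does not decide the
    egress tunnel, an empty set means no route."""
    best, winners = None, set()
    for prefix, distance, device in routes:
        net = ipaddress.IPv4Network(prefix)
        if dst not in net:
            continue
        key = (net.prefixlen, -distance)
        if best is None or key > best:
            best, winners = key, {device}
        elif key == best:
            winners.add(device)
    return winners


def forward(vips, routes, dst):
    """(destination the route lookup sees, sorted candidate egress devices)."""
    post_nat = dnat(vips, ipaddress.IPv4Address(dst))
    return str(post_nat), sorted(route_lookup(routes, post_nat))


if __name__ == "__main__":
    target = "10.129.100.10"  # an address meant for customer Z
    print("hub VIPs + posted routes:     ", forward(HUB_VIPS, POSTED_ROUTES, target))
    print("hub VIPs + equal-cost routes: ", forward(HUB_VIPS, EQUAL_COST_ROUTES, target))
    print("hub VIPs + external routes:   ", forward(HUB_VIPS, EXTERNAL_ROUTES, target))
    print("no hub VIP + external routes: ", forward([], EXTERNAL_ROUTES, target))
```

With the posted configuration a packet for 10.129.100.10 (customer Z) is translated to 10.93.1.10 and then routed into VPN_Y, because route 21 has the lower distance; with the external-network routes and the VIP still on the hub there is no matching route at all, which is the behaviour Fabien_34 reports. Only when nothing on the hub rewrites the destination do the 10.129.7.0/24 and 10.129.100.0/24 routes select the tunnel by themselves.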
    Fabien_34
    Re: Site-to-site IPsec VPN with overlapping subnets 2018/06/08 06:41:06
    Hello emnoc,

    I forgot to mention one important point: the two remote firewalls are very basic (VMware NSX Edge). They cannot do any NAT (source or destination) for tunneled traffic. The source NAT and the destination NAT have to be done on the Fortinet, and I have accomplished this using an IP pool (source NAT) and a VIP (destination NAT). The only remaining problem is with the two routes: is there a way of using the external network instead of the mapped network as destination?
    #8
    ericli_FTNT
    Re: Site-to-site IPsec VPN with overlapping subnets 2018/06/08 09:39:17
    So you need two interfaces to build VPNs going to the two customers. On the two VPN interfaces, you can do NAT to convert the two identical subnets from two different interfaces to two different subnets.
    #9
    sw2090
    Re: Site-to-site IPsec VPN with overlapping subnets 2018/06/12 23:40:18
    Just because there was another thread about this in this forum ;)
    There is an official document on that issue, which is to be found here: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33872&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=24658171&stateId=1%200%2024656671
     
    #10