Fortigate 90E / Virtual network ?

Author: johnwillsmith
2018/06/12 09:06:13 (permalink) 5.4

Hello,

I need to create a VPN between our agency (using a Fortigate 90E) and an external consulting company (using a Cisco router). There would be no problem creating the S2S VPN between the two sites, except that our subnet is already known to the consulting company (192.168.1.0/24). So I can't create it for the moment.
Therefore, they asked me to set up NAT or an equivalent technical solution for the VPN connection in order to make our network appear as 192.168.7.0/24 or similar, so that it does not conflict with the subnet 192.168.1.0/24 already known at the external consulting company.

I attached a diagram to help understand the desired topology.

I do not know if it's very complicated or very simple, I may be missing the technical solution, but I wanted to know if you had any idea about this implementation on a UTM Fortigate 90E.

Thank you in advance.

Attached Image(s)

#1
ericli_FTNT
Re: Fortigate 90E / Virtual network ? 2018/06/12 09:21:36 (permalink)
Hi John,
 
There is a document explaining the concept of resolving overlapping subnets over IPsec VPN.
 
http://cookbook.fortinet.com/vpn-overlapping-subnets/
 
Please take a look before we could move forward. Thanks!
#2
sw2090
Re: Fortigate 90E / Virtual network ? 2018/06/12 23:37:38 (permalink)
Yes, but keep in mind that this cookbook doc will only apply to firmware up to 5.2.5.
If you have 5.4.x or later on your 90E it won't work. In this case use http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33872&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=24658171&stateId=1%200%2024656671 instead! I also mentioned that in the comment section of the KB doc when I ran into that issue, and the author confirmed it.
#3
johnwillsmith
Re: Fortigate 90E / Virtual network ? 2018/06/13 08:41:35 (permalink)
Hello,
 
Thank you for this solution. I now better understand what my problem was. I configured my router this afternoon in this direction and I'm waiting for the other company's reply to find out if it works.
I'll keep you informed.
Thanks again.
 
John w.smith.
#4
Asus
Re: Fortigate 90E / Virtual network ? 2018/06/19 04:32:17 (permalink)
Hi Smith,

Kindly update us on how you resolved this issue.
I am new to FortiGate. Right now I have a doubt: you tried site-to-site VPN and faced the same-subnet issue.
Why don't you try site-to-client VPN? Have you tried it? If so, what kind of issue did you face? Let me know, so I can educate myself.
post edited by SriramPrakash - 2018/06/19 04:35:23

Thanks & Regards
Asus
#5
johnwillsmith
Re: Fortigate 90E / Virtual network ? 2018/06/21 07:31:37 (permalink)
Hello,

The problem is not yet solved. We have managed to create the VPN tunnel (the VPN tunnel is UP), but for the moment communication is established only in one direction (from them to us). Ping works well from them to us, but no packets get through from us to them.

I asked them for a pingable address to understand why it does not work.
Regards,
John.

Attached Image(s)

#6
sw2090
Re: Fortigate 90E / Virtual network ? 2018/06/22 06:49:04 (permalink)
Good to hear you got the VPN to work.

Do you have all required policies on both sides?
Oh, and you have to use the VIP IPs to ping in _both_ directions.
A ping from there to you has to use your VIP IP, and if you want to ping them you have to use their VIP IP.
All IPs in the subnet on each side will be mapped to the corresponding VIP subnet.

To use the image you attached before:

network_1 is 192.168.1.0/24 VIP'ed to 192.168.4.0/24
network_2 is 192.168.1.0/24 VIP'ed to 10.10.30.0/24

So if you want to ping 192.168.1.10 on network_1 from network_2 you have to ping 10.10.30.10 instead!
If you want to ping 192.168.1.10 on network_2 from network_1 you have to ping 192.168.4.10 instead!

You don't need to worry about the mapping... your VIP on the FGT does that for you automagically ;)
#7
rwpatterson
Re: Fortigate 90E / Virtual network ? 2018/06/22 12:51:01 (permalink)
A quick test: Run a traceroute and see where the traffic goes.
 
The right way would be to sniff the tunnel port or run a debug flow trace.

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.19-b0694
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#8
johnwillsmith
Re: Fortigate 90E / Virtual network ? 2018/06/29 04:50:47 (permalink)
Hello,
Thank you all for your answers! Indeed the VPN is working, but I think the problem is no longer a problem of firewall rules. Our partner is trying to ping an IP address (1.16) that is on the same subnet as ours (which exists on their side too). When they ping, it is not our 1.16 server (on our side) that responds, but the 1.16 on their own subnet 192.168.1.0/24 on their side.

I also launched a debug mode on this specific VPN, but as the VPN is established, I do not necessarily encounter any error.

I asked them to let me ping their network or to perform a traceroute on a machine. I do not know if the problem comes from my UTM, their side (rules) or their configuration.
I'm waiting for their reply.

I updated the picture already posted.
 
Thank you in advance.
 
John
 

Attached Image(s)

#9
sw2090
Re: Fortigate 90E / Virtual network ? 2018/06/29 05:51:22 (permalink)
Yes, that's exactly what it does.
They have to have a VIP on their side too, like described in the document I mentioned.
And then if they want to ping something on your side they have to use the corresponding VIP IP address.

E.g.:

If your net is VIP'ed to 10.1.1.0/24 on their side and they want to ping 192.168.1.16 on your side, they have to ping the VIP IP, which would then be 10.1.1.16 instead.
The same goes if they want to access anything on your side via IP addresses.
 
hth
Sebastian
#10
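As an added illustration of the VIP mapping sw2090 describes in posts #7 and #10 (example code written for this page, not from the forum or from Fortinet): a small Python model of the 1:1 subnet NAT that shows why a partner pinging 192.168.1.16 directly gets their own host, while pinging the VIP 10.1.1.16 crosses the tunnel. The 10.1.1.0/24 mapping is the one quoted in post #10; the 192.168.4.0/24 mapping for the partner side and the site names are assumptions.

```python
import ipaddress

# Constructed from the thread: both sites really use 192.168.1.0/24, so each
# side is presented to the other through a 1:1 VIP subnet. 10.1.1.0/24 is the
# mapping quoted in post #10; 192.168.4.0/24 for the partner side is assumed.
SITES = {
    "agency":  {"real": "192.168.1.0/24", "vip": "10.1.1.0/24"},
    "partner": {"real": "192.168.1.0/24", "vip": "192.168.4.0/24"},
}

def overlaps(subnet_a, subnet_b):
    """True when two real subnets conflict (the reason the VIPs are needed)."""
    return ipaddress.ip_network(subnet_a).overlaps(ipaddress.ip_network(subnet_b))

def translate(addr, from_subnet, to_subnet):
    """1:1 subnet NAT: keep the host part of addr, swap the network prefix."""
    src = ipaddress.ip_network(from_subnet)
    dst = ipaddress.ip_network(to_subnet)
    ip = ipaddress.ip_address(addr)
    if ip not in src or src.prefixlen != dst.prefixlen:
        raise ValueError(f"{addr} not in {from_subnet}, or prefix lengths differ")
    host_part = int(ip) - int(src.network_address)
    return str(dst.network_address + host_part)

def resolve(src_site, dst_addr):
    """Where a packet from src_site to dst_addr ends up.

    Returns (path, delivered_to): 'local' means the directly connected subnet
    answered (the symptom in post #9), 'tunnel' means the VIP was translated
    back to the real address on the far side.
    """
    peer_site = "partner" if src_site == "agency" else "agency"
    me, peer = SITES[src_site], SITES[peer_site]
    ip = ipaddress.ip_address(dst_addr)
    if ip in ipaddress.ip_network(me["real"]):
        # A connected route always wins; the packet never enters the tunnel.
        return ("local", dst_addr)
    if ip in ipaddress.ip_network(peer["vip"]):
        return ("tunnel", translate(dst_addr, peer["vip"], peer["real"]))
    return ("unroutable", dst_addr)

if __name__ == "__main__":
    print(overlaps(SITES["agency"]["real"], SITES["partner"]["real"]))  # True
    print(resolve("partner", "192.168.1.16"))   # ('local', '192.168.1.16')
    print(resolve("partner", "10.1.1.16"))      # ('tunnel', '192.168.1.16')
    print(resolve("agency", "192.168.4.10"))    # ('tunnel', '192.168.1.10')
```

The same check is the first thing to run when a tunnel is UP but only one direction works: if the address being pinged falls inside the pinger's own connected subnet, no policy or route on the FortiGate will ever see that packet.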