Conflicts with existing local subnet

Author
kimrdk
New Member
2019/06/18 05:17:17 (permalink)

Conflicts with existing local subnet

Hi forum :-)
 
My local Fortigate has a few different interfaces set up. I'm now trying to set up a VPN connection between my firewall and another 3rd-party firewall which I don't have control over (unifi edgerouter lite).
 
The issue is that the other end's subnet overlaps with one of my local subnets.
 
I'm trying to set up the VPN on my "DMZ" interface, which does not overlap with the other site. Only my LAN interfaces do, and those won't be used in this VPN connection.
 
I have seen https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/Gtwy_Gtwy_Config/How_to_Work_Overlapping_Subnets.htm but that's not exactly my situation.
 
Best Regards
Kim
#1
kimrdk
New Member
Re: Conflicts with existing local subnet 2019/06/18 07:17:54 (permalink)
I've also found: https://forum.fortinet.com/tm.aspx?m=154954
But I may not be able to NAT anything at the other end.
I'll look into Policy routing, if there isn't any other way around this.
#2
Toshi Esumi
Expert Member
Re: Conflicts with existing local subnet 2019/06/18 10:01:14 (permalink)
The first option is to re-subnet either the local or the remote LAN to avoid the conflict, which is probably not an option.
 
The second option, which would be the best but might not be the easiest, is to ask the 3rd party on the other end to SNAT their overlapping source IPs/subnet. Otherwise, a routing problem happens on the local end when you try routing into the tunnel while the destination exists locally. You don't need NAT on the local side since the remote end doesn't need to reach the destinations that are overlapping.
 
Although the above second option should be relatively easy to implement with any FWs, if it's absolutely not an option for political, financial, or whatever the reason is, the second option is to separate DMZ into a vdom and set the tunnel from the DMZ vdom. Then you have to set up SNAT on the local lan vdom to avoid the routing conflict when DMZ needs to route to both tunnel destinations and the vdom-link to the local lan destinations.
 
 
#3
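Before choosing between the options above it helps to know exactly which locally connected subnets would compete with the remote side's phase-2 selectors, and whether the interface you plan to terminate the tunnel on is itself clean. The following is an added example, not code from the thread or from Fortinet; interface names and all addresses are constructed samples.

```python
# Added example: find which locally connected subnets on the firewall
# collide with the remote side's phase-2 selectors (constructed data).
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Constructed sample: interface name -> locally connected subnet
LOCAL_INTERFACES: Dict[str, str] = {
    "lan1": "192.168.1.0/24",
    "lan2": "192.168.2.0/24",
    "dmz": "10.10.20.0/24",
}

# Constructed sample: subnets the remote end exposes through the tunnel
REMOTE_SELECTORS: List[str] = ["192.168.1.0/24", "172.16.5.0/24"]


def find_overlaps(local: Dict[str, str], remote: List[str]) -> List[Tuple[str, str, str]]:
    """Return (interface, local_subnet, remote_selector) for every overlapping pair.

    Any hit means a route into the tunnel would compete with a connected
    route on that interface, which is the conflict the thread describes.
    """
    hits = []
    for ifname, cidr in local.items():
        lnet = ip_network(cidr, strict=False)
        for sel in remote:
            rnet = ip_network(sel, strict=False)
            # overlaps() also catches supernet/subnet relationships, not just equality
            if lnet.version == rnet.version and lnet.overlaps(rnet):
                hits.append((ifname, str(lnet), str(rnet)))
    return hits


def conflicting_interfaces(local: Dict[str, str], remote: List[str]) -> List[str]:
    """Sorted list of interfaces whose connected subnet clashes with the remote side."""
    return sorted({h[0] for h in find_overlaps(local, remote)})


def tunnel_source_is_clean(local: Dict[str, str], remote: List[str], source_if: str) -> bool:
    """True if the interface chosen as the tunnel's local side has no overlap itself,
    i.e. the clash is only with other interfaces (the poster's DMZ-vs-LAN case)."""
    return source_if not in conflicting_interfaces(local, remote)


if __name__ == "__main__":
    for ifname, lnet, rnet in find_overlaps(LOCAL_INTERFACES, REMOTE_SELECTORS):
        print(f"{ifname}: connected {lnet} overlaps remote selector {rnet}")
    print("dmz clean:", tunnel_source_is_clean(LOCAL_INTERFACES, REMOTE_SELECTORS, "dmz"))
```

A clean tunnel-source interface with clashes elsewhere is exactly the situation where the vdom split or remote-side SNAT discussed above becomes necessary.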
kimrdk
New Member
Re: Conflicts with existing local subnet 2019/06/19 01:48:05 (permalink)
What about policy routing? Can I configure all traffic from this one device on my local "DMZ" interface to the overlapping subnet to go through the VPN tunnel?
#4
Toshi Esumi
Expert Member
Re: Conflicts with existing local subnet 2019/06/19 08:41:16 (permalink)
I haven't tried policy routes against locally connected routes. Wait for somebody else to chime in.
#5