FortiGate Site-to-Site IPsec VPN with Overlapping Subnets

Captions
We welcome you to this tutorial on setting up a site-to-site IPsec VPN between two locations with overlapping subnets. From the network topology, both sites have exactly the same local network address of 10.1.1.0/24, but we need to allow communication between these two networks via the IPsec VPN tunnel. Routing traffic over the IPsec VPN to the remote side poses a challenge, since the local and remote networks overlap. The way to go about this is to introduce two different subnets, one at each location: 192.168.100.0/24 at location A and 192.168.200.0/24 at location B. In this tutorial we will refer to the overlapping networks as local networks and to the new networks as foreign networks. The foreign networks must have the same number of IP addresses as the local networks. With this, the FortiGates will use NAT to map the local and foreign IP addresses for both inbound and outbound communication. The local IP address of a packet leaving site A will be source-NATed to a foreign IP on FortiGate A, and the destination IP of this packet will be the remote foreign IP representing the local IP at site B; upon arriving on FortiGate B, this destination will be NATed back to the local IP.

Now it's time to configure. As usual, let's check connectivity between the two firewalls. We will begin the configuration on FortiGate A. Enter a name for the VPN and enter the pre-shared key; we will use IKE version 2. Choose the required Phase 1 proposals; we do not recommend the use of DES and SHA-1 in a production environment. Enter the local and remote addresses for the encryption domain: these will be the foreign networks, not the local networks. Optionally enable Auto-negotiate. We are done with the IPsec VPN tunnel configuration.

Next is the static route. The destination prefix will be the foreign network. The purpose of the blackhole route is to ensure that when the IPsec tunnel is down, traffic to the remote end is silently dropped instead of following a default route on the FortiGate.

Finally, we will configure firewall policies for bidirectional flow. We will configure two firewall rules, one for inbound traffic and the other for outbound traffic. For inbound traffic, the source address will be the remote foreign network and the destination address will be the local foreign network; this will be configured as a virtual IP, which NATs the local foreign network to the local network. Remember to disable NAT on this rule. Regarding the outbound firewall rule, the source address will be the local network and the destination address will be that of the remote foreign network. The NAT type in this case should be Fixed Port Range. Optionally, we will assign an IP address to the VPN tunnel interface.

Continuing the configuration on FortiGate B: the pre-shared key, as well as the Phase 1 and Phase 2 parameters, must match on both gateways. For the Phase 2 selectors, the local and remote addresses should be the reverse of what was entered on the remote peer; remember, these are the foreign addresses.

Checking if the tunnel is up: yes, it is up. From the workstation at site A, let's ping the other PC at site B. It has a local IP address of 10.1.1.00, so we'll ping its corresponding foreign IP, which is 192.168.200.00. Checking some VPN details again confirms that traffic is traversing the IPsec tunnel. Let's shut down the tunnel interface and see if there will still be connectivity.

Congratulations, you have successfully configured a site-to-site IPsec VPN with overlapping subnets on FortiGate. Thanks for watching our tutorial. If you have any questions or need further assistance, please feel free to leave a comment below. Don't forget to subscribe to our channel for more helpful tutorials. See you next time.
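As an added illustration that is not part of the video, here is a small Python model of the double NAT the tutorial describes: each site's overlapping LAN is mapped 1:1 onto its foreign subnet on egress (the IP pool) and back on ingress (the VIP), with the narrator's equal-size requirement enforced. The address plan (10.1.1.0/24, 192.168.100.0/24, 192.168.200.0/24) comes from the tutorial; the class and function names are my own and the sample hosts are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Address plan from the tutorial: both LANs are 10.1.1.0/24, so each site gets
# a unique "foreign" /24 that is what the other side sees through the tunnel.
LOCAL_LAN = ipaddress.IPv4Network("10.1.1.0/24")
FOREIGN_A = ipaddress.IPv4Network("192.168.100.0/24")
FOREIGN_B = ipaddress.IPv4Network("192.168.200.0/24")

@dataclass(frozen=True)
class Site:
    name: str
    local: ipaddress.IPv4Network    # the overlapping LAN behind this FortiGate
    foreign: ipaddress.IPv4Network  # the subnet carried in the Phase 2 selectors

    def __post_init__(self):
        # A 1:1 pool (Fixed Port Range) / VIP mapping needs equal-sized ranges.
        if self.local.num_addresses != self.foreign.num_addresses:
            raise ValueError(f"site {self.name}: local and foreign subnets differ in size")

    def to_foreign(self, ip):
        """Egress source NAT (IP pool): local host -> foreign address, same host offset."""
        ip = ipaddress.IPv4Address(ip)
        if ip not in self.local:
            raise ValueError(f"{ip} is not in {self.local}")
        return self.foreign.network_address + (int(ip) - int(self.local.network_address))

    def to_local(self, ip):
        """Ingress destination NAT (VIP): foreign address -> the real local host."""
        ip = ipaddress.IPv4Address(ip)
        if ip not in self.foreign:
            raise ValueError(f"{ip} is not in {self.foreign}")
        return self.local.network_address + (int(ip) - int(self.foreign.network_address))

def plan_is_valid(a, b):
    """Foreign subnets must be distinct from each other and from both LANs."""
    return not (a.foreign.overlaps(b.foreign) or a.foreign.overlaps(b.local)
                or b.foreign.overlaps(a.local) or a.foreign.overlaps(a.local)
                or b.foreign.overlaps(b.local))

def trace(src_site, dst_site, src_ip, dst_foreign_ip):
    """Return (src, dst) as seen on the sending LAN, inside the tunnel, and on the remote LAN."""
    on_lan = (str(src_ip), str(dst_foreign_ip))                # host targets the remote *foreign* IP
    in_tunnel = (str(src_site.to_foreign(src_ip)), on_lan[1])  # SNAT on the sending FortiGate
    on_remote_lan = (in_tunnel[0], str(dst_site.to_local(dst_foreign_ip)))  # DNAT via the VIP
    return on_lan, in_tunnel, on_remote_lan

SITE_A = Site("A", LOCAL_LAN, FOREIGN_A)
SITE_B = Site("B", LOCAL_LAN, FOREIGN_B)
```

Running `trace(SITE_A, SITE_B, "10.1.1.50", "192.168.200.100")` shows why the host at site A must ping the foreign address rather than the real 10.1.1.x one: only the foreign destination survives the trip through both gateways.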
Info
Channel: Verifine Academy
Views: 3,752
Keywords: FortiGate, IPsec VPN, FortiGate IPsec, FortiGate IPsec Loopback, IPsec with Loopback Interface, Site-to-Site IPsec Loopback Interface, FortiGate Site-to-Site VPN, FortiGate IPsec VPN, Site-to-Site VPN with Loopback, IPsec VPN with Loopback
Id: suNX-T66u_o
Length: 14min 54sec (894 seconds)
Published: Thu May 11 2023