Site-to-site VPN with overlapping subnets
This is a sample configuration of IPsec VPN to allow transparent communication between two overlapping networks that are located behind different FortiGates using a route-based tunnel with source and destination NAT.
In the following topology, both FortiGates (HQ and Branch) use 192.168.1.0/24 as their internal network, but both networks need to be able to communicate to each other through the IPsec tunnel.
New virtual subnets of equal size must be configured and used for all communication between the two overlapping subnets. The devices on both local networks do not need to change their IP addresses. However, the devices and users must use the new subnet range of the remote network to communicate across the tunnel.
Configuring the HQ FortiGate
To configure IPsec VPN:
- Go to VPN > IPsec Wizard and select the Custom template.
- Enter the name VPN-to-Branch and click Next.
- For the IP Address, enter the Branch public IP address (172.25.177.46), and for Interface, select the HQ WAN interface (wan1).
- For Pre-shared Key, enter a secure key. You will use the same key when configuring IPsec VPN on the Branch FortiGate.
- In the Phase 2 Selectors section, enter the subnets for the Local Address (10.1.1.0/24) and Remote Address (10.2.2.0/24).
- Optionally, expand Advanced and enable Auto-negotiate.
- Click OK.
To configure the static routes:
- Go to Network > Static Routes and click Create New.
- In the Destination field, enter the remote address subnet (10.2.2.0/24).
- For Interface, select the VPN tunnel you just created, VPN-to-Branch.
- Click OK.
- Create another route with the same Destination, but change the Administrative Distance to 200 and for Interface, select Blackhole. This is a best practice for route-based IPsec VPN tunnels because it ensures traffic for the remote FortiGate's subnet is not sent using the default route in the event that the IPsec tunnel goes down.
To configure the address objects:
- Go to Policy & Objects > Addresses and click Create New > Address.
- For Name, enter HQ-original.
- For IP/Netmask, enter the original LAN subnet of HQ (192.168.1.0/24).
- For Interface, select the LAN-side interface (internal).
- Click OK
- Create another address object named Branch-new, but for IP/Netmask, enter the new LAN subnet of Branch (10.2.2.0/24), and select the VPN interface (VPN-to-Branch).
To configure the IP pool:
- Go to Policy & Objects > IP Pools and click Create New.
- For Name, enter HQ-new.
- For Type, select Fixed Port Range.
- Enter the External IP address/range (10.1.1.1 – 10.1.1.254, the new HQ subnet) and Internal IP Range (192.168.1.1 – 192.168.1.254, the original HQ subnet).
- Click OK.
To configure the VIP:
- Go to Policy & Objects > Virtual IPs and click Create New > Virtual IP.
- For Name, enter HQ-new-to-original.
- For Interface, select the VPN interface (VPN-to-Branch).
- Enter the External IP address/range (10.1.1.1 – 10.1.1.254, the new HQ subnet) and Mapped IP address/range (192.168.1.1 – 192.168.1.254, the original HQ subnet).
- Click OK.
To configure the firewall policy for traffic from HQ to Branch:
- Go to Policy & Objects > Firewall Policy and click Create New.
- For Name, enter From-HQ-to-Branch.
- For Incoming Interface, select the LAN-side interface (internal).
- For Outgoing Interface, select the VPN tunnel interface (VPN-to-Branch).
- For Source, select HQ-original.
- For Destination, select Branch-new.
- For Service, select ALL.
- Enable NAT.
- Select Use Dynamic IP Pool and select the HQ-new IP pool.
- Click OK.
To configure the firewall policy for traffic from Branch to HQ:
- Click Create New and for Name, enter From-Branch-to HQ.
- For Incoming Interface, select the VPN tunnel interface (VPN-to-Branch).
- For Outgoing Interface, select the LAN-side interface (internal).
- For Source, select Branch-new.
- For Destination, select the HQ-new-to-original VIP.
- For Service, select ALL.
- Disable NAT.
- Click OK.
Configuring the Branch FortiGate
To configure IPsec VPN:
- Go to VPN > IPsec Wizard and select the Custom template.
- Enter the name VPN-to-HQ and click Next.
- For the IP Address, enter the HQ public IP address (172.25.176.142), and for Interface, select the Branch WAN interface (wan1).
- For Pre-shared Key, enter the matching secure key used in the VPN-to-Branch tunnel.
- In the Phase 2 Selectors section, enter the subnets for the Local Address (10.2.2.0/24) and Remote Address (10.1.1.0/24).
- Optionally, expand Advanced and enable Auto-negotiate.
- Click OK.
To configure the static routes:
- Go to Network > Static Routes and click Create New.
- In the Destination field, enter the remote address subnet (10.1.1.0/24).
- For Interface, select the VPN tunnel you just created, VPN-to-HQ.
- Click OK.
- Create another route with the same Destination, but change the Administrative Distance to 200 and for Interface, select Blackhole.
To configure the address objects:
- Go to Policy & Objects > Addresses and click Create New > Address.
- For Name, enter Branch-original.
- For IP/Netmask, enter the original LAN subnet of Branch (192.168.1.0/24).
- For Interface, select the LAN-side interface (lan).
- Click OK
- Create another address object named HQ-new, but for IP/Netmask, enter the new LAN subnet of HQ (10.1.1.0/24), and select the VPN interface (VPN-to-HQ).
To configure the IP pool:
- Go to Policy & Objects > IP Pools and click Create New.
- For Name, enter Branch-new.
- For Type, select Fixed Port Range.
- Enter the External IP address/range (10.2.2.1 – 10.2.2.254, the new Branch subnet) and Internal IP Range (192.168.1.1 – 192.168.1.254, the original Branch subnet).
- Click OK.
To configure the VIP:
- Go to Policy & Objects > Virtual IPs and click Create New > Virtual IP.
- For Name, enter Branch-new-to-original.
- For Interface, select the VPN interface (VPN-to-HQ).
- Enter the External IP address/range (10.2.2.1 – 10.2.2.254, the new Branch subnet) and Mapped IP address/range (192.168.1.1 – 192.168.1.254, the original Branch subnet).
- Click OK.
To configure the firewall policy for traffic from Branch to HQ:
- Go to Policy & Objects > Firewall Policy and click Create New.
- For Name, enter From-Branch-to-HQ.
- For Incoming Interface, select the LAN-side interface (lan).
- For Outgoing Interface, select the VPN tunnel interface (VPN-to-HQ).
- For Source, select Branch-original.
- For Destination, select HQ-new.
- For Service, select ALL.
- Enable NAT.
- Select Use Dynamic IP Pool and select the Branch-new IP pool.
- Click OK.
To configure the firewall policy for traffic from HQ to Branch:
- Click Create New and for Name, enter From-HQ-to-Branch.
- For Incoming Interface, select the VPN tunnel interface (VPN-to-HQ).
- For Outgoing Interface, select the LAN-side interface (lan).
- For Source, select HQ-new.
- For Destination, select the Branch-new-to-original VIP.
- For Service, select ALL.
- Disable NAT.
- Click OK.
To verify the communication across the tunnel:
- Go to Dashboard > Network and click the IPsec widget to expand to full screen view. The tunnels should be up on both FortiGates. If you did not enable Auto-negotiate in the IPsec VPN settings, you may have to select the tunnel and click Bring Up.
- From a PC on the HQ network, ping a PC on the Branch network using the new IP for the Branch PC. The ping should be successful.
- From a PC on the Branch network, ping a PC on the HQ network using the new IP for the HQ PC. The ping should be successful.