Site-to-site VPN with overlapping subnets

This is a sample configuration of IPsec VPN to allow transparent communication between two overlapping networks that are located behind different FortiGates using a route-based tunnel with source and destination NAT.

In the following topology, both FortiGates (HQ and Branch) use as their internal network, but both networks need to be able to communicate to each other through the IPsec tunnel.

New virtual subnets of equal size must be configured and used for all communication between the two overlapping subnets. The devices on both local networks do not need to change their IP addresses. However, the devices and users must use the new subnet range of the remote network to communicate across the tunnel.

Configuring the HQ FortiGate
To configure IPsec VPN:
  1. Go to VPN > IPsec Wizard and select the Custom template.
  2. Enter the name VPN-to-Branch and click Next.
  3. For the IP Address, enter the Branch public IP address (, and for Interface, select the HQ WAN interface (wan1).
  4. For Pre-shared Key, enter a secure key. You will use the same key when configuring IPsec VPN on the Branch FortiGate.
  5. In the Phase 2 Selectors section, enter the subnets for the Local Address ( and Remote Address (
  6. Optionally, expand Advanced and enable Auto-negotiate.
  7. Click OK.
To configure the static routes:
  1. Go to Network > Static Routes and click Create New.
  2. In the Destination field, enter the remote address subnet (
  3. For Interface, select the VPN tunnel you just created, VPN-to-Branch.