How to work with overlapping subnets
A site-to-site VPN configuration sometimes has the problem that the private subnet addresses at each end are the same. You can resolve this problem by remapping the private addresses using virtual IP addresses (VIP).
VIPs allow computers on those overlapping private subnets to each have another set of IP addresses that can be used without confusion. The FortiGate unit maps the VIP addresses to the original addresses. This means if PC1 starts a session with PC2 at 10.31.101.10, FortiGate_2 directs that session to 10.11.101.10 — the actual IP address of PC2.The figure below demonstrates this — Finance network VIP is 10.21.101.0/24 and the HR network is 10.31.101.0/24.
Overlapped subnets example
Solution for route-based VPN
You need to:
- Configure IPsec Phase 1 and Phase 2 as you usually would for a route-based VPN. In this example, the resulting IPsec interface is named FGT1_to_FGT2. l Configure virtual IP (VIP) mapping:
- the 10.21.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_1 l the 10.31.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_2
- Configure an outgoing security policy with ordinary source NAT on both FortiGates. l Configure an incoming security policy with the VIP as the destination on both FortiGates. l Configure a route to the remote private network over the IPsec interface on both FortiGates.
To configure VIP mapping on both FortiGates
- Go to Policy & Objects > Virtual IPs and create a new Virtual IP.
- Enter the following information, and select OK:
| Name | Enter a name, for example, my_vip. | |||
| External Interface | Select FGT1_to_FGT2. The IPsec interface. | |||
| VIP Type | Depending on both FortiGates, select one of the following options:
l IPv4: If both FortiGates use IPv4 (Static NAT). l IPv6: If both FortiGates use IPv6 (Static NAT). l NAT46: Maps the IPv4 address into an IPv6 prefix. l NAT64: Maps the IPv6 address into an IPv4 prefix. |
|||
| External IP Address/Range | For the External IP Address field enter:
10.21.101.1 when configuring FortiGate_1, or 10.31.101.1 when configuring FortiGate_2. |
|||
| Mapped IP Address/Range | For the Mapped IP Address enter 10.11.101.1.
For the Range enter 10.11.101.254. |
|||
| Port Forwarding | Disable | |||
- Repeat this procedure on both FortiGate_1 and FortiGate_2.
To configure the outbound security policy on both FortiGates
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Enter the following information, and select OK:
| Incoming Interface | Select Port 1. |
| Outgoing Interface | Select FGT1_to_FGT2.
The IPsec interface. |
| Source | Select all. |
| Destination Address | Select all. |
| Action | Select ACCEPT |
| NAT | Enable NAT. |
- Repeat this procedure on both FortiGate_1 and FortiGate_2.
To configure the inbound security policy on both FortiGates
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Enter the following information, and then select OK:
| Incoming Interface | Select FGT1_to_FGT2. |
How to work with overlapping subnets
| Outgoing Interface | Select Port 1.
The IPsec interface. |
| Source | Select all. |
| Destination Address | Select my-vip. |
| Action | Select ACCEPT |
| NAT | Disable NAT. |
- Repeat this procedure on both FortiGate_1 and FortiGate_2.
To configure the static route for both FortiGates
- Go to Network > Static Routes and create a new Route (or IPv6 Route as necessary).
- Enter the following information, and then select OK:
| Destination | Enter a subnet of 10.31.101.0/24 when configuring FortiGate_1. Enter a subnet of 10.21.101.0/24 when configuring FortiGate_2. |
| Device | Select FGT1_to_FGT2. |
| Gateway | Leave as default: 0.0.0.0. |
| Administrative Distance | Leave at default (10).
If you have advanced routing on your network, you may have to change this value. |
| Advanced Options | If you have advanced routing on your network, enable Advanced Options and enter a Priority. |
Solution for policy-based VPN
As with the route-based solution, users contact hosts at the other end of the VPN using an alternate subnet address. PC1 communicates with PC2 using IP address 10.31.101.10, and PC2 communicates with PC1 using IP address 10.21.101.10.
In this solution however, outbound NAT is used to translate the source address of packets from the
10.11.101.0/24 network to the alternate subnet address that hosts at the other end of the VPN use to reply. Inbound packets from the remote end have their destination addresses translated back to the 10.11.101.0/24 network.
For example, PC1 uses the destination address 10.31.101.10 to contact PC2. Outbound NAT on FortiGate_1 translates the PC1 source address to 10.21.101.10. At the FortiGate_2 end of the tunnel, the outbound NAT configuration translates the destination address to the actual PC2 address of 10.11.101.10. Similarly, PC2 replies to PC1 using destination address 10.21.101.10, with the PC2 source address translated to 10.31.101.10. PC1 and PC2 can communicate over the VPN even though they both have the same IP address.
You need to:
- Configure IPsec Phase 1 as you usually would for a policy-based VPN. l Configure IPsec Phase 2 with the use-natip disable CLI option. l Define a firewall address for the local private network, 10.11.101.0/24.
- Define a firewall address for the remote private network:
- Define a firewall address for 10.31.101.0/24 on FortiGate_1 l Define a firewall address for 10.21.101.0/24 on FortiGate_2
- Configure an outgoing IPsec security policy with outbound NAT to map 10.11.101.0/24 source addresses:
- To the 10.21.101.0/24 network on FortiGate_1 l To the 10.31.101.0/24 network on FortiGate_2
To configure IPsec Phase 2 – CLI
config vpn ipsec phase2 edit “FGT1_FGT2_p2” set keepalive enable set pfs enable set phase1name FGT1_to_FGT2 set proposal 3des-sha1 3des-md5 set replay enable set use-natip disable
end
In this example, your Phase 1 definition is named FGT1_to_FGT2. use-natip is set to disable, so you can specify the source selector using the src-addr-type, src-start-ip / src-end-ip or src-subnet keywords. This example leaves these keywords at their default values, which specify the subnet 0.0.0.0/0.
The pfs keyword ensures that perfect forward secrecy (PFS) is used. This ensures that each Phase 2 key created is unrelated to any other keys in use.
To define the local private network firewall address
- Go to Policy & Objects > Addresses and create a new Address.
- Enter the following information and select OK.
| Category | Set to Address. |
| Name | Enter vpn-local. A meaningful name for the local private network. |
| Type | Set to IP/Netmask. |
| Subnet / IP Range | 10.11.101.0 255.255.255.0 |
| Interface | Set to any. |
To define the remote private network firewall address
- Go to Policy & Objects > Addresses and create a new Address.
- Enter the following information, and select OK:
| Category | Set to Address. |
Testing
| Name | Enter vpn-remote. A meaningful name for the remote private network. |
| Type | Set to IP/Netmask. |
| Subnet / IP Range | 10.31.101.0 255.255.255.0 on FortiGate_1.
10.21.101.0 255.255.255.0 on FortiGate_2. |
| Interface | Any |
To configure the IPsec security policy
In the CLI on FortiGate_1, enter the commands:
config firewall policy edit 1 set srcintf “port1” set dstintf “port2” set srcaddr “vpn-local” set dstaddr “vpn-remote” set action ipsec set schedule “always” set service “ANY” set inbound enable set outbound enable set vpntunnel “FGT1_to_FGT2” set natoutbound enable set natip 10.31.101.0 255.255.255.0
end
Optionally, you can set everything except natip in the web-based manager and then use the CLI to set natip.
Enter the same commands on FortiGate_2, but set natip be 10.21.101.0 255.255.255.0. Testing
The best testing is to look at the packets both as the VPN tunnel is negotiated, and when the tunnel is up.
Determining what the other end of the VPN tunnel is proposing
- Start a terminal program such as PuTTY and set it to log all output.
When necessary refer to the logs to locate information when output is verbose.
- Logon to the FortiGate unit using a super_admin account.
- Enter the following CLI commands.
- Display all the possible IKE error types and the number of times they have occurred:
diag vpn ike errors
- Check for existing debug sessions:
diag debug info
If a debug session is running, to halt it enter:
diag debug disable
- Confirm your proposal settings:
diag vpn ike config list
- If your proposal settings do not match what you expect, make a change to it and save it to force an update in memory. If that fixes the problem, stop here.
- List the current vpn filter:
diag vpn ike filter
- If all fields are set to any, there are no filters set and all VPN IKE packets will be displayed in the debug output. If your system has only a few VPNs, skip setting the filter.
If your system has many VPN connections this will result in very verbose output and make it very difficult to locate the correct connection attempt.
- Set the VPN filter to display only information from the destination IP address for example 10.10.10.10:
diag vpn ike log-filter dst-addr4 10.10.10.10
To add more filter options, enter them one per line as above. Other filter options are:
| clear | erase the current filter |
| dst-addr6 | the IPv6 destination address range to filter by |
| dst-port | the destination port range to filter by |
| interface | interface that IKE connection is negotiated over |
| list | display the current filter |
| name | the phase1 name to filter by |
| negate | negate the specified filter parameter |
| src-addr4 | the IPv4 source address range to filter by |
| src-addr6 | the IPv6 source address range to filter by |
| src-port | the source port range to filter by |
| vd | index of virtual domain. 0 matches all |
- Start debugging:
diag debug app ike 255 diag debug enable
- Have the remote end attempt a VPN connection.
If the remote end attempts the connection they become the initiator. This situation makes it easier to debug VPN tunnels because then you have the remote information and all of your local information. by initiate the connection, Testing
you will not see the other end’s information.
- If possible go to the web-based manager on your FortiGate unit, go to the VPN monitor and try to bring the tunnel up.
- Stop the debug output:
diag debug disable
- Go back through the output to determine what proposal information the initiator is using, and how it is different from your VPN P1 proposal settings.
Important terms to look for in VPN debug output
| initiator | Starts the VPN attempt, in the above procedure that is the remote end |
| responder | Answers the initiator’s request |
| local ID | In aggressive mode, this is not encrypted |
| error no SA proposal chosen | There was no proposal match — there was no encryption-authentication pair in common, usually occurs after a long list of proposal attempts |
| R U THERE
and R U THERE ack |
dead peer detection (dpd), also known as dead gateway detection — after three failed attempts to contact the remote end it will be declared dead, no farther attempts will be made to contact it |
| negotiation result | lists the proposal settings that were agreed on |
| SA_life_soft and SA_life_ hard | negotiating a new key, and the key life |
| R U THERE | If you see this, it means Phase 1 was successful |
| tunnel up | the negotiation was successful, the VPN tunnel is operational |