Created on 12-22-2006 12:00 AM
| Introduction |
This article describes how to create a VPN between hosts on two private networks that use the same subnet addresses. This is also called an overlapping subnet configuration. In FortiOS v2.80 this problem was resolved with IPSec virtual IP (VIP) addresses.
See also the related article "IPSec VPN with virtual IP for overlapped subnets (v3.0)".
In FortiOS v3.0, there are no IPSec VIPs. Instead, you create a proxy ARP table entry and a static host route for the remote host. This requires an interface-based VPN, a feature introduced in FortiOS v3.0. |
| Components | The sample configuration uses FortiGate Antivirus Firewalls running FortiOS v3.00. The pre-shared key and IPSec proposals shown are sample values for illustration, not recommended production settings. |
| Network Diagram |
|
| Prerequisites | The configuration is based on the following assumptions:
|
| Configuration: FortiGate_1 | config system interface
# port1 holds the private 192.168.4.0/24 subnet that overlaps with the remote site;
# port2 is the public interface on which the IPsec tunnel terminates
edit "port1"
set ip 192.168.4.199 255.255.255.0
# management access on the private side is limited to ping and HTTPS
set allowaccess ping https
next
edit "port2"
set ip 64.114.95.202 255.255.255.128
next
end
# proxy ARP: port1 answers ARP for 192.168.4.1 on behalf of the remote host, so local
# hosts address the remote peer as 192.168.4.1; the /32 host route further down then
# carries that traffic into the tunnel
config system proxy-arp
edit 1
set interface "port1"
set ip 192.168.4.1
next
end
# interface-based (route-based) phase 1: creates the tunnel interface "2fw2p1" that the
# firewall policies and the host route below reference
config vpn ipsec phase1-interface
edit "2fw2p1"
set interface "port2"
set dpd enable
set nattraversal enable
# NOTE(review): proposals and psksecret are this article's sample values (3DES and MD5
# are legacy algorithms) -- not settings to copy into a production tunnel
set proposal 3des-sha1 3des-md5
set remote-gw 64.114.95.203
set psksecret 123456
next
end
# phase 2 bound to phase 1 "2fw2p1"; PFS, keepalive and anti-replay protection enabled
config vpn ipsec phase2-interface
edit "2fw2p2"
set keepalive enable
set pfs enable
set phase1name "2fw2p1"
set proposal 3des-sha1 3des-md5
set replay enable
next
end
# both address objects cover the same 192.168.4.0/24 because the two sites use the same
# subnet -- the overlap this article works around
config firewall address
edit "all"
next
edit "ipsecsrc"
set subnet 192.168.4.0 255.255.255.0
next
edit "ipsecdst"
set subnet 192.168.4.0 255.255.255.0
next
end
# policy 1: port1 -> tunnel; policy 2: tunnel -> port1. Both accept any service at any
# time, so every local host can reach the remote host on every port -- narrow "service"
# if only specific protocols need to cross the tunnel
config firewall policy
edit 1
set srcintf "port1"
set dstintf "2fw2p1"
set srcaddr "ipsecsrc"
set dstaddr "ipsecdst"
set action accept
set schedule "always"
set service "ANY"
next
edit 2
set srcintf "2fw2p1"
set dstintf "port1"
set srcaddr "ipsecdst"
set dstaddr "ipsecsrc"
set action accept
set schedule "always"
set service "ANY"
next
end
# route 1: default route out port2 (no dst given, so the default 0.0.0.0/0 applies)
# route 2: /32 host route that sends traffic for the proxy-ARP address 192.168.4.1
# into the tunnel interface
config router static
edit 1
set device "port2"
set gateway 64.114.95.254
next
edit 2
set device "2fw2p1"
set dst 192.168.4.1 255.255.255.255
next
end |
| Configuration: FortiGate_2 | config system interface
# mirror of FortiGate_1: port1 holds the same private 192.168.4.0/24 subnet,
# port2 is the public interface on which the IPsec tunnel terminates
edit "port1"
set ip 192.168.4.99 255.255.255.0
# management access on the private side is limited to ping and HTTPS
set allowaccess ping https
next
edit "port2"
set ip 64.114.95.203 255.255.255.128
next
end
# proxy ARP: port1 answers ARP for 192.168.4.11 on behalf of the remote host, so local
# hosts address the remote peer as 192.168.4.11; the /32 host route further down then
# carries that traffic into the tunnel
config system proxy-arp
edit 1
set interface "port1"
set ip 192.168.4.11
next
end
# interface-based (route-based) phase 1: creates the tunnel interface "2fw1p1" that the
# firewall policies and the host route below reference; remote-gw is FortiGate_1's port2
config vpn ipsec phase1-interface
edit "2fw1p1"
set interface "port2"
set dpd enable
set nattraversal enable
# NOTE(review): proposals and psksecret are this article's sample values (3DES and MD5
# are legacy algorithms) -- not settings to copy into a production tunnel; both peers
# must use the same pre-shared key
set proposal 3des-sha1 3des-md5
set remote-gw 64.114.95.202
set psksecret 123456
next
end
# phase 2 bound to phase 1 "2fw1p1"; PFS, keepalive and anti-replay protection enabled
config vpn ipsec phase2-interface
edit "2fw1p2"
set keepalive enable
set pfs enable
set phase1name "2fw1p1"
set proposal 3des-sha1 3des-md5
set replay enable
next
end
# both address objects cover the same 192.168.4.0/24 because the two sites use the same
# subnet -- the overlap this article works around
config firewall address
edit "all"
next
edit "ipsecsrc"
set subnet 192.168.4.0 255.255.255.0
next
edit "ipsecdst"
set subnet 192.168.4.0 255.255.255.0
next
end
# policy 1: port1 -> tunnel; policy 2: tunnel -> port1. Both accept any service at any
# time, so every local host can reach the remote host on every port -- narrow "service"
# if only specific protocols need to cross the tunnel
config firewall policy
edit 1
set srcintf "port1"
set dstintf "2fw1p1"
set srcaddr "ipsecsrc"
set dstaddr "ipsecdst"
set action accept
set schedule "always"
set service "ANY"
next
edit 2
set srcintf "2fw1p1"
set dstintf "port1"
set srcaddr "ipsecdst"
set dstaddr "ipsecsrc"
set action accept
set schedule "always"
set service "ANY"
next
end
# route 1: default route out port2 (no dst given, so the default 0.0.0.0/0 applies)
# route 2: /32 host route that sends traffic for the proxy-ARP address 192.168.4.11
# into the tunnel interface
config router static
edit 1
set device "port2"
set gateway 64.114.95.254
next
edit 2
set device "2fw1p1"
set dst 192.168.4.11 255.255.255.255
next
end |
| Troubleshooting | diag deb enable – enable debug output on the console; diag deb app ike 2 – display the IPsec IKE negotiation; diag sniff packets – display packets arriving at and leaving the interfaces; diag ip route list – check the host routes in the kernel |