Description
This article describes how to configure SSL VPN with overlapping subnets.
There will be connectivity issues when the remote network subnet (192.168.0.0/24) (for example, the home Wifi network) clashes with the local network subnet connected to FortiGate (192.168.0.0/24) which needs to be accessed by an SSL VPN user.
Scope
FortiGate.
Solution
To resolve the subnet overlapping issue, follow the steps below:
- Create a virtual IP object to map Virtual_Subnet to the Internal LAN subnet. Go to Policy & Object -> Virtual IPs, and select Create New -> Virtual IP.
Name: SSLVPN_VIP
Interface: ssl.root
Type: Static NAT
External IP Address/Range: 172.16.0.1 - 172.16.0.254
Mapped IP Address/Range: 192.168.0.1 - 192.168.0.254
- The separated user group, SSL VPN portal, and SSL VPN policy are created to avoid the change impacting all the other SSL VPN users. Move the SSL VPN user to the new user group which has the private network overlapped with the local private network.
- Create the SSL VPN portal for the users with overlapping:
- Add Authentication/Portal Mapping:
- Create a firewall policy for SSL VPN users to access the virtual subnet (Policy & Objects -> IPv4 Policy and select 'Create New').
Name: SSLVPN-to-Internal
Incoming Interface: ssl.root
Outgoing Interface: port3 (internal port)
Source: all
Destination: SSLVPN_VIP
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Disable
Select 'OK' to save and move this policy to the top.
- Test by connecting an endpoint to SSL VPN and make a test attempt to reach a host in the internal network (for example, 192.168.0.2) by performing a ping to 172.16.0.2.
For setup with Central SNAT enabled: Follow step 1 for the VIP setup, but for the firewall policy configuration, configure the following:
Name: SSLVPN-to-Internal
Incoming Interface: ssl.root
Outgoing Interface: port3 (internal port)
Source: all
Destination: Server_Real_Subnet (i.e. 192.168.0.0/24)
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Disable
Follow step 3 for the testing process.
