I need to connect to 15+ locations to run network scans weekly. All the locations have Fortigate firewalls over which I have full control. The current solution I have is to connect via IPSec VPN to each location one by one to run my scans. I have considered scripting the connection and scanning process but it seems like network connectivity to all locations simultaneously is a superior solution.
All locations have the same internal subnet (which I can't control) and many locations have dynamic IP addresses. Because of this I was thinking I would need some type of NAT for VPN to give each subnet a unique address on my end allowing me to reach them all. But I am not sure how this would work.
I am wondering what the best solutions is, either hardware or through a VPN client, that would allow me to more easily gain access to these networks (preferably simultaneously). I've looked into StrongSwan as a VPN server and a Fortigate firewall on my side for form the mesh but don't have a solution yet.
Best Answer
I think you need a hub-n-spoke VPN where one location acts as the main termination point for all of the other locations, and then routes between them for connectivity for them.
Fortinet devices definitely support this. And I don't think they will have a problem with the same LAN topology on each local network; you're correct in that you will likely have to do some NAT to achieve that, but that will actually help you keep the traffic 'straight' in your head anyway.
Here's the link for the hub-and-spoke VPN solution:
http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/hub-and-spoke.096.02.html