VPN Tunnel, subnets conflict

ipsecnetworkingsubnetvpn

I'm trying to create IPsec VPN Tunnel between two sites.

Site 1
Fortigate 140D
Local subnet : 192.168.1.0/24

Site 2
Fortigate 100D
Local Subnet : 192.168.2.0/24

But when I try to create it, it gives me the error: Conflicts with existing local subnet(s)

I don't understand why… can anyone explain it to me? What I have to do?

Best Answer

By default Fortigate firewall's dedicated management interface has an IP address from 192.168.1.0/24 range. Please note, it is not the internal interface, it's another dedicated port for management, with default ip 192.168.1.99. You can connect to the firewall directly with this interface using an ip address 192.168.1.2 and subnet 255.255.255.0.

I guess, this default setting of the firewall is the reason of the conflict. You can investigate this yourself and find it out. Either you will need to change the management ip range or the remote network ip range for the vpn to work.

Related Solutions

Routing subnet over GRE tunnel

You are missing the word via in your route command

ip route add 10.245.1.224/28 via 10.244.248.125

FortiGate IPsec VPN: Configuring Multiple Phase 2 Connections (Multiple Subnets)

1 & 2) You are correct that you need two phase 2s, in some instances. For instance, when dealing with additional security (previous in the flow to firewall policies, for example), splitting two subnets across two phase 2s is required. Unless you don't have this complexity and can create quick mode selectors wide enough to encompass the two subnets within the same phase 2.

3) Multiple phase 1s? Yes. It will drop like you describe. Multiple phase 2s with the same phase 1? It will not drop.

I do not know openswan, but the FortiOS supports at least the IPsec specs. Your best bet is to debug on both sides and see exactly what is going on.

Best Answer

Related Solutions

Routing subnet over GRE tunnel

FortiGate IPsec VPN: Configuring Multiple Phase 2 Connections (Multiple Subnets)

Related Topic