IPSEC VPN established - routing with 2 subnets not working

Hi.
I have an IPsec VPN between 2 sites but, because of overlapping networks, we decided SITE A would create a new VLAN with an unused subnet in SITE B.
The topology (simplified) is as follows:
SITE A
SUBNET A - 10.10.3.1/24 - main subnet
SUBNET B - 10.10.10.1/24 - subnet used only for vpn
SITE B
SUBNET C - 10.1.1.2/32
IPSEC VPN site A
local address - 10.10.10.1/24
remote address - 10.1.1.2/32
IPSEC VPN site B
local address - 10.1.1.2/32
remote address - 10.10.10.1/24

IPSEC VPN is established and all good but I want to be able to connect from SITE A, subnet A 10.10.3.1, to SITE B, subnet C 10.1.1.2.
From the CLI, if I set the source address to 10.10.10.1, I am able to ping 10.1.1.2 or telnet to available ports, but I'm scratching my head as to what firewall rules or policy routes I need in order to allow subnet A to connect to subnet C.
The IPsec wizard automatically added the route to SUBNET C and the blackhole + 2 firewall rules.
I have firewall rules in place which allow traffic from:
SUBNET A to B (working)
SUBNET B to A (working)
SUBNET B to C (working)
VPN TUNNEL to SUBNET B (working, added by IPsec wizard)
SUBNET B to VPN TUNNEL (working, added by IPsec wizard)
In policy routes, I've added SUBNET A to SUBNET C, with outgoing interface VPN TUNNEL and gateway 0.0.0.0, but no luck.
Any ideas?

Don't use policy-based VPN tunnels. Set local/remote addresses to 0.0.0.0 and just use static routes and firewall policies to decide who gets to reach whom.

  1. The tunnel won't let Subnet A go through it, as it's not part of the IPsec P2 subnets. But that is fine, as it shouldn't go through the tunnel anyway.

  2. You need to source-NAT the traffic from Site A. Site B shouldn't see SUBNET A, as that would cause routing issues in Site B since they already have a similar subnet there. In Site A you need to make a firewall rule where Subnet A, as source, is allowed to access Subnet C, but you add a NAT pool to the rule and use an IP from Subnet B for the NAT. This way Site B sees traffic originating from Subnet B and can handle it without issues. When traffic comes back to Site A, the firewall will then translate the addresses so it goes back to the real IP in Subnet A.

This example doesn’t show any overlapping IPs.

SITE A
SUBNET A - 10.10.3.0/24   (/24 = 0-255)
SUBNET B - 10.10.10.0/24  (/24 = 0-255)

SITE B
SUBNET C - 10.1.1.2/32

Is SUBNET C overlapping with a network on SITE A?

and/or

Are SUBNET A and/or SUBNET B overlapping with a network on SITE B?

If NO: you do not need to do NATting.

If YES: you need to use NAT or an IP Pool in the policy to the remote side.

If NAT is used without an IP Pool, an IP on the TUNNEL interface must exist.

Remove the policy route; it breaks more than it will do good.

The routing table on each side should have a route to the subnet on the remote end.

SITE A needs to know to send destination 10.1.1.2/32 via VPN TUNNEL
SITE B needs to know to send destination 10.10.10.0/24 via VPN TUNNEL

The systems themselves also need to know the routing.
So a system in 10.10.3.x needs to know how to reach 10.1.1.2 and vice versa.
Don't assume a default route, CHECK!

You will need policies

on SITE A: from SUBNET-A to VPN TUNNEL and vice versa
on SITE B: from SUBNET-C to VPN TUNNEL and vice versa

Using NAT in any of these depends on the previously mentioned overlap and/or routing of the systems.
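The route-based design that the "don't use policy-based tunnels" reply and the checklist above describe, written out as FortiGate CLI for the no-overlap branch ("If NO: you do not need to do NATting"). This is an added example, not the original poster's configuration or wizard output: the interface, tunnel and address-object names "SUBNET A", "SUBNET B", "VPN TUNNEL" and "SUBNET C" come from the thread; the address object "SUBNET A net", the Site B interface "LAN" and a FortiGate at Site B are assumptions; the "#" lines are annotations to strip before pasting into the CLI.

```fortios
# ===== SITE A =====
# Phase 2 with 0.0.0.0/0 selectors: the tunnel accepts whatever the routing
# table sends into it, so routes and policies alone decide who reaches whom.
config vpn ipsec phase2-interface
    edit "VPN TUNNEL"
        set phase1name "VPN TUNNEL"
        set src-addr-type subnet
        set dst-addr-type subnet
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Route SUBNET C into the tunnel. The high-distance blackhole drops that
# traffic while the tunnel is down instead of leaking it out the WAN default.
config router static
    edit 0
        set dst 10.1.1.2 255.255.255.255
        set device "VPN TUNNEL"
    next
    edit 0
        set dst 10.1.1.2 255.255.255.255
        set blackhole enable
        set distance 254
    next
end

# "SUBNET C" already exists (wizard output); "SUBNET A net" is assumed.
config firewall address
    edit "SUBNET A net"
        set subnet 10.10.3.0 255.255.255.0
    next
end

# Policies both ways, no NAT: this is the no-overlap case.
config firewall policy
    edit 0
        set name "subA-to-subC"
        set srcintf "SUBNET A"
        set dstintf "VPN TUNNEL"
        set action accept
        set srcaddr "SUBNET A net"
        set dstaddr "SUBNET C"
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "subC-to-subA"
        set srcintf "VPN TUNNEL"
        set dstintf "SUBNET A"
        set action accept
        set srcaddr "SUBNET C"
        set dstaddr "SUBNET A net"
        set schedule "always"
        set service "ALL"
    next
end

# ===== SITE B ===== (a FortiGate with SUBNET C on "LAN" is assumed; the same
# 0.0.0.0/0 phase 2 and the same two address objects are needed here)
config router static
    edit 0
        set dst 10.10.3.0 255.255.255.0
        set device "VPN TUNNEL"
    next
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "VPN TUNNEL"
    next
end
config firewall policy
    edit 0
        set name "subC-to-subA"
        set srcintf "LAN"
        set dstintf "VPN TUNNEL"
        set action accept
        set srcaddr "SUBNET C"
        set dstaddr "SUBNET A net"
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "subA-to-subC"
        set srcintf "VPN TUNNEL"
        set dstintf "LAN"
        set action accept
        set srcaddr "SUBNET A net"
        set dstaddr "SUBNET C"
        set schedule "always"
        set service "ALL"
    next
end

# ===== CHECK, on both sides =====
get router info routing-table all           # S 10.1.1.2/32 must point at "VPN TUNNEL", not wan1
diagnose vpn tunnel list name "VPN TUNNEL"  # selectors 0.0.0.0/0 <-> 0.0.0.0/0, SA up
diagnose sniffer packet "VPN TUNNEL" 'host 10.1.1.2' 4   # a ping from 10.10.3.x shows here
```

The point of the 0.0.0.0/0 selectors is that adding a subnet later is a route plus a policy pair, not a phase 2 change on both peers. The sniffer line is the quickest way to confirm the "CHECK!" above: if the ping from a 10.10.3.x host shows on wan1 instead of the tunnel, the routing table, not the policy set, is what is wrong.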

Unfortunately, the VPN cannot be modified now, so modifying the remote/local addresses on both ends is impossible.

Well, yes, SUBNET A overlaps with a subnet on SITE B.

I have a static route which allows traffic from SITE A to SITE B.

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 1.1.1.1, wan1, [1/0]
S       10.1.1.2/32 [10/0] via ip_sec_tunnel 2.2.2.2, [1/0]

I can ping from SUBNET B to SUBNET C and vice versa.

I have firewall rules which allow traffic from SUBNET A to SUBNET B, SUBNET B to SUBNET A, SUBNET A to VPN TUNNEL, VPN TUNNEL to SUBNET A, SUBNET B to VPN TUNNEL, VPN TUNNEL to SUBNET B.

config firewall policy
    edit 56
        set name "vpn_local_0"
        set uuid b3298190-eb40-51ed-fa0d-7a52a3c54986
        set srcintf "SUBNET B"
        set dstintf "VPN TUNNEL"
        set action accept
        set srcaddr "all"
        set dstaddr "SUBNET C"
        set schedule "always"
        set service "ALL"
        set comments "VPN: ipsec (Created by VPN wizard)"
    next
    edit 57
        set name "vpn_remote_0"
        set uuid b3456cca-eb40-51ed-bf68-37267c58c894
        set srcintf "VPN TUNNEL"
        set dstintf "SUBNET B"
        set action accept
        set srcaddr "SUBNET C"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set comments "VPN: ipsec (Created by VPN wizard)"
    next
    edit 61
        set name "local-sub-to-remote-sub"
        set uuid 35ab30cc-eb60-51ed-e900-db00c844fb7e
        set srcintf "SUBNET A"
        set dstintf "VPN TUNNEL"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SUBNET B IP"
    next
    edit 58
        set name "subA-to-subB"
        set uuid 358d3ac4-eb4a-51ed-ab6a-e4bfe07cc3ee
        set srcintf "SUBNET A"
        set dstintf "SUBNET B"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 60
        set name "remote-to-internal"
        set uuid 65ae725e-eb4a-51ed-afd9-ec4bb9baf3ea
        set srcintf "SUBNET B"
        set dstintf "SUBNET A"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 64
        set name "vpn-sub-to-internal"
        set uuid 3dcd1dbe-ed78-51ed-d8e8-856389c9adac
        set srcintf "VPN TUNNEL"
        set dstintf "SUBNET A"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

I've created an IP pool with IP 10.10.10.1 as the external range and then created a firewall rule using this IP pool.

config firewall policy
    edit 61
        set name "local-sub-to-remote-sub"
        set uuid 35ab30cc-eb60-51ed-e900-db00c844fb7e
        set srcintf "SUBNET A"
        set dstintf "VPN TUNNEL"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SUBNET B IP"
    next
end
What am I missing?

Add a second phase 2 selector config for the second subnet. That's how we did it. We don't use routed tunnels at the moment, so some of our Fortinet-to-Cisco, etc. tunnels have two or more phase 2 selectors.

Let me have a look and I will get back to you... =)

I can see two items.

IP on the VPN tunnel interface: not needed unless you are doing peering or NATting using that IP. This is not a really big issue unless it overlaps another subnet.

The IP Pool you mentioned in FW policy 61 (A to VPN) is “SUBNET B IP”
However SUBNET B is already in use by the interface with SUBNET B.
This creates a conflict because now it’s got the same IP range on two interfaces.

Use an IP Pool on Site A that is not a current existing subnet and use that in the policy from A to VPN.

On site B, add a route towards the IP Pool used on site A.

Note that if you are using the wizard, you might also need to add the IP pool range to Phase 2.

When using 0.0.0.0/0.0.0.0 in Phase 2 this is not an issue.
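Putting the last reply together with the earlier source-NAT suggestion and the "second phase 2 selector" tip, as FortiGate CLI for the overlap case the poster actually has (SUBNET A exists at both sites, and the existing tunnel selectors cannot be changed). This is an added example, not the poster's configuration: 10.10.20.0/24 is an assumed range that is in use at neither site, "POOL-TO-SITEB", "SUBNET A net", "SITEA-POOL", "VPN TUNNEL-pool" and the Site B interface "LAN" are assumed names, a FortiGate at Site B is assumed, the wizard selector (10.10.10.0/24 to 10.1.1.2/32) and the existing static route to 10.1.1.2/32 are left as they are, and the "#" lines are annotations to strip before pasting.

```fortios
# ===== SITE A =====
# 1. IP pool in a range that is in use on neither site (10.10.20.0/24 assumed).
#    Not an interface IP: 10.10.10.1 is SUBNET B's own address, which is the
#    conflict the last reply points at.
config firewall ippool
    edit "POOL-TO-SITEB"
        set type overload
        set startip 10.10.20.1
        set endip 10.10.20.1
    next
end

# 2. Second phase 2 selector so the tunnel carries the post-NAT source.
#    The wizard selector (10.10.10.0/24 <-> 10.1.1.2/32) is left alone;
#    with 0.0.0.0/0 selectors this step would be unnecessary.
config vpn ipsec phase2-interface
    edit "VPN TUNNEL-pool"
        set phase1name "VPN TUNNEL"
        set src-addr-type subnet
        set dst-addr-type subnet
        set src-subnet 10.10.20.0 255.255.255.0
        set dst-subnet 10.1.1.2 255.255.255.255
    next
end

# 3. Policy SUBNET A -> tunnel, hidden behind the pool. The existing
#    "S 10.1.1.2/32 via VPN TUNNEL" route already selects the tunnel as
#    egress, so no policy route is needed.
config firewall address
    edit "SUBNET A net"
        set subnet 10.10.3.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "subA-to-subC-snat"
        set srcintf "SUBNET A"
        set dstintf "VPN TUNNEL"
        set action accept
        set srcaddr "SUBNET A net"
        set dstaddr "SUBNET C"
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "POOL-TO-SITEB"
    next
end

# ===== SITE B ===== (a FortiGate with SUBNET C on "LAN" is assumed)
# Site B only ever sees 10.10.20.1, so its own copy of 10.10.3.0/24 is never
# involved. It needs the mirror selector, a route sending the pool back into
# the tunnel, and a policy that admits the pool.
config vpn ipsec phase2-interface
    edit "VPN TUNNEL-pool"
        set phase1name "VPN TUNNEL"
        set src-addr-type subnet
        set dst-addr-type subnet
        set src-subnet 10.1.1.2 255.255.255.255
        set dst-subnet 10.10.20.0 255.255.255.0
    next
end
config firewall address
    edit "SITEA-POOL"
        set subnet 10.10.20.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 10.10.20.0 255.255.255.0
        set device "VPN TUNNEL"
    next
end
config firewall policy
    edit 0
        set name "siteA-pool-to-subC"
        set srcintf "VPN TUNNEL"
        set dstintf "LAN"
        set action accept
        set srcaddr "SITEA-POOL"
        set dstaddr "SUBNET C"
        set schedule "always"
        set service "ALL"
    next
end

# ===== VERIFY, from Site A =====
diagnose vpn tunnel list name "VPN TUNNEL"   # two SAs: wizard one plus 10.10.20.0/24 <-> 10.1.1.2/32
diagnose debug flow filter addr 10.1.1.2
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ping 10.1.1.2 from a 10.10.3.x host; the trace should show
# "SNAT 10.10.3.x->10.10.20.1" and egress on "VPN TUNNEL". Then:
diagnose debug disable
```

Two things this layout depends on, both taken from the replies above: the pool range must be free at both ends, because Site B has to route it back into the tunnel without colliding with anything local, and the selector pair must be added on both peers, since a policy-based selector is negotiated, not declared unilaterally. If the second SA does not come up in the tunnel listing, the mismatch is in the selectors, not in the firewall policies.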