Site A needs IPsec with site B.
Site A networks 192.168.20.0/24 and 192.168.50.0/24 need to reach Site B network 192.168.1.0/24. And the other way around as well.
The problem is that Site A has a network 192.168.1.0/24 on its LAN interface, and a route to it as well.
I can only modify the Site A configuration. I have to somehow apply NAT to Site B's 192.168.1.0/24, so that computers on Site A use one-to-one NAT 192.168.250.0/24 to reach the remote 192.168.1.0/24: 192.168.250.1 is used to access 192.168.1.1, etc. Just before the traffic is sent, destination NAT is performed from 192.168.250.1 to 192.168.1.1, etc. And when traffic is received, source NAT is used to translate 192.168.1.1 to 192.168.250.1, etc.
My first idea was to implement it as follows:
config firewall vip
    edit "SiteB_NAT"
        set extip 192.168.250.0-192.168.250.255
        set mappedip "192.168.1.0-192.168.1.255"
        set extintf "any"
    next
end
config firewall ippool
    edit "SNAT_SiteB"
        set type one-to-one
        set startip 192.168.250.0
        set endip 192.168.250.255
    next
end
config firewall policy
    edit 53
        set name "To_SiteB"
        set srcintf "BNET_L2" "VLAN50"
        set dstintf "IPSec_VGGN"
        set action accept
        set srcaddr "192.168.20.0/24" "192.168.50.0/24"
        set dstaddr "SiteB_NAT"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
config firewall policy
    edit 55
        set name "From_VGGN"
        set srcintf "IPSec_VGGN"
        set dstintf "BNET_L2" "VLAN50"
        set action accept
        set srcaddr "192.168.1.0/24"
        set dstaddr "192.168.20.0/24" "192.168.50.0/24"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "SNAT_SiteB"
        set comments "From_VGGN"
    next
end
But then there is a problem: FortiGate first applies policy, then routing. So it would still look for a route to 192.168.1.0/24 and forward it to the LAN interface, right?
How can I overcome this? Is it somehow possible to make a route that applies only to policy 53?
Or maybe there is a different, better solution for this problem (I cannot modify the subnet on Site B)?
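A self-contained check of the one-to-one mapping described above, added here as an example and not part of the original post. The subnets are taken from the question; the function names are my own, and the check flags the two things worth verifying before deploying such a design: the NAT alias range must be exactly as large as the real range, and it must not collide with any Site A network, or the same routing ambiguity just moves to a different subnet.

```python
import ipaddress

# Constructed from the addresses in the question: Site A's own networks
# (including the LAN subnet that collides with Site B) and the proposed
# one-to-one NAT range that Site A hosts will use to reach Site B.
SITE_A_LOCAL = ["192.168.20.0/24", "192.168.50.0/24", "192.168.1.0/24"]
SITE_B_REAL = "192.168.1.0/24"
SITE_B_NAT = "192.168.250.0/24"


def translate(addr, from_net, to_net):
    """One-to-one NAT: keep the host offset, swap the network prefix."""
    a = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.num_addresses != dst.num_addresses:
        raise ValueError("one-to-one NAT needs equal-sized ranges")
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    offset = int(a) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + offset))


def dnat_to_site_b(addr):
    """Outbound: translate the NAT alias (192.168.250.x) to the real host."""
    return translate(addr, SITE_B_NAT, SITE_B_REAL)


def snat_from_site_b(addr):
    """Inbound: translate the real Site B source back to its NAT alias."""
    return translate(addr, SITE_B_REAL, SITE_B_NAT)


def check_nat_plan(local_nets, real_net, nat_net):
    """Return a list of problems with the NAT plan (empty list means OK)."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    real = ipaddress.ip_network(real_net)
    nat = ipaddress.ip_network(nat_net)
    problems = []
    if real.num_addresses != nat.num_addresses:
        problems.append(f"{nat} and {real} differ in size; one-to-one mapping impossible")
    for n in local:
        # The alias range must be free on Site A, otherwise routing is ambiguous again.
        if nat.overlaps(n):
            problems.append(f"NAT range {nat} overlaps local network {n}")
    if not any(real.overlaps(n) for n in local):
        problems.append(f"{real} does not overlap any local network; NAT is unnecessary")
    return problems
```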