3

I'm trying to create IPsec VPN Tunnel between two sites.

Site 1
Fortigate 140D
Local subnet : 192.168.1.0/24

Site 2
Fortigate 100D
Local Subnet : 192.168.2.0/24

But when I try to create it, it gives me the error: Conflicts with existing local subnet(s)

I don't understand why... can anyone explain it to me? What I have to do?


HopelessN00b
Adeel ASIF

3 Answers

3

This warning is telling you that your configuration would result in an IP address space collision. The 192.168.1.0/24 subnet that you're trying to connect to remotely already exists locally.

You can't have the same IP address space in two different places on your WAN, so you need to either change the remote subnet to something that doesn't exist locally, or remove the 192.168.1.0/24 subnet from the local network.

HopelessN00b
  • Can you give me some example of compatible subnet? I can easily change the site2 subnet... – Adeel ASIF Mar 15 '16 at 09:33
  • @AdeelASIF Not without knowing your network, no. Your local subnet needs to only exist at the local site, and your remote subnet needs to only exist at your remote site. – HopelessN00b Mar 15 '16 at 09:37
  • Can you explain why 192.168.1.0 and 192.168.2.0 are the same subnet? I don't really understand – Adeel ASIF Mar 15 '16 at 09:50
  • @AdeelASIF They're not the same subnet. You just... you should hire or contract a network engineer to sort this out for you. – HopelessN00b Mar 15 '16 at 09:54
3

By default, the Fortigate firewall's dedicated management interface has an IP address in the 192.168.1.0/24 range. Please note, it is not the internal interface; it's another dedicated port for management, with the default IP 192.168.1.99. You can connect to the firewall directly through this interface using the IP address 192.168.1.2 and subnet mask 255.255.255.0.

I guess this default setting of the firewall is the reason for the conflict. You can investigate this yourself and find out. Either you will need to change the management IP range or the remote network IP range for the VPN to work.

Diamond
  • That sounds right to me. I just use plain OpenVPN on a server of my own creation, but the subnet thing can crop up just the same. OpenVPN requires a subnet of its own (in route mode) so clients can be assigned an IP on the VPN. This subnet (the management interface in your answer probably) can conflict with one of the subnets on the client side, making routing impossible. – MrMajestyk Mar 18 '16 at 09:13
  • Yessssss !!! That's it! Problem solved. – Adeel ASIF Mar 18 '16 at 12:39
0

Even though the subnets 192.168.1.0/24 and 192.168.2.0/24 are different, the device at 192.168.2.254 thinks that 192.168.1.0/24 conflicts with the local subnet.

Perhaps the device at 192.168.2.254 is actually using a netmask of 255.255.252.0, which would be a /22 and have an IP range of 192.168.0.0 - 192.168.3.255.

In either case, it appears that you are trying to have a site-to-site IPsec VPN with overlapping subnets. Fortinet has a document describing how to accomplish Site-to-site IPsec VPN with overlapping subnets.

Tim Penner
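The check the firewall is performing, as an added example that is not part of any of the answers above and not Fortinet's code: a small Python script using the standard `ipaddress` module that derives the connected networks from a set of interface addresses and reports which of them overlap a proposed remote subnet. The interface table is constructed sample data; the `mgmt` entry models the default management port at 192.168.1.99/24 from Diamond's answer, the `/22` case models Tim Penner's wider-netmask hypothesis, and the replacement management address 10.255.255.1/24 is an assumption chosen only to show a non-overlapping fix.

```python
import ipaddress

# Constructed sample data (not from the original question): the Site 2
# Fortigate's connected interfaces. The "mgmt" entry models the default
# dedicated management port at 192.168.1.99/24 described in the answer above.
SITE2_INTERFACES = {
    "internal": "192.168.2.254/24",
    "mgmt": "192.168.1.99/24",
}


def connected_networks(interfaces):
    """Map interface name -> the network each interface address sits in.

    ipaddress.ip_interface() keeps the host bits and .network derives the
    connected subnet from the mask, so "192.168.2.254/22" yields 192.168.0.0/22.
    """
    return {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}


def find_conflicts(remote_subnet, interfaces):
    """Return [(iface, network), ...] for every connected network that overlaps
    the proposed remote (phase 2 destination) selector.

    A non-empty result is the condition behind the firewall's
    "Conflicts with existing local subnet(s)" warning: packets for the remote
    site would match a directly connected route instead of the tunnel.
    """
    remote = ipaddress.ip_network(remote_subnet, strict=False)
    return [(name, net) for name, net in connected_networks(interfaces).items()
            if net.overlaps(remote)]


def selectors_ok(local_subnet, remote_subnet, interfaces):
    """True when the phase 2 selectors are usable: the local and remote
    selectors are disjoint, and the remote selector touches no connected network."""
    local = ipaddress.ip_network(local_subnet, strict=False)
    remote = ipaddress.ip_network(remote_subnet, strict=False)
    if local.overlaps(remote):
        return False
    return not find_conflicts(remote_subnet, interfaces)


if __name__ == "__main__":
    # As posted: remote 192.168.1.0/24 collides with the management port's subnet.
    for iface, net in find_conflicts("192.168.1.0/24", SITE2_INTERFACES):
        print(f"remote 192.168.1.0/24 conflicts with {iface} ({net})")

    # The /22 hypothesis: a 255.255.252.0 mask on the internal interface
    # covers 192.168.0.0-192.168.3.255, so 192.168.1.0/24 collides with it too.
    wide = {"internal": "192.168.2.254/22"}
    print(find_conflicts("192.168.1.0/24", wide))

    # Fix: move the management port off 192.168.1.0/24 (new address is an assumption).
    fixed = dict(SITE2_INTERFACES, mgmt="10.255.255.1/24")
    print(selectors_ok("192.168.2.0/24", "192.168.1.0/24", fixed))  # True
```

Running the script prints the management-port conflict for the configuration as posted, then shows that a /22 on the internal interface would also absorb 192.168.1.0/24, and finally that renumbering the management port makes the selectors usable. The same routine can be pointed at any interface list pulled from the firewall before a phase 2 selector is added.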