IPSec VPN with overlapping networks


Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

L2 Linker

Something is not right.


The phase-2 config on the connecting party is like this:


config vpn ipsec phase2-interface

    edit "VPN"

        set phase1name "VPN"

        set proposal aes256-sha256

        set dhgrp 14

        set keylifeseconds 3600

        set src-subnet

        set dst-subnet




The tunnel is established but they are not able to ping servers on our side.

I do not see any traffic even in the "Session Browser".

L5 Sessionator

Assuming you log everything; untill you don't see a packet arriving from their side it means they are not sending it correctly.

You can also try sending traffic towards them.

L4 Transporter

Fist I would suggest you to disable the bi-directional for the source NAT and configure manually destination NAT. The main reason for that is - What does the Bi-directional NAT Feature Provide? My phisosofy is to enable bi-directional only for static NAT going to public. NATing for VPN could be little bit tricky. So I would suggest the following:


## Source NAT

IPSecVPN_xxx-1 {
  to [ IPSec_xxx ]; 
  from [ LAN_Servers ];  
  source [ ]; 
  destination [ ]; 
  source-translation {
    static-ip {
      bi-directional no; translated-address;

#### Destination NAT

IPSecVPN_xxx-2 {
 to [ Untrust ] 
 from [ IPSec_xxx] 
 source [ ] 
 destination [ ] 
 destination-translation {

 Note: that the to zone in your destination NAT should  be zone based on your routing table for If you don't have route for such network, traffic will be routed with default route to outside (or your what ever default is related). if you have route matching this network (for example you need to put the zone following this route)



	• NAT rule must be configured with pre-NAT zones (zones matching the addresses before the NAT)
	• Security rule must be configured with pre-NAT addresses, but post-NAT zones


Having the bidirectional enabled should work indeed, so if the traffic is failing I would suggest:
- Check the rule on the Fortigate at the other end
- Check the routing on the Fortigate at the other end
- Check if encrypted packets are increasing on the Fortigate

- Check for decrypted packets on your end
- As per revious comment - check if you can send traffic
- Check the log to confirm the NAT is applied
- Check for encrypted packets at your end and decrypted packets at Forti end

Tags (1)
L2 Linker

I am still stuck here. There is not much I can check on the other side. They say that the traffic is entering the tunnel.

I do not see any traffic on my side.

In vRouter I have a static route for directing it to the tunnel.

Should I have anything more there?

L7 Applicator

Go to Network > IPSec Tunnels

In Status column of the tunnel you have "Tunnel Info"

Click on it.

While they ping does Pkt Decap counter increase?


If yes then you are receiving packets.


Have you overrided last 2 intrazone-default and interzone-default rules to log?

If yes do you see any sessions in Monitor > Traffic ?



Enterprise Architect @ Cloud Carib www.cloudcarib.com
L2 Linker

Pkt Decap and Bytes Decap have values, the restof columns are zeros.

I have not overridden the default rules.


L7 Applicator

Is vpn tunnel interface in dedicated vpn zone? If yes do you have security policy to allow traffic from vpn zone to internal zone?

If you have not overridden default policies at the end then no log will appear to Monitor > Traffic if this traffic does not match to any existing security policy.


I suggest to enable packet capture filter and choose ingress interface tunnel interface that you have configured for that vpn.

packet filter.JPG



And then check global counters with command below. Run it few times. What is output? Any drops?

> show counter global filter delta yes packet-filter yes

Enterprise Architect @ Cloud Carib www.cloudcarib.com
L5 Sessionator

I would definitelly first check logs (and make sure you log everything).

If you can't find packet in logs then i would say PA isn't doing proxy ARP for static NAT rules.

L2 Linker

Below is the configuration that finally worked.


Static Route







Security rules


View solution in original post

L5 Sessionator

Did you try only static route and only adding inbound NAT rule seperately? I'm curious what really was the original cause of issues.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!