FortiGate overlapping subnet remapping

In a FortiGate site-to-site VPN, the private IPv4 subnets at the two ends are often the same. The problem can be solved by remapping the private IPv4 addresses with virtual IPs (VIPs).

VIPs let the hosts in the overlapping private subnets be reached under a different, non-overlapping range of addresses while the subnets themselves stay untouched: each FortiGate translates the VIP addresses back to the real addresses. So if PC1 starts a session with PC2 at 10.31.101.10, FortiGate_2 translates the destination of that session to PC2's real address, 10.11.101.10.

In the figure, the Finance network is reached under the VIP range 10.21.101.0/24 and the HR network under 10.31.101.0/24, while both sites really use the same subnet, 10.11.101.0/24.

Figure: Overlapping subnets example

Configuration of a route-based VPN solution:

Create IPsec Phase 1 and Phase 2 as you normally would for a route-based VPN. This example refers to the resulting IPsec interface as IPsec_FGT1_2_FGT2. Because the address translation happens before traffic enters the tunnel, the Phase 2 selectors (unless you simply use 0.0.0.0/0) must cover the remapped ranges 10.21.101.0/24 and 10.31.101.0/24, not the real subnet.

Configure the virtual IP (VIP) mapping under Policy & Objects > Virtual IPs > Create New. The external IP range is the site's VIP range and the mapped IP range is the site's real subnet, so traffic arriving on the IPsec interface for the VIP range is translated to the real addresses.

Figure: New Virtual IP

Create an IP pool for the subnet remapping under Policy & Objects > IP Pools, covering the site's own VIP range. It is used to source-translate outgoing sessions so that the peer only ever sees the VIP addresses.

Figure: New IP pool

Configure an outbound policy on both FortiGates under Policy & Objects > IPv4 Policy > Create New; leave the Policy Type on Firewall and the Policy Subtype on Address. The policy runs from the LAN interface to the IPsec interface, with the peer's VIP range as the destination and NAT enabled using the IP pool created above:

Figure: Outbound policy

Configure the inbound policy from the IPsec interface to the LAN interface with the VIP as the destination address, and restrict the source to the peer's VIP range rather than all:

Figure: Inbound policy

Configure a static route for the peer's VIP range via the IPsec interface:

Figure: Static route

Repeat this on both FortiGates, FGT1 and FGT2, using the corresponding ranges: 10.21.101.0/24 for Finance and 10.31.101.0/24 for HR.
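The same steps in the FortiOS CLI, as an added example that is not from the original page. It is written for FGT2 (the HR site) and assumes, beyond what the text states, that the LAN interface is port2, that the real HR subnet is 10.11.101.0/24, and the object names shown; FGT1 is configured the same way with 10.21.101.0/24 as its own VIP range and 10.31.101.0/24 as the peer's.

```fortios
# Added example, not from the original page: FGT2 (HR site) side of the
# overlapping subnet remapping. Assumed: LAN interface "port2", real HR
# subnet 10.11.101.0/24, IPsec interface "IPsec_FGT1_2_FGT2" as in the text.

# Address objects: the peer's VIP range and this site's real subnet
config firewall address
    edit "Finance_VIP_net"
        set subnet 10.21.101.0 255.255.255.0
    next
    edit "HR_real_net"
        set subnet 10.11.101.0 255.255.255.0
    next
end

# VIP: sessions arriving on the tunnel for 10.31.101.x are
# destination-translated to 10.11.101.x (1:1, same-sized ranges)
config firewall vip
    edit "HR_VIP"
        set extintf "IPsec_FGT1_2_FGT2"
        set extip 10.31.101.1-10.31.101.254
        set mappedip "10.11.101.1-10.11.101.254"
    next
end

# IP pool: outgoing sessions are source-translated to 10.31.101.x.
# one-to-one keeps each host on the same VIP address in both directions.
config firewall ippool
    edit "HR_VIP_pool"
        set type one-to-one
        set startip 10.31.101.1
        set endip 10.31.101.254
    next
end

config firewall policy
    # Outbound: LAN -> tunnel, SNAT from the pool so the peer sees VIP addresses
    edit 0
        set name "HR_to_Finance"
        set srcintf "port2"
        set dstintf "IPsec_FGT1_2_FGT2"
        set srcaddr "HR_real_net"
        set dstaddr "Finance_VIP_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "HR_VIP_pool"
    next
    # Inbound: tunnel -> LAN, DNAT through the VIP. Source is limited to the
    # peer's VIP range rather than "all"; narrow "ALL" to the services needed.
    edit 0
        set name "Finance_to_HR"
        set srcintf "IPsec_FGT1_2_FGT2"
        set dstintf "port2"
        set srcaddr "Finance_VIP_net"
        set dstaddr "HR_VIP"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Static route: the peer's VIP range is reached through the tunnel interface
config router static
    edit 0
        set dst 10.21.101.0 255.255.255.0
        set device "IPsec_FGT1_2_FGT2"
    next
end
```

Note that the real subnet 10.11.101.0/24 appears only in the address object, the VIP's mapped range and the outbound source; everything that crosses the tunnel carries VIP addresses, which is why the route and the Phase 2 selectors refer to the VIP ranges. To verify, `get router info routing-table all` should list 10.21.101.0/24 via IPsec_FGT1_2_FGT2, and `diagnose sniffer packet IPsec_FGT1_2_FGT2 'host 10.21.101.10' 4` should show the translated addresses on the tunnel interface while PC1 is reached.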

Enable Synology SSH root Login

Since DSM 6, Synology offers Linux experts an SSH terminal that can also be used as root. A NAS is usually behind a firewall and not reachable via SSH from the Internet, so logging in as a user and then running "sudo su root" is sometimes seen as unnecessary effort. There is nevertheless the option of logging in directly as root, as shown below. Keep in mind that direct root login removes a layer of defence, and root login with a password even more so: if you enable it, prefer key-based authentication and make sure the SSH port stays unreachable from the Internet.

First open the DSM Control Panel. Advanced Mode must be enabled so that the required Terminal & SNMP icon appears.

Figure: DSM Control Panel

Under Terminal & SNMP, simply enable the SSH service.

Figure: SSH service enabled

Now open an SSH connection to the Synology DiskStation with PuTTY or KiTTY, log in as admin, and set a root password:

sudo synouser --setpw root admin_password

Instead of admin_password, enter the same admin password that is used for the DSM login. Be aware that a password passed as a command-line argument is visible in the process list while the command runs and ends up in the shell history; a separate, strong root password is the better choice.

Figure: Synology root login

A message appears that you should respect the privacy of others and be careful when typing: with great power comes great responsibility.

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:

The Password: prompt is sudo asking for the admin password again before it runs synouser; it is not a confirmation of the new root password.

Configure the Synology SSH service to allow root login:

sudo vi /etc/ssh/sshd_config
Figure: sshd_config

Press i to enter insert mode and change the commented line #PermitRootLogin prohibit-password: remove the leading # and set the value to yes.

PermitRootLogin yes

Save in vim by pressing Esc and then ZZ (uppercase). Note that yes allows root to log in with a password. The more restrictive choice is to keep prohibit-password, which is also what sshd uses while the line stays commented out, and to put your public key in /root/.ssh/authorized_keys, so that root can log in only with a key.

Now restart the DiskStation, or disable and re-enable the SSH service in the Control Panel, for the change to take effect; root@diskstation can then log in directly to the Synology NAS.
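An added example, not from the original page: a small POSIX shell helper that makes the sshd_config edit above repeatable and shows the safer alternative of keeping prohibit-password and installing a key for root. The function names, the temporary-copy approach and the placeholder key in the usage comment are this example's own; file paths are passed in as arguments so it can be tried on a scratch copy before touching /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original page. Helpers for the sshd_config
# change described above; function names and structure are this example's own.
set -eu

# Print the effective PermitRootLogin value of FILE. sshd honours the first
# uncommented occurrence; the compiled-in default is prohibit-password.
get_permit_root_login() {
    awk '
        tolower($1) == "permitrootlogin" && v == "" { v = $2 }
        END { print (v == "" ? "prohibit-password" : v) }
    ' "$1"
}

# Set PermitRootLogin in FILE to VALUE (yes|no|prohibit-password|forced-commands-only).
# The first occurrence, commented or not, is rewritten in place; later duplicates
# are dropped so the setting is unambiguous; if none exists, the directive is appended.
set_permit_root_login() {
    file=$1
    value=$2
    case "$value" in
        yes|no|prohibit-password|forced-commands-only) ;;
        *) echo "invalid PermitRootLogin value: $value" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    awk -v val="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)
            if (tolower(line) ~ /^permitrootlogin([ \t]|$)/) {
                if (!done) { print "PermitRootLogin " val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print "PermitRootLogin " val }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # overwrite in place so owner and mode stay unchanged
    rm -f "$tmp"
}

# Append PUBKEY to KEYFILE (e.g. /root/.ssh/authorized_keys) unless it is already
# there, with the permissions sshd insists on (directory 700, file 600).
add_authorized_key() {
    keyfile=$1
    pubkey=$2
    dir=$(dirname "$keyfile")
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$keyfile"
    chmod 600 "$keyfile"
    if ! grep -qxF "$pubkey" "$keyfile"; then
        printf '%s\n' "$pubkey" >> "$keyfile"
    fi
}

# Usage on the NAS, as root or via sudo (the key is a placeholder):
#   set_permit_root_login /etc/ssh/sshd_config prohibit-password
#   add_authorized_key /root/.ssh/authorized_keys "ssh-ed25519 AAAA... you@laptop"
#   sshd -t -f /etc/ssh/sshd_config   # syntax check before toggling the service
```

Run the syntax check before disabling and re-enabling the SSH service: a typo in sshd_config otherwise leaves you without SSH access until you fix it from the DSM web interface.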

If you want to log in as root with WinSCP, select SCP (not SFTP) as the transfer protocol.

Figure: WinSCP session settings