Posts

Showing posts from March, 2022

Site-to-Site VPN with Overlapping Subnets in FortiGate

Thanks to: https://docs.fortinet.com/

Site-to-site VPN with overlapping subnets

This is a sample configuration of an IPsec VPN that allows transparent communication between two overlapping networks located behind different FortiGates, using a route-based tunnel with source and destination NAT.

In the following topology, both FortiGates (HQ and Branch) use 192.168.1.0/24 as their internal network, yet the two networks need to communicate with each other through the IPsec tunnel. New virtual subnets of equal size must be configured and used for all communication between the two overlapping subnets. The devices on both local networks do not need to change their IP addresses; however, devices and users must address the remote network by its new virtual subnet range when communicating across the tunnel.

Configuring the HQ FortiGate

To configure the IPsec VPN: go to VPN > IPsec Wizard and select the Custom template. Enter the name VPN-to-Branch and click Next. For the IP Address
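The following is an added CLI example of the HQ side of the design described above; it is not code from the original post or from the Fortinet documentation. It assumes HQ uses port1 as WAN and port3 as LAN, that HQ's real 192.168.1.0/24 is presented to Branch as the virtual subnet 10.10.10.0/24, that Branch's real 192.168.1.0/24 is presented to HQ as 10.10.11.0/24, and that Branch's WAN address is 203.0.113.2. All interface names, object names, addresses and the pre-shared key are placeholders.

```fortios
# HQ FortiGate: route-based IPsec tunnel to Branch (example; all values assumed)
config vpn ipsec phase1-interface
    edit "VPN-to-Branch"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.2
        set psksecret "replace-with-a-long-random-psk"
    next
end

# Phase 2 selectors carry the VIRTUAL subnets, never the overlapping real ones.
config vpn ipsec phase2-interface
    edit "VPN-to-Branch"
        set phase1name "VPN-to-Branch"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 10.10.11.0 255.255.255.0
    next
end

# Address object for the Branch virtual subnet (what HQ users must target).
config firewall address
    edit "Branch-virtual"
        set subnet 10.10.11.0 255.255.255.0
    next
end

# Outbound: SNAT HQ hosts 192.168.1.x to the 10.10.10.x range (one-to-one pool).
config firewall ippool
    edit "HQ-virtual-pool"
        set type one-to-one
        set startip 10.10.10.1
        set endip 10.10.10.254
    next
end

# Inbound: DNAT 10.10.10.x (as seen by Branch) back to the real 192.168.1.x,
# bound to the tunnel interface so the mapping is only reachable through the VPN.
config firewall vip
    edit "HQ-virtual-vip"
        set extintf "VPN-to-Branch"
        set extip 10.10.10.1-10.10.10.254
        set mappedip "192.168.1.1-192.168.1.254"
    next
end

config firewall policy
    edit 10
        set name "HQ-to-Branch"
        set srcintf "port3"
        set dstintf "VPN-to-Branch"
        set srcaddr "all"
        set dstaddr "Branch-virtual"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "HQ-virtual-pool"
    next
    edit 11
        set name "Branch-to-HQ"
        set srcintf "VPN-to-Branch"
        set dstintf "port3"
        set srcaddr "Branch-virtual"
        set dstaddr "HQ-virtual-vip"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Route the Branch virtual subnet into the tunnel; a blackhole route for the same
# prefix with a higher distance keeps that traffic off the WAN if the tunnel drops.
config router static
    edit 10
        set dst 10.10.11.0 255.255.255.0
        set device "VPN-to-Branch"
    next
    edit 11
        set dst 10.10.11.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
```

The Branch FortiGate is configured as the mirror image (its pool and VIP use 10.10.11.x, its phase 2 selectors are swapped, and its static route points at 10.10.10.0/24). Two points worth checking: the inbound policy must use the VIP as its destination, otherwise nothing on HQ's real LAN is reachable from Branch; and because the one-to-one pool hands out translated addresses dynamically, Branch-side rules should be written against the whole 10.10.10.0/24 virtual subnet rather than assuming a fixed 10.10.10.x for a given HQ host.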

IPsec VPN between Static and Dynamic IP (FQDN) in FortiGate

Thanks to: https://community.fortinet.com/

Description

This article describes how to create a site-to-site VPN between a FortiGate and a remote site, where the remote site has a dynamic IP address and the FortiGate has a static IP address.

Solution

On the local FortiGate, the remote peer's dynamic IP address is referenced by its FQDN (in this case, the remote firewall's DDNS hostname) as the remote gateway. To configure the Local-FGT, refer to the CLI below (only the relevant parts are provided): phase 1 and phase 2 configuration.

1) Configuration of phase 1, using the type ddns:

    config vpn ipsec phase1-interface
        edit "frtest"
            set type ddns                                       <-----
            set interface "wan1"
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set wizard-type static-fortigate
            set remotegw-ddns "testbran.fortiddns.com"
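The page only shows the static side (Local-FGT). As an added example, not taken from the original post or the Fortinet community article, the configuration below is the matching remote (dynamic-IP) FortiGate: it registers its changing WAN address under the DDNS hostname the Local-FGT resolves, and points a static-type tunnel at the Local-FGT's fixed address. Assumed values: Local-FGT's public address 198.51.100.1, wan1 as the remote's WAN interface, FortiGuard DDNS as the provider, 10.2.0.0/24 behind the remote and 10.1.0.0/24 behind Local-FGT, and a placeholder PSK.

```fortios
# Remote FortiGate (dynamic WAN address): keep the DDNS record current.
# "testbran.fortiddns.com" is the hostname from the page; provider is assumed.
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "testbran.fortiddns.com"
        set monitor-interface "wan1"
    next
end

# Phase 1 toward the static peer: plain static type, since Local-FGT's
# address never changes. Only the static side needs "set type ddns".
config vpn ipsec phase1-interface
    edit "to-localfgt"
        set type static
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 198.51.100.1
        set psksecret "replace-with-a-long-random-psk"
    next
end

# Phase 2 selectors, the mirror image of what Local-FGT configures.
config vpn ipsec phase2-interface
    edit "to-localfgt"
        set phase1name "to-localfgt"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
end
```

One caveat a practitioner should keep in mind: the DDNS hostname only tells Local-FGT where to send IKE traffic; it is not authentication. With `set peertype any` the tunnel is accepted from whatever address the name resolves to, provided the peer proves knowledge of the PSK, so the PSK must be long and random, and the DNS/DDNS account that controls the hostname must be protected. Certificate-based authentication (or a peer ID check on the static side) removes the dependence on the PSK alone. After the tunnel comes up, `diagnose vpn tunnel list` on Local-FGT shows the address the hostname currently resolved to.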

Adding Source and Destination Subnets to IPsec VPN Phase 2 Configurations in FortiGate

Thanks to: https://docs.fortinet.com/

FortiGate-7000 IPsec VPNs require phase 2 selectors. The phase 2 selectors specify the IP addresses and netmasks of the source and destination subnets of the VPN. The phase 2 selectors are mandatory on the FortiGate-7000 and are used to make sure that all IPsec VPN traffic is sent to the primary (master) FPM.

Use the following command to add phase 2 selectors:

    config vpn ipsec phase2-interface
        edit "to_fgt2"
            set phase1name <name>
            set src-subnet <IP> <netmask>
            set dst-subnet <IP> <netmask>
        next
    end

Where:

src-subnet is the subnet protected by the FortiGate that you are configuring and from which users connect to the destination subnet.

dst-subnet is the destination subnet behind the remote IPsec VPN endpoint.

Example basic IPsec VPN phase 2 configuration

In a simple configuration such as the one below, with an IPsec VPN between two remote subnets, you can add the phase 2 selectors by adding the subnets to the phase 2 con
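The page's template covers one subnet pair. The added example below (not from the original post or the Fortinet documentation) shows the general case of several protected subnets on one tunnel, one phase2-interface entry per selector pair, and what the remote end must configure for the selectors to match. Assumed values: FortiGate A protects 10.1.0.0/24 and 10.1.1.0/24, FortiGate B protects 10.2.0.0/24, and the phase 1 tunnels are named "to_fgt2" on A and "to_fgt1" on B.

```fortios
# FortiGate A: one selector pair per local subnet, all bound to the same phase 1.
config vpn ipsec phase2-interface
    edit "to_fgt2"
        set phase1name "to_fgt2"
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
    edit "to_fgt2_lan2"
        set phase1name "to_fgt2"
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

# FortiGate B must mirror every pair exactly: its src-subnet is A's dst-subnet
# and its dst-subnet is A's src-subnet. A pair with no mirror never negotiates.
config vpn ipsec phase2-interface
    edit "to_fgt1"
        set phase1name "to_fgt1"
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
    edit "to_fgt1_lan2"
        set phase1name "to_fgt1"
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end
```

Explicit selectors are also the least-privilege choice: they limit what the remote peer can push into each protected subnet through the tunnel to exactly the listed prefixes, which a wildcard selector does not. To confirm the negotiated selectors on either side, run `diagnose vpn tunnel list name <phase1 name>` and compare the source and destination proxy IDs with the entries above.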

How to Configure FortiGate in Transparent Mode

Thanks to: https://docs.fortinet.com/

In this example, you will learn how to connect and configure a new FortiGate unit in Transparent mode to securely connect a private network to the Internet. Transparent mode is used when you want to apply security scanning to traffic without applying routing or network address translation (NAT), such as when a FortiGate is used as an Internal Segmentation Firewall (ISFW).

1. Changing the FortiGate's operation mode

From the PC on the internal network, connect to the FortiGate's web-based manager using either FortiExplorer or an Internet browser (for information about connecting to the web-based manager, see your model's QuickStart Guide). Log in using an admin account (the default admin account has the username admin and no password). Go to the Dashboard and enter the following command into the CLI console widget, substituting your own IP addresses where necessary:

    config system settings
        set opmode transparent
        set manageip 192.168.
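The excerpt stops mid-command. As an added example (not the original post's or the Fortinet documentation's own commands), the following completes the mode switch and adds the pieces a practitioner would want before the unit carries traffic: a management address and gateway, a password on the default admin account, management access restricted to the LAN side, and a policy that actually applies scanning. Assumed values: LAN 192.168.1.0/24 with the upstream router at 192.168.1.1, management IP 192.168.1.99, interfaces named internal and wan1, and the factory-default security profiles.

```fortios
# 1. Switch to transparent mode. The management IP must sit on the LAN subnet;
#    the change resets networking, so reconnect to 192.168.1.99 afterwards.
config system settings
    set opmode transparent
    set manageip 192.168.1.99/24
    set gateway 192.168.1.1
end

# 2. The default admin account has no password: set one before anything else.
config system admin
    edit "admin"
        set password "replace-with-a-strong-password"
    next
end

# 3. No management services on the Internet-facing port; HTTPS/SSH only from the LAN.
config system interface
    edit "wan1"
        set allowaccess ping
    next
    edit "internal"
        set allowaccess ping https ssh
    next
end

# 4. In transparent mode nothing passes without a policy, and the policy is where
#    the scanning happens: no NAT and no routing, just inspection of bridged traffic.
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

After the switch, the FortiGate no longer has per-interface IP addresses; all administration goes through the management IP, so make sure 192.168.1.99 is reserved on the LAN and that the gateway is reachable, otherwise FortiGuard updates for the antivirus and IPS profiles above will fail silently.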