4 Redundant IPSEC Tunnels to 2 remote 3rd party firewall locations
I need to create site-to-site tunnels to a cloud provider from a TZ670 (Firmware 7.0.1-5145); they are using Fortinet firewalls on their side. I have two WAN interfaces, and LAN and SSLVPN address ranges that need to connect over the tunnel. They have a primary site and a DR site. They have assigned different remote networks for my LAN and SSLVPN networks, and each needs to translate to a specific network on their side. I need to do the NAT on the TZ670. The topology diagram they provided me shows that they want me to create 4 redundant tunnels (1 for each of my WANs to each remote location) with both my local networks running over each tunnel. Behind each of their remote gateways are two IP ranges that they tell me I should use as the remote destinations.

First, I cannot find a way to translate two local networks to separate remote networks on the same Site to Site Policy. Second, when I try to create 2 tunnels to the same remote location specifying different local WAN interfaces and setting the NAT, I cannot create the second tunnel because of subnet overlaps. I did open a ticket with SW and was told I can't do it this way; I need to specify their gateways as Primary and Secondary, and have one tunnel for my LAN and one for my SSLVPN. I am just wondering if anyone knows of a way to create the 4 tunnels my provider is requesting. Thank you.
This is what their engineer sent me:
For each of your circuits, there should be a tunnel constructed to each of our operating instances in New York (COLO 5) and Virginia (COLO 4). Both LAN and SSL VPN subnets should be translated into a respective 200.X.X.X subnet before being routed together to our PVC subnets (189.x.x.x / 191.x.x.x) for each respective tunnel. By the end, you should have 4 redundant tunnels erected. Please disregard the Peer IKE IDs, because there was not a value designated for either local or remote IKE IDs.
Regarding VAI's PVC subnets (189.x.x.x / 191.x.x.x), relative to you, they would be your remote destination IPs. These subnets should be included in the tunnel configuration.
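To see why the second tunnel per site collides, here is an added model (not from the post, and not SonicOS logic) of both layouts: the provider's four-policy diagram and the two-policy primary/secondary layout support suggested. All subnets and gateway addresses are constructed placeholders standing in for the 200.X.X.X / 189.x.x.x / 191.x.x.x ranges; a policy pair "conflicts" when both its local and its remote selectors overlap.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed: TZ670 local networks and the 200.X.X.X ranges they translate to
LOCAL_NAT = {
    "LAN":    (ip_network("10.10.0.0/24"), ip_network("200.0.1.0/24")),
    "SSLVPN": (ip_network("10.20.0.0/24"), ip_network("200.0.2.0/24")),
}
# Constructed: provider gateway and PVC subnet per site (COLO 5 / COLO 4)
SITES = {
    "COLO5-NY": ("203.0.113.10", [ip_network("189.0.0.0/24")]),
    "COLO4-VA": ("203.0.113.20", [ip_network("191.0.0.0/24")]),
}
WANS = ["X1", "X2"]  # the two WAN interfaces on the TZ670


def build_diagram_policies():
    """One policy per (WAN, site), as the provider's diagram asks for;
    every policy carries both translated local networks."""
    translated = [nat for (_orig, nat) in LOCAL_NAT.values()]
    return [{"name": f"{wan}-{site}", "gateway": gw,
             "local": translated, "remote": remotes}
            for wan in WANS for site, (gw, remotes) in SITES.items()]


def build_suggested_policies():
    """Support's alternative: one policy per local network, with both
    provider gateways listed as primary and secondary."""
    gateways = [gw for gw, _ in SITES.values()]
    remotes = [r for _, rs in SITES.values() for r in rs]
    return [{"name": f"{net}-policy", "gateway": gateways,
             "local": [nat], "remote": remotes}
            for net, (_orig, nat) in LOCAL_NAT.items()]


def selectors_overlap(a, b):
    """Two policies clash when a local AND a remote selector overlap."""
    local = any(x.overlaps(y) for x in a["local"] for y in b["local"])
    remote = any(x.overlaps(y) for x in a["remote"] for y in b["remote"])
    return local and remote


def find_conflicts(policies):
    """Return the policy-name pairs whose selectors overlap."""
    return [(a["name"], b["name"]) for a, b in combinations(policies, 2)
            if selectors_overlap(a, b)]
```

Running `find_conflicts(build_diagram_policies())` flags the X1/X2 pair for each site (same translated locals, same PVC remote), while `find_conflicts(build_suggested_policies())` returns nothing, which is the layout support described.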