IPSec with duplicate subnets

Hi Matas:

Sorry for the delay.

See the drawing I have pasted below:

Site A is connecting to the Fortigate using IPSec policy and working fine. As you can see it is using a local network of 192.168.68.0/24. This is working and we want it to remain so.

We want to connect Site B to the Fortigate using IPsec policy. The problem is Site B is already connected to the Cisco ISR4431 using GRE over IPsec with a local network of 192.168.68.72/29. As you can see the current addressing is inside site A’s addressing, which will mess up things in the Fortigate.

We want to run NAT on Site B to change its addressing so that we can maintain its 192.168.68.72/29 network while connecting to the Fortigate. Say, we’d like to use 192.168.20.0/29 as the addressing the Fortigate sees and uses for site B, and we’d like to statically NAT that to the 192.168.68.72/29 that is already on site B. So, from the perspective of Site B we want the NAT to happen BEFORE IPsec so that the Fortigate sees only the 192.168.20.0/29 network.

Site B is ok with the internal addressing of the Fortigate which is 192.168.18.0/24 so site B’s IPSec policy is ok with setting 192.168.18.0/24 as the destination policy encryption.

I believe we can use iptables to do this somehow.

Cheers,

John
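One way to do the static 1:1 translation John describes, as an added example that is not part of the original thread. It assumes the Site B IPsec endpoint is a Linux gateway with netfilter and conntrack (the post only says "iptables"), and that Site B's own IPsec policy uses 192.168.20.0/29 as its local selector and 192.168.18.0/24 as the remote one. The NETMAP target keeps the host bits, so 192.168.68.73 maps to 192.168.20.1, .74 to .2, and so on. Both rules are limited to traffic for the Fortigate LAN so the existing GRE over IPsec tunnel to the Cisco ISR is not touched:

```shell
#!/bin/sh
# Added example (not from the original thread): 1:1 NETMAP on the Site B
# gateway so the IPsec policy towards the Fortigate only sees 192.168.20.0/29.
# Assumes a Linux gateway with netfilter, conntrack and the xt_policy match.

SITEB_REAL="192.168.68.72/29"   # addressing already in use at Site B
SITEB_NAT="192.168.20.0/29"     # what the Fortigate is told Site B is
FORTI_LAN="192.168.18.0/24"     # Fortigate-side network in the IPsec policy

# Emit the two NAT rules for a given real/translated pair and peer LAN.
# NETMAP rewrites only the host bits, giving a static 1:1 mapping.
netmap_rules() {
    real="$1"; nat="$2"; peer_lan="$3"
    # Outbound: translate in POSTROUTING. The kernel redoes the xfrm policy
    # lookup after SNAT there, so the SPD selector must be the translated net.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j NETMAP --to %s\n' \
        "$real" "$peer_lan" "$nat"
    # Inbound: decrypted packets re-enter PREROUTING, where the reverse map
    # restores the real Site B address. -m policy restricts this to traffic
    # that actually arrived inside an IPsec SA.
    printf 'iptables -t nat -A PREROUTING -m policy --dir in --pol ipsec -s %s -d %s -j NETMAP --to %s\n' \
        "$peer_lan" "$nat" "$real"
}

# Sanity check helper: number of NETMAP rules the generator produced.
count_netmap() {
    netmap_rules "$@" | grep -c -- '-j NETMAP'
}

if [ "${APPLY:-0}" = "1" ]; then
    # Install the rules (requires root).
    netmap_rules "$SITEB_REAL" "$SITEB_NAT" "$FORTI_LAN" | sh -e
else
    echo "# dry run; set APPLY=1 to install these rules:"
    netmap_rules "$SITEB_REAL" "$SITEB_NAT" "$FORTI_LAN"
fi
```

Run it once without `APPLY` to review the generated rules, then with `APPLY=1` as root on the Site B gateway. Check the result with `conntrack -L` or `iptables -t nat -L -v -n`: a ping from 192.168.68.73 to a 192.168.18.x host should show a conntrack entry whose reply direction uses 192.168.20.1, and the Fortigate's session table should only ever list 192.168.20.0/29 addresses for Site B.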