Fortigate: NAT + ipsec tunnel mode

I had an interesting case regarding a Fortinet firewall; the scenario goes like this:
We have a client with a Fortigate firewall who needs to establish a VPN tunnel to another network.
A simple task, but the second site has another client with the same subnet as ours, so we have to use NAT.
The problem was that the peer is not a Fortinet device, which means interface mode will not work smoothly, so the NAT configuration is different than usual.

The final config looks like this (policy-based tunnel, so phase 1 and phase 2 live under "config vpn ipsec phase1" / "phase2", not the "-interface" variants):

config vpn ipsec phase1
    edit "peer-ph1"
        set interface "WAN"
        set nattraversal enable
        set dhgrp 2
        set proposal aes256-sha1
        set keylife 86400
        set remote-gw Peer
        set psksecret ENC *********
    next
end
config vpn ipsec phase2
    edit "peer-ph2"
        set keepalive enable
        set phase1name "peer-ph1"
        set proposal aes256-sha1
        set replay enable
        set use-natip disable
        # the other side's subnet
        set dst-subnet 192.168.1.0 255.255.255.0
        set keylifeseconds 3600
    next
end
config firewall policy
    # edit 0 creates a new policy with the next free ID
    edit 0
        set srcintf "LAN"
        set dstintf "WAN"
        # our LAN, also 192.168.1.0/24
        set srcaddr "LAN-Pool"
        set dstaddr "Peer-LAN"
        set action ipsec
        set schedule "always"
        set service "ANY"
        # our LAN is presented to the peer as this range
        set natip 10.1.81.0 255.255.255.0
        set inbound enable
        set outbound enable
        set natinbound enable
        set natoutbound enable
        set vpntunnel "peer-ph1"
    next
end
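As an added illustration (not part of the original post and not a Fortinet tool), a small Python helper that checks whether the subnet overlap forces NAT, validates the natip range against both LANs, and shows which address the peer will see for a given local host. It assumes, for the translation, a 1:1 mapping that keeps the host bits of the local address (a /32 natip therefore maps every host onto one address, as in the 172.30.120.10 case from the comments).

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed inputs taken from the post: both LANs are 192.168.1.0/24 and the
# policy's natip presents our side to the peer as 10.1.81.0/24.
LOCAL_LAN = "192.168.1.0/24"
PEER_LAN = "192.168.1.0/24"
NATIP = "10.1.81.0/24"


def nat_required(local: str, peer: str) -> bool:
    """True when the two LANs overlap, so plain routing cannot tell them apart."""
    return IPv4Network(local).overlaps(IPv4Network(peer))


def natip_problems(local: str, peer: str, natip: str) -> list:
    """Sanity-check a candidate natip range; an empty list means it is usable."""
    loc, rem, nat = IPv4Network(local), IPv4Network(peer), IPv4Network(natip)
    problems = []
    if nat.overlaps(rem):
        problems.append("natip overlaps the peer LAN: translated traffic is ambiguous")
    if nat.overlaps(loc):
        problems.append("natip overlaps our own LAN: the conflict is not hidden")
    if nat.prefixlen != 32 and nat.prefixlen != loc.prefixlen:
        problems.append("a 1:1 natip range must be the same size as our LAN")
    return problems


def translate(src: str, local: str, natip: str) -> str:
    """Address the peer sees for a local host (assumption: 1:1 mapping that
    keeps the host bits; a /32 natip has no host bits, so every host maps to
    that single address)."""
    host, loc, nat = IPv4Address(src), IPv4Network(local), IPv4Network(natip)
    if host not in loc:
        raise ValueError(f"{src} is not inside {local}")
    host_bits = int(host) & int(nat.hostmask)
    return str(IPv4Address(int(nat.network_address) | host_bits))


if __name__ == "__main__":
    print("NAT required:", nat_required(LOCAL_LAN, PEER_LAN))
    print("natip problems:", natip_problems(LOCAL_LAN, PEER_LAN, NATIP) or "none")
    # The peer must accept 10.1.81.0/24, not 192.168.1.0/24, as the remote selector.
    print("192.168.1.37 is seen by the peer as", translate("192.168.1.37", LOCAL_LAN, NATIP))
```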

Hope this post was helpful. If it was, please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

14 comments:

  1. I am working with a Fortigate in a similar set of circumstances. The VPN is connecting to a network that requires a specific NAT address.

    I've tried setting this up, but I'm not getting a connection. Any troubleshooting tips?

    Replies
    1. Sure thing.
      Let's start with the basics: does Phase 1 come up?
      Do you get any log messages? Did it used to work, or is it a new tunnel?

      Give me some info and I'll be happy to help.

  2. We have created an IPsec VPN to our client location. Through the VPN, the end users should be able to access an application which is running at the client location. We should NAT our internal DHCP pool IPs to a particular IP address (172.30.120.10) which is on the client side.

    IP Pool is 192.168.2.10 - 192.168.2.199

    Can you let me know how to configure it? Thanks.

    Replies
    1. Did you try the configuration from this post?
      It should work; that was my goal when I did this.

  3. Hi,
    I'm using a Fortigate 200B. When I create phase 1 & 2 it automatically goes to interface mode. How do I change it?

    Replies
    1. Sorry for the delay with my reply.

      Just use "config vpn ipsec phase1" and
      "config vpn ipsec phase2".

      Interface mode is done by:
      "config vpn ipsec phase1-interface"

  4. On phase2 you have
    set dst-subnet 192.168.1.0 255.255.255.0
    but don't have src-subnet. Is it correct?

    Replies
    1. Yeah, it will be better; it will limit the addresses allowed into the tunnel, just don't forget to use a group containing all the needed IPs.

      But this was taken after finishing tests on a production device, so it will also work this way.

      Anyway, yours is the better one.

  5. I am getting an error in the debugs that says "IKEv1 mismatch", but I have checked, and it's OK. I am using v4.0.

    Replies
    1. Can you please post or send me the debug output?

  6. Hi there, thanks for the configs, came up 1st in Google search :)
    Yuri

    Replies
    1. Hi Yuri,
      Hope it was helpful, and thank you for the reply :)
