dbhavsar
Staff
December 20, 2024

Technical Tip: Applying SNAT and DNAT over the IPsec tunnel

Description

This article describes how to apply SNAT to outgoing traffic and DNAT to the return traffic through an IPsec tunnel.

Scope

FortiGate.

Solution

The configuration below assumes a site-to-site IPsec tunnel has already been configured between the two FortiGates.


[Figure: network-diagram.jpg (network diagram of the two sites and the IPsec tunnel)]

On FortiGate-A:
Here the local subnet is 192.168.30.0/24 and is NATed to 172.16.20.0/24. The Phase 2 selector therefore uses the NATed range, not the real subnet: the local address is 172.16.20.0/24 and the remote address is 10.1.1.0/24.

LDAPS # get vpn ipsec tunnel name DNSCLIENT

gateway
name: 'DNSCLIENT'
local-gateway: 10.9.11.214:0 (static)
remote-gateway: 10.9.15.169:0 (static)
status: up
mode: ike-v1
interface: 'port2' (4) vrf:0
rx packets: 56 bytes: 4608 errors: 0
tx packets: 56 bytes: 4608 errors: 0
dpd: on-demand/negotiated status:ok idle: 20000ms retry: 3 count: 0
selectors
name: 'DNSCLIENT'
auto-negotiate: disable
mode: tunnel
src: 0:172.16.20.0/255.255.255.0:0
dst: 0:10.1.1.0/255.255.255.0:0

The following is the IP pool used for SNAT; its range matches the Phase 2 local selector 172.16.20.0/24:


LDAPS (IPSec-SNAT) # show
config firewall ippool
    edit "IPSec-SNAT"
        set startip 172.16.20.1
        set endip 172.16.20.254
    next
end

The following is the virtual IP (VIP) that maps the NATed range 172.16.20.1-172.16.20.254 back to the real local subnet 192.168.30.1-192.168.30.254 for traffic arriving from the tunnel:


LDAPS (IPSec-VIP) # show
config firewall vip
    edit "IPSec-VIP"
        set uuid 100f59c6-be16-51ef-27e3-df074cebf6ad
        set extip 172.16.20.1-172.16.20.254
        set mappedip "192.168.30.1-192.168.30.254"
        set extintf "any"
    next
end

The following are the outgoing policy (NAT enabled with the IP pool selected) and the incoming policy (VIP used as the destination address):


LDAPS # config firewall policy
LDAPS (policy) # edit 22
LDAPS (22) # show
    config firewall policy
        edit 22
            set name "vpn_DNSCLIENT_local_0"
            set uuid 4ff37a56-b1a8-51ef-df5e-0c10099a914b
            set srcintf "port4"
            set dstintf "DNSCLIENT"
            set action accept
            set srcaddr "DNSCLIENT_local_subnet_1"
            set dstaddr "DNSCLIENT_remote"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
            set port-preserve disable
            set ippool enable
            set poolname "IPSec-SNAT"
            set comments "VPN: DNSCLIENT (Created by VPN wizard)"
        next
    end
LDAPS (22) # next
LDAPS (policy) # edit 23
LDAPS (23) # show
    config firewall policy
        edit 23
            set name "vpn_DNSCLIENT_remote_0"
            set uuid 4ffa09ac-b1a8-51ef-7569-b06e517ca043
            set srcintf "DNSCLIENT"
            set dstintf "port4"
            set action accept
            set srcaddr "DNSCLIENT_remote"
            set dstaddr "IPSec-VIP"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set comments "VPN: DNSCLIENT (Created by VPN wizard)"
        next
    end

The following session list entry (filtered on destination 10.1.1.3) shows SNAT applied to the outgoing packet (hook=post, act=snat) and DNAT applied to the reply (hook=pre, act=dnat):


LDAPS # diagnose sys session filter dst 10.1.1.3
LDAPS # diagnose sys session list
session info: proto=1 proto_state=00 duration=1 expire=59 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ tun_id=10.9.15.169/0.0.0.0 vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
tx speed(Bps/kbps): 62/0 rx speed(Bps/kbps): 62/0
orgin->sink: org pre->post, reply pre->post dev=6->54/54->6 gwy=10.9.15.169/0.0.0.0
hook=post dir=org act=snat 192.168.30.2:1->10.1.1.3:8(172.16.20.239:24731)
hook=pre dir=reply act=dnat 10.1.1.3:24731->172.16.20.239:0(192.168.30.2:1)
src_mac=00:4f:72:6e:33:02
misc=0 policy_id=22 pol_uuid_idx=15828 auth_info=0 chk_client_info=0 vd=0
serial=6e55fc7d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off
total session: 1
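To confirm the same thing mechanically rather than by eye, the script below (an added example, not Fortinet's code and not part of the original article) parses the IP pool and VIP configuration and the snat/dnat hook lines from the session list, then checks that the outgoing packet was translated into the pool range, that the VIP range matches the pool, and that the reply is translated back to the original host. The sample strings are copied from the output shown above; the hook-line regular expression assumes that exact layout of the diagnose output.

```python
"""Consistency check for SNAT/DNAT over an IPsec tunnel from FortiOS CLI text.
Added example (not Fortinet code). The regexes assume the layout of the
'show' and 'diagnose sys session list' output reproduced in the article."""
import ipaddress
import re

# Constructed sample input, copied from the article's CLI output.
IPPOOL_CFG = """
config firewall ippool
    edit "IPSec-SNAT"
        set startip 172.16.20.1
        set endip 172.16.20.254
    next
end
"""

VIP_CFG = """
config firewall vip
    edit "IPSec-VIP"
        set extip 172.16.20.1-172.16.20.254
        set mappedip "192.168.30.1-192.168.30.254"
        set extintf "any"
    next
end
"""

# For proto=1 (ICMP) the "port" positions carry ICMP identifiers, not TCP/UDP ports.
SESSION = """
hook=post dir=org act=snat 192.168.30.2:1->10.1.1.3:8(172.16.20.239:24731)
hook=pre dir=reply act=dnat 10.1.1.3:24731->172.16.20.239:0(192.168.30.2:1)
"""

# hook=<h> dir=<d> act=<snat|dnat> src:port->dst:port(translated:port)
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<xip>[\d.]+):(?P<xport>\d+)\)"
)


def ip_range(start, end):
    """Inclusive (first, last) address tuple."""
    return ipaddress.ip_address(start), ipaddress.ip_address(end)


def parse_ippool(cfg):
    start = re.search(r"set startip ([\d.]+)", cfg).group(1)
    end = re.search(r"set endip ([\d.]+)", cfg).group(1)
    return ip_range(start, end)


def parse_vip(cfg):
    ext = re.search(r"set extip ([\d.]+)-([\d.]+)", cfg)
    mapped = re.search(r'set mappedip "([\d.]+)-([\d.]+)"', cfg)
    return ip_range(*ext.groups()), ip_range(*mapped.groups())


def in_range(addr, rng):
    return rng[0] <= ipaddress.ip_address(addr) <= rng[1]


def verify_session(session_text, pool, vip_ext, vip_mapped, local_net, remote_net):
    """Return a list of findings; an empty list means the session matches the design."""
    hooks = {m["act"]: m.groupdict() for m in HOOK_RE.finditer(session_text)}
    snat, dnat = hooks.get("snat"), hooks.get("dnat")
    if snat is None or dnat is None:
        return ["expected both an snat and a dnat hook line"]
    findings = []
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    if ipaddress.ip_address(snat["src"]) not in local:
        findings.append(f"original source {snat['src']} is not in {local_net}")
    if ipaddress.ip_address(snat["dst"]) not in remote:
        findings.append(f"destination {snat['dst']} is not in {remote_net}")
    if not in_range(snat["xip"], pool):
        findings.append(f"SNAT address {snat['xip']} is outside the IP pool")
    if pool != vip_ext:
        findings.append("VIP extip range differs from the IP pool range")
    # The reply must be addressed to the SNAT address and be mapped back to the real host.
    if dnat["dst"] != snat["xip"]:
        findings.append(f"reply destination {dnat['dst']} is not the SNAT address")
    if dnat["xip"] != snat["src"]:
        findings.append(f"reply translated to {dnat['xip']}, not the original host")
    if not in_range(dnat["xip"], vip_mapped):
        findings.append(f"DNAT target {dnat['xip']} is outside the VIP mapped range")
    return findings


def check_article_sample():
    """Run the check against the article's own pool, VIP and session output."""
    pool = parse_ippool(IPPOOL_CFG)
    vip_ext, vip_mapped = parse_vip(VIP_CFG)
    return verify_session(SESSION, pool, vip_ext, vip_mapped, "192.168.30.0/24", "10.1.1.0/24")


if __name__ == "__main__":
    print(check_article_sample() or "session consistent with SNAT/DNAT design")
```

On the article's output the check returns no findings. Swapping the SNAT address in the session text for one outside 172.16.20.0/24 produces a single finding, which is the symptom to look for when the Phase 2 selector and the IP pool have drifted apart.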


Related document:
site-to-site-vpn-with-overlapping-subnets - FortiGate administration guide