Technical Tip: IPsec VPN with outbound NAT for overlapped subnets
Description: This article describes how to configure a FortiGate gateway-to-gateway IPsec tunnel and apply outbound NAT to the VPN traffic so that hosts can communicate even though the subnets on both sides of the tunnel overlap.
After the tunnel is established, hosts on each side reach hosts on the other side through mapped IP addresses. For example, PC1 communicates with PC2 using IP address 30.30.30.200, and Firewall 2 maps connections for 30.30.30.200 to 192.168.1.200.
Scope: FortiGate, FortiOS 7.2 and above.
Solution:
VPN policy 1 (Firewall1): local 192.168.1.0/24, remote 30.30.30.0/24; the local subnet is NATed outbound as 20.20.20.0/24.
VPN policy 2 (Firewall2): local 192.168.1.0/24, remote 20.20.20.0/24; the local subnet is NATed outbound as 30.30.30.0/24.
Prerequisites: The configuration is based on the following assumptions:
Configurations:

Firewall1 (FortiGate-300) configuration:

config system interface
    edit "internal"
        set ip 192.168.1.1 255.255.255.0
    next
    edit "external"
        set ip 64.114.95.229 255.255.255.128
    next
end

config vpn ipsec phase1
    edit "FG400"
        set dpd enable
        set nattraversal enable
        set proposal 3des-sha1 3des-md5
        set keepalive 5
        set psksecret 123456
        set remotegw 64.114.95.228
    next
end

config vpn ipsec phase2
    edit "mytunnel"
        set phase1name FG400
        set proposal 3des-sha1 3des-md5
        set replay enable
        set use-natip disable
    next
end

config firewall address
    edit "vpn-remote"
        set subnet 30.30.30.0 255.255.255.0
    next
    edit "vpn-local"
        set subnet 192.168.1.0 255.255.255.0
    next
end

config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "vpn-local"
        set dstaddr "vpn-remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set natip 20.20.20.0 255.255.255.0    <----- Local hosts 192.168.1.x appear to the peer as 20.20.20.x.
        set inbound enable
        set outbound enable
        set natoutbound enable                <----- Apply the natip translation to traffic entering the tunnel.
        set vpntunnel "mytunnel"
    next
end
Firewall2 (FortiGate-400) configuration:

config system interface
    edit "port1"
        set ip 192.168.1.1 255.255.255.0
    next
    edit "port2"
        set ip 64.114.95.228 255.255.255.128
    next
end

config vpn ipsec phase1
    edit "FG300"
        set dpd enable
        set nattraversal enable
        set proposal 3des-sha1 3des-md5
        set keepalive 5
        set psksecret 123456
        set remotegw 64.114.95.229
    next
end

config vpn ipsec phase2
    edit "mytunnel"
        set phase1name FG300
        set proposal 3des-sha1 3des-md5
        set replay enable
        set use-natip disable
    next
end

config firewall address
    edit "vpn-remote"
        set subnet 20.20.20.0 255.255.255.0
    next
    edit "vpn-local"
        set subnet 192.168.1.0 255.255.255.0
    next
end

config firewall policy
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "vpn-local"
        set dstaddr "vpn-remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set natip 30.30.30.0 255.255.255.0    <----- Local hosts 192.168.1.x appear to the peer as 30.30.30.x.
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel "mytunnel"
    next
end
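As an added example (not part of the original article and not FortiOS code), the following Python model reproduces the two-stage address translation that the two policies above perform, using the subnets and hosts from the configuration, and rejects a natip subnet that overlaps a real subnet or differs in size, since either breaks the 1:1 mapping. The gateway names and function names are assumptions for illustration.

```python
import ipaddress

# Constructed model of the two gateways' VPN policies (illustration, not FortiOS code):
# "local" = vpn-local, "remote" = vpn-remote, "natip" = the natip subnet of each policy.
GATEWAYS = {
    "Firewall1": {"local": "192.168.1.0/24", "natip": "20.20.20.0/24", "remote": "30.30.30.0/24"},
    "Firewall2": {"local": "192.168.1.0/24", "natip": "30.30.30.0/24", "remote": "20.20.20.0/24"},
}

def check_policy(p):
    """A natip subnet must match the local subnet size and must not overlap either real subnet."""
    local, natip, remote = (ipaddress.ip_network(p[k]) for k in ("local", "natip", "remote"))
    if natip.prefixlen != local.prefixlen:
        raise ValueError(f"natip {natip} is not the same size as local {local}")
    if natip.overlaps(local) or natip.overlaps(remote):
        raise ValueError(f"natip {natip} overlaps a real subnet")
    return True

def remap(host, src_net, dst_net):
    """1:1 subnet NAT: keep the host bits of `host`, swap the network bits."""
    src_net, dst_net = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    offset = int(ipaddress.ip_address(host)) - int(src_net.network_address)
    return str(dst_net.network_address + offset)

def into_tunnel(name, src, dst):
    """hook=post act=snat: the local source leaves as its natip address (natoutbound)."""
    p = GATEWAYS[name]
    return remap(src, p["local"], p["natip"]), dst

def out_of_tunnel(name, src, dst):
    """hook=pre act=dnat: a destination in our natip subnet is mapped back to the real local host."""
    p = GATEWAYS[name]
    return src, remap(dst, p["natip"], p["local"])

def trace(src, dst, sender="Firewall1", receiver="Firewall2"):
    """Return the (src, dst) pair seen at each hop for a request and its reply."""
    hops = {"request_sent": (src, dst)}
    hops["request_on_wire"] = into_tunnel(sender, *hops["request_sent"])
    hops["request_delivered"] = out_of_tunnel(receiver, *hops["request_on_wire"])
    # The responder answers the mapped address it saw, so the reply is the mirror image.
    hops["reply_sent"] = (hops["request_delivered"][1], hops["request_delivered"][0])
    hops["reply_on_wire"] = into_tunnel(receiver, *hops["reply_sent"])
    hops["reply_delivered"] = out_of_tunnel(sender, *hops["reply_on_wire"])
    return hops

if __name__ == "__main__":
    for p in GATEWAYS.values():
        check_policy(p)
    for hop, (s, d) in trace("192.168.1.100", "30.30.30.200").items():
        print(f"{hop:18} {s} -> {d}")
```

The hops printed for PC1 (192.168.1.100) reaching PC2 via 30.30.30.200 are the same tuples that appear in the session list output in the verification section.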
Related document: Site-to-site VPN with overlapping subnets
Verifying the results: Verifying on PC1.
PC1 can ping/telnet to PC2:
PC2 can ping/telnet to PC1:
Verifying the Firewall1 (FortiGate-300) status. Note that the tunnel list output includes the current SA key material (the 3DES= and SHA1_HMAC= fields), so treat captured output as sensitive.

FG300U # diagnose vpn tunnel list
tunnel[5]:mytunnel, gateway:64.114.95.228:500, hub=, option=38
eroute[2]:{[192.168.1.*]}->{[30.30.30.*]}
channel[2]:64.114.95.229,natt=0,state=2,keepalive=0,oif=3
sa[4]:mtu=1434, cur_bytes=268492, timeout=238
itdb[1]:mtu=1434, cur_bytes=99904, cur_packets=1561, spi=909ea428, replay=64
3DES=f91008661b624754af54d579262b15fcd36474f010e2e0f1 iv=0000000000000000
SHA1_HMAC=0d5aedeae263178811ffb69e7dc48adf1d513a8c
otdb[1]:mtu=1434, cur_bytes=99904, cur_packets=1561, spi=f364b87f, replay=64
3DES=d3168c419fe0c32255bd9accd1a1734053b5186f5d18ae32 iv=12a43de1f9aeb3c1
SHA1_HMAC=c1dee7b41d287cb89a6e1ab3e0cb68b48dcdaf9d

FG300U # diagnose sys session list
session info: proto=1 proto_state=00 expire=30 timeout=3600 use=3
bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 logtype=session
ha_id=0 hakey=8236
tunnel=mytunnel/
state=oe may_dirty
statistic(bytes/packets): org=202380/3373 reply=202320/3372
tuples=2
orgin->sink: org pre->post, reply pre->post oif=3/2
gwy=64.114.95.254/192.168.1.100
hook=post dir=org act=snat 192.168.1.100:768->30.30.30.200:8(20.20.20.100:768)
hook=pre dir=reply act=dnat 30.30.30.200:768->20.20.20.100:0(192.168.1.100:768)
misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=000001b9 tos=ff/ff

The session entry shows both translations: in the original direction the source 192.168.1.100 (PC1) is SNATed to 20.20.20.100 after routing (hook=post, act=snat), and in the reply direction the destination 20.20.20.100 is DNATed back to 192.168.1.100 before routing (hook=pre, act=dnat).
Verifying the Firewall2 (FortiGate-400) status:

FG400B # diagnose vpn tunnel list
tunnel[5]:mytunnel, gateway:64.114.95.229:500, hub=, option=38
eroute[2]:{[192.168.1.*]}->{[20.20.20.*]}
channel[2]:64.114.95.228,natt=0,state=2,keepalive=0,oif=3
sa[4]:mtu=1434, cur_bytes=296872, timeout=74
itdb[1]:mtu=1434, cur_bytes=110464, cur_packets=1726, spi=f364b87f, replay=64
3DES=d3168c419fe0c32255bd9accd1a1734053b5186f5d18ae32 iv=0000000000000000
SHA1_HMAC=c1dee7b41d287cb89a6e1ab3e0cb68b48dcdaf9d
otdb[1]:mtu=1434, cur_bytes=110464, cur_packets=1726, spi=909ea428, replay=64
3DES=f91008661b624754af54d579262b15fcd36474f010e2e0f1 iv=94bcd063f7c52a1e
SHA1_HMAC=0d5aedeae263178811ffb69e7dc48adf1d513a8c

FG400B # diagnose sys session list
session info: proto=1 proto_state=00 expire=29 timeout=3600 use=3
bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 logtype=session
ha_id=0 hakey=5676
tunnel=/mytunnel
state=re may_dirty
statistic(bytes/packets): org=210960/3516 reply=210960/3516
tuples=2
orgin->sink: org pre->post, reply pre->post oif=2/3
gwy=192.168.1.200/64.114.95.254
hook=pre dir=org act=dnat 20.20.20.100:768->30.30.30.200:8(192.168.1.200:8)
hook=post dir=reply act=snat 192.168.1.200:8->20.20.20.100:0(30.30.30.200:768)
misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=000000d7 tos=ff/ff

On Firewall2 the same session is seen from the other side: the inbound request from 20.20.20.100 is DNATed from 30.30.30.200 to PC2's real address 192.168.1.200 (hook=pre, act=dnat), and the reply from 192.168.1.200 is SNATed back to 30.30.30.200 (hook=post, act=snat). The inbound SPI of each gateway matches the outbound SPI of its peer (909ea428 and f364b87f), which confirms both ends are using the same pair of SAs.
Troubleshooting:

diagnose debug enable                     <----- Enable output on the remote console.
diagnose debug application ike -1         <----- Display IPsec IKE process debugs and negotiations.
diagnose sniffer packet any "" 4 0 l      <----- Display packets coming in and out on all interfaces.
diagnose debug disable                    <----- Disable debugging output on the remote console.

