daj1985
New Member
August 29, 2018
Solved

IP SEC configuration behind a NAT device

  • August 29, 2018
  • 2 replies
  • 3769 views

Hi,

Our scenario is:

We already have an IPsec connection between two offices, HQ and Site Office. The Site Office is behind a NAT device.

  HQ Fortigate ---------IPsec-----NAT device-----Site Office Fortigate1

We need one more IPsec connection between the same offices.

  i.e. HQ Fortigate---IPsec----NAT device---Site Office Fortigate2

i.e. we use the same NAT device for both Fortigate1 and Fortigate2.

So is it possible to use the same LAN IP which is used in Site Office Fortigate1 for Site Office Fortigate2 also?

i.e. the same LAN IPs in both. Is it possible?

Thanks

    Best answer by emnoc


    2 replies

    ede_pfau
    SuperUser
    August 29, 2018

    Your problem is not the LAN address but the WAN address. It's the same for both tunnels, and there cannot be two IPsec tunnels between the same public addresses. So, IMHO, this will not work.

    Prab
    New Member
    September 5, 2018

    daj1985 wrote:

    Hi,

    Our scenario is:

    We already have an IPsec connection between two offices, HQ and Site Office. The Site Office is behind a NAT device.

      HQ Fortigate ---------IPsec-----NAT device-----Site Office Fortigate1

    We need one more IPsec connection between the same offices.

      i.e. HQ Fortigate---IPsec----NAT device---Site Office Fortigate2

    i.e. we use the same NAT device for both Fortigate1 and Fortigate2.

    So is it possible to use the same LAN IP which is used in Site Office Fortigate1 for Site Office Fortigate2 also?

    i.e. the same LAN IPs in both. Is it possible?

    Thanks

    Hi Daj,

    Please don't feel offended, but unfortunately I could not understand why you are trying to have a second IPsec tunnel to the same remote subnet.

    Thanks,

    Prab

    emnoc
    New Member
    September 5, 2018

    I think you need to look at peer-id per tunnel. Same here, I don't quite understand the question, but you can have 2 sites all behind a NAT device; just keep in mind this endpoint will need NAT-T, and by using peerid you can define each tunnel to be unique to that peerid.

    Ken
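To make Ken's suggestion concrete, here is an added FortiOS CLI example (written for this page; it is not from the thread, and not Fortinet's own documentation) showing how HQ can terminate two tunnels that both arrive from the same NATed public address. HQ cannot tell the two Site Office units apart by source address, so each HQ phase1 is a dialup (`type dynamic`) entry that accepts only one IKE peer ID; the remote units announce that ID with `localid`. Interface names, the peer IDs `site-fgt1`/`site-fgt2`, the HQ address 203.0.113.10 and the PSK placeholders are all assumptions for the example.

```fortios
# ---- HQ FortiGate ----
# Two dialup phase1 entries. Neither sets remote-gw, because both site
# units appear from the same NAT public IP. Selection is done purely on
# the IKE identity presented by the peer (peertype one + peerid).
# IKEv2 is used so the ID travels in IKE_AUTH; with IKEv1 and a PSK,
# FortiOS would require aggressive mode for peerid-based selection.
config vpn ipsec phase1-interface
    edit "to-site-fgt1"
        set type dynamic                # assumed: accept a dialup peer
        set interface "wan1"            # assumed HQ WAN interface name
        set ike-version 2
        set peertype one
        set peerid "site-fgt1"          # assumed ID; only this ID may use this tunnel
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable         # NAT-T: ESP in UDP/4500 through the NAT device
        set dpd on-idle
        set psksecret <PSK-FOR-FGT1-PLACEHOLDER>
    next
    edit "to-site-fgt2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set peerid "site-fgt2"          # assumed ID for the second unit
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set dpd on-idle
        set psksecret <PSK-FOR-FGT2-PLACEHOLDER>
    next
end

# ---- Site Office Fortigate1 ----
# Fortigate2 is identical apart from the entry name, localid "site-fgt2"
# and its own PSK. 203.0.113.10 is a constructed (documentation-range)
# address standing in for HQ's public IP.
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"            # assumed site WAN interface name
        set ike-version 2
        set remote-gw 203.0.113.10
        set localid "site-fgt1"         # must match the peerid on HQ
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set keepalive 10                # keep the NAT mapping alive on UDP/4500
        set psksecret <PSK-FOR-FGT1-PLACEHOLDER>
    next
end
```

Each side still needs its `phase2-interface` selectors, firewall policies and routes, which are omitted here. To confirm the two tunnels are being separated correctly, `diagnose vpn ike gateway list` on HQ shows one gateway per peer ID, each with the NAT-T port the NAT device assigned, and `get vpn ipsec tunnel summary` shows both as distinct tunnels. One caveat the thread leaves open: if both site units really do front the same LAN subnet, HQ ends up with two routes to the same destination, so the peer-ID split solves the WAN-address collision but not the overlapping-LAN question.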