daveteoh88
New Member
July 17, 2020
Question

IPSEC Site2Site between Transparent mode and NAT Mode


Dear All, I need some help here. I'm trying to create an IPsec VPN between the data centre and branch office network (transparent vs NAT mode). Once I created the VPN tunnel, the connection is showing UP, but somehow I'm no longer able to access the data centre FortiGate GUI. I'm not able to do remote desktop to some servers in the data centre as well. (I'm able to access them after I bring down the VPN.) Did I miss out some settings, or did I make any wrong settings?

Network info:

Data Centre (Transparent mode) - FortiGate 100D v5.6.6
    subnet: 203.210.127.128/25
    Management IP: 203.210.127.241

Branch Office (NAT mode) - FortiGate 100D v5.6.6
    WAN: 42.61.20.102
    Local subnet: 192.168.0.0/24

Configuration:

Data centre
- create an IPsec VPN tunnel
    remote gateway: 42.61.20.102
    authentication: Preshared key
    phase 2 - local addr: 203.210.127.128/25
    phase 2 - remote addr: 192.168.0.0/24
- create security policy
    Int - WAN
        incoming int: Internal
        outgoing int: wan1
        source: 203.210.127.128/25
        Destination: 192.168.0.0/24
        Action: IPSEC (selected the VPN tunnel created)
    WAN - Int
        incoming int: wan1
        outgoing int: Internal
        source: 192.168.0.0/24
        Destination: 203.210.127.128/25
        Action: IPSEC (selected the VPN tunnel created)

Branch Office
- create a custom IPsec VPN tunnel
    remote gateway: 203.210.127.241
    authentication: Preshared key
    phase 2 - local addr: 192.168.0.0/24
    phase 2 - remote addr: 203.210.127.128/25
- create security policy
    Int - WAN
        incoming int: Internal
        outgoing int: WAN
        source: 192.168.0.0/24
        Destination: 203.210.127.128/25
        Action: Accept
        NAT: disabled
    WAN - Int
        incoming int: WAN
        outgoing int: Internal
        source: 203.210.127.128/25
        Destination: 192.168.0.0/24
        Action: Accept
        NAT: disabled
- create a static route
    Interface: (VPN tunnel)
    destination: 203.210.127.128/25

 

Any comment or help is much appreciated.

 

Dave

    2 replies

    daveteoh88
    New Member
    July 20, 2020

    Nobody can help?

    sw2090
    SuperUser
    July 21, 2020

    Looks to me as if you have set up an S2S IPsec tunnel between two FGTs without split tunneling and with phase 2 selectors configured.

    P2 selectors look good so far. The route will lead traffic to the IP of the datacentre over the IPsec tunnel.

    Are you sure your client is in the correct subnet?

    If you set P2 selectors like you did, this limits the tunnel to allow only traffic from branch to HQ that comes from 192.168.0.0/24 and goes to the datacentre, and traffic that goes from the datacentre to 192.168.0.0/24.

    If a client is in a different subnet on the branch side, that will be blocked on the tunnel due to the P2 selector.

     

    That's why I usually don't set P2 selectors but limit the traffic by policies and routing.

     

     

    sw2090
    SuperUser
    July 21, 2020

    Hm, another clue could be your subnetting.

     

    You use /25 for the datacentre IP in your static route on the branch (and in the P2 selector).

    That would mean this is a subnet of 126 hosts and the given IP is the network address and not a host!

    So that could be another reason why it doesn't work.
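The reply above reasons about the /25 prefix (126 hosts, 203.210.127.128 being the network address), and the original post lists the phase 2 selectors on both sides plus the branch static route into the tunnel. The Python script below is an added example by the editor, not code from anyone in this thread, and uses only the standard-library ipaddress module to compute those facts from the addresses in the post: the network address and usable host range of the /25, whether the management IP 203.210.127.241 is a usable host inside it, whether the two sides' phase 2 selectors are mirror images of each other, and whether the address the branch uses as its remote gateway falls inside the prefix its static route sends into the tunnel. The function names and the report layout are my own. The last check only reports an overlap; whether that overlap matters depends on how the platform routes its own IKE/ESP traffic to the peer, which this thread does not settle, so treat it as something to verify rather than a diagnosis.

```python
"""Addressing sanity checks for the site-to-site IPsec setup described above.

Added example, not part of the original thread. All addresses below are the
ones quoted in the first post; the checks and names are the editor's.
"""
import ipaddress

# Values taken from the original post.
DC_SUBNET = "203.210.127.128/25"
DC_MGMT_IP = "203.210.127.241"      # transparent-mode FortiGate management IP, used as remote gateway by the branch
BRANCH_WAN_IP = "42.61.20.102"      # NAT-mode FortiGate WAN IP, used as remote gateway by the data centre
BRANCH_LAN = "192.168.0.0/24"

# Phase 2 selectors as configured on each side: (local, remote).
DC_P2 = (DC_SUBNET, BRANCH_LAN)
BRANCH_P2 = (BRANCH_LAN, DC_SUBNET)

# Branch-side static route: destination prefix pointed at the tunnel interface.
BRANCH_TUNNEL_ROUTE = DC_SUBNET


def subnet_facts(cidr):
    """Return (network address, first host, last host, usable host count) for a prefix.

    strict=True raises if host bits are set, i.e. if the string is not a
    network address at all.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    return str(net.network_address), str(hosts[0]), str(hosts[-1]), len(hosts)


def is_usable_host(addr, cidr):
    """True if addr lies in cidr and is neither its network nor its broadcast address."""
    net = ipaddress.ip_network(cidr)
    ip = ipaddress.ip_address(addr)
    return ip in net and ip not in (net.network_address, net.broadcast_address)


def selectors_mirror(side_a, side_b):
    """Phase 2 selectors must be mirror images: A's local == B's remote and vice versa."""
    a_local, a_remote = (ipaddress.ip_network(x) for x in side_a)
    b_local, b_remote = (ipaddress.ip_network(x) for x in side_b)
    return a_local == b_remote and a_remote == b_local


def peer_inside_tunnel_route(peer_ip, tunnel_route):
    """True if the IKE peer's own address is covered by the prefix routed into the tunnel.

    Reported as a fact to verify on the device; the thread does not establish
    whether the platform special-cases IKE/ESP to the peer in this situation.
    """
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(tunnel_route)


def report():
    """Collect every check into one dict so it can be printed or asserted on."""
    net, first, last, count = subnet_facts(DC_SUBNET)
    return {
        "dc_network_address": net,
        "dc_first_host": first,
        "dc_last_host": last,
        "dc_usable_hosts": count,
        "dc_mgmt_ip_is_usable_host": is_usable_host(DC_MGMT_IP, DC_SUBNET),
        "p2_selectors_mirror": selectors_mirror(DC_P2, BRANCH_P2),
        "branch_remote_gw_inside_tunnel_route": peer_inside_tunnel_route(DC_MGMT_IP, BRANCH_TUNNEL_ROUTE),
        "dc_remote_gw_inside_branch_lan": peer_inside_tunnel_route(BRANCH_WAN_IP, BRANCH_LAN),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:40s} {value}")
```

Running it prints one line per check; the only one that needs a judgement call is the remote-gateway overlap on the branch side, which is true for the addresses in the post because 203.210.127.241 is inside 203.210.127.128/25.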