Skip to main content
Jaspervdb
Jaspervdb
Visitor III
July 24, 2024
Question

IPsec VPN behavior regarding IP addresses

  • July 24, 2024
  • 1 reply
  • 1719 views

Hi all, 

I'm relatively inexperienced with firewalls and would value any guidance you can provide.

Here's the scenario:
We're connected to another company via an IPSEC VPN. The VPN was set up correctly and is operational. However, due to a recent change, we need to revise the policy.
We have a label printer connected to a PC. This PC must be able to communicate with a remote server through the VPN. Currently, the PC can reach the remote server via the VPN. The problem is that the VPN's other side is receiving our public IP instead of the source PC's IP.

Here are the actions I've taken:
I've created two objects: one for the PC and another for the target server.
I've established a new policy rule that permits traffic from the PC object (set to 'Any' during the testing phase) to pass through the VPN tunnel, with NAT disabled for this rule.
I've also set up the reverse policy rule in case the target server needs to initiate contact with the PC.

However, when we test the application for the printer, the logs show that the target server responds to our public IP rather than the source PC's IP.
I suspect I'm overlooking something or there's some aspect of VPN behavior I'm not grasping. I would greatly appreciate any assistance or insights.

Thank you for any help



1 reply

fricci_FTNT
Staff
fricci_FTNT
Staff
July 24, 2024

Hi @Jaspervdb ,

 

If the server is receiving the public IP, it means you are NATing that traffic somehow. Check the routing, where the IPsec phase2 traffic is being sent to (interface and next hop). Check also the priority order on the firewall policies and which firewall policy is actually being hit by the phase2 traffic.

Please open two Putty SSH sessions and run a packet sniffer (verbosity 4) in one shell and a debug flow in the second Putty shell. Debug flow will show you the traffic path and FortiGate's decisions based on what you have configurate.
Below you can find some useful article that explains also debug flow and packet sniffer:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectivity/ta-p/192560

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sniffer/ta-p/194222

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-session-table-information/ta-p/196988


Best regards,

    Jaspervdb
    JaspervdbAuthor
    Visitor III
    July 24, 2024

    After some more looking around on the internet I have found that the setup for the tunnel was with NAT, I disabled that and now it seems to go through with the right IP. My problem is not solved yet, but I am getting closer. Thank you for those links I will test everything abundantly.

    Kind regards 
    Jasper 

      Terms & ConditionsAccessibility statement