jonmckinlay
New Member
June 19, 2018
Question

NAT in an IPsec VPN Tunnel

  • June 19, 2018
  • 1 reply
  • 19166 views

Hi all,


I'm new to Fortinet (normally Cisco), so I'm struggling to get my head around NAT within a VPN tunnel.


I have a single server on my LAN that I would like to make accessible over an IPsec VPN, but I would like the server's real IP to be hidden behind a single IP address that's dedicated to that server. The server both initiates and responds, so the NAT needs to be static and bi-directional.


So I've set up a VIP between the one internal IP and the public IP address that I am using in the tunnel. The VPN tunnel has been made with the phase 2 source set to the single VIP address. I am only testing inbound at the moment, so the far end is trying to hit my VIP address. The VPN tunnel is up; however, all traffic from the far end towards the VIP does not seem to NAT and make it to my device. My policy for testing allows all traffic from that VPN to anywhere, and, more strangely, I don't see any hits for the traffic in the forward traffic log, but I do see it in the local traffic log, where it's denied by the local-in policy.

As a test, I removed the NAT and changed the phase 2 to be the server's real address, and it got straight in with no problems. This is not a solution I can retain, as the intended VPN, in its final location, will have overlapping IP addresses, so I want to advertise my server on a public IP address.


Am I doing something fundamentally wrong? Is a VIP bi-directional, or have I completely missed the point somewhere?


As an aside, my internet side is a /24, and the FortiGate's external IP was in that range, as was the VIP address I am using. Thinking this was maybe the problem, I split the FortiGate appliance to be a /25 and then used the other /25 as the VIP range, but that seemed to make no difference.

1 reply

rwpatterson
New Member
June 19, 2018

Welcome to the forums.


After you split the subnets, do you still see that same situation? No NAT and denied. Now, in the policy section, ensure you have an inward-facing policy and that the VIP definition is the destination on that policy. For the outbound policy, you will need to create an IP pool with that same single IP address the outside world sees, and use that in the policy from the server back out the tunnel.

emnoc
New Member
June 19, 2018

NAT in an IPsec tunnel is doable, SNAT or DNAT, if it's route-based.


Treat the interface of the route-based tunnel just like an "interface".


Make sure to use the post-NAT address in the IPsec SA selector and not the "pre-NAT address".


Ken Felix
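Putting the two replies together, the configuration they describe has three pieces: a VIP (DNAT) used as the destination of the inbound policy, a one-to-one IP pool holding the same public address for SNAT on the outbound policy, and phase 2 selectors that carry the post-NAT address rather than the server's real one. The FortiOS CLI sketch below is an added example written for this page, not configuration posted by the questioner or either replier. All names (to-remote, srv-public, srv-public-pool, wan1, internal), the RFC 5737 documentation addresses, the pre-shared key placeholder and the crypto proposals are assumptions chosen for illustration; binding the VIP's extintf to the tunnel interface follows emnoc's advice to treat the route-based tunnel as an ordinary interface and is likewise an assumption, not a statement of what fixed the original poster's problem. The lines starting with # are annotations and should be removed before pasting into a FortiGate.

```text
# Assumed topology (constructed for this example):
#   server real IP      10.0.0.10/32  on "internal"
#   server NAT address  203.0.113.10/32 (the only address the peer ever sees)
#   remote LAN          192.168.50.0/24 behind peer 198.51.100.1
#   tunnel interface    "to-remote" (route-based phase1-interface name)

config firewall address
    edit "srv-real"
        set subnet 10.0.0.10 255.255.255.255
    next
    edit "remote-lan"
        set subnet 192.168.50.0 255.255.255.0
    next
end

# Inbound half of the static NAT: DNAT 203.0.113.10 -> 10.0.0.10,
# bound to the tunnel interface, not to wan1.
config firewall vip
    edit "srv-public"
        set extip 203.0.113.10
        set extintf "to-remote"
        set mappedip "10.0.0.10"
    next
end

# Outbound half: one-to-one pool with the same single address, so
# sessions the server initiates leave the tunnel as 203.0.113.10
# with source ports preserved.
config firewall ippool
    edit "srv-public-pool"
        set type one-to-one
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

config vpn ipsec phase1-interface
    edit "to-remote"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 198.51.100.1
        set psksecret REPLACE-WITH-PSK
    next
end

# Phase 2 selector uses the post-NAT address (emnoc's point):
# 203.0.113.10, never 10.0.0.10.
config vpn ipsec phase2-interface
    edit "to-remote-p2"
        set phase1name "to-remote"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 203.0.113.10 255.255.255.255
        set dst-subnet 192.168.50.0 255.255.255.0
    next
end

config router static
    edit 0
        set dst 192.168.50.0 255.255.255.0
        set device "to-remote"
    next
end

config firewall policy
    # Inward-facing policy: destination is the VIP object, not srv-real.
    edit 0
        set name "remote-to-srv-via-vip"
        set srcintf "to-remote"
        set dstintf "internal"
        set srcaddr "remote-lan"
        set dstaddr "srv-public"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Outbound policy: SNAT through the pool so the peer only sees 203.0.113.10.
    edit 0
        set name "srv-to-remote-snat"
        set srcintf "internal"
        set dstintf "to-remote"
        set srcaddr "srv-real"
        set dstaddr "remote-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "srv-public-pool"
    next
end

# Check: trace a packet from the peer to the VIP and confirm the DNAT step
# and the matching policy id appear, instead of a local-in denial.
diagnose debug flow filter daddr 203.0.113.10
diagnose debug flow trace start 10
diagnose debug enable
# ... generate traffic from the remote LAN, then:
diagnose debug disable
diagnose debug flow filter clear
```

The two things worth verifying before anything else are that the phase 2 selectors on both ends agree on 203.0.113.10 (the FortiGate side can be read back with `diagnose vpn tunnel list`) and that the VIP is reachable through the tunnel interface rather than only through wan1; a VIP whose extintf is wan1 does not apply to packets that arrive on to-remote. If the debug flow output shows the packet being sent to the local stack instead of through DNAT and the policy above, the VIP is not matching, and the interface binding and extip are the first things to compare against this sketch.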