JMenefee
New Member
January 13, 2021
Question

Site to site VPN with NAT - Step by Step guide

Hello,

I'll start by saying I am new to Fortigate products.

I am trying to set up a new site-to-site VPN with NAT involved and I am new to the Fortigate firewall. Below is the information about the Fortigate and VPN tunnel. I looked for a step-by-step setup guide and have not found what I need to successfully set up a working tunnel with NAT. I'm setting up the Fortigate side and the client is setting up the remote peer side. Any help is appreciated. If there is more information needed please advise.

Fortigate model = Fortigate VM64 (in cloud) v6.2.3 build 1066
Fortigate WAN = 10.10.2.x
Fortigate LAN = 10.10.0.x
Local IP server = 10.10.0.28

Remote peer = 123.78.140.250
Remote subnets = 123.78.140.29 and 123.78.140.30
NAT IP = 10.255.12.240

IKE Auth Method = pre-shared key
IKE Encryption Algorithm = AES256
IKE Hash Algorithm = SHA1
IKE Diffie-Hellman Group = 2
Phase 1 lifetime = 86400
IPsec Encryption Algorithm = AES256
IPsec Integrity Algorithm = SHA1
Perfect Forward Secrecy = Disabled
Mode = Tunnel
IP Payload Compression = Disabled
Dead Peer Detection = On

Thank you in advance.

John

FortiGab
Explorer
May 28, 2021

Did you enable NAT-T?

emnoc
New Member
May 28, 2021

We don't work for free, but here's a basic cfg assuming IKEv1 and assuming you SNAT your LAN behind 10.255.12.240.

# 1st the end side that terminates the 2x public address

config vpn ipsec phase1-interface
    edit "spoke1-FGT"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set peertype one
        set proposal aes256-sha1
        set localid "hubvpn.example.com"
        set localid-type fqdn
        set dpd on-idle
        set dhgrp 2
        set peerid "spokeFGT.example.com"
        # stick your PSK here
        set psksecret blahblahblbah
    next
end

config vpn ipsec phase2-interface
    edit "spoke1-FGT-1"
        set phase1name "spoke1-FGT"
        set proposal aes256-sha1
        set pfs disable
        set src-subnet 123.78.140.29/32
        set dst-subnet 10.255.12.240/32
    next
    edit "spoke1-FGT-2"
        set phase1name "spoke1-FGT"
        set proposal aes256-sha1
        set pfs disable
        set src-subnet 123.78.140.30/32
        set dst-subnet 10.255.12.240/32
    next
end

config router static
    edit 0
        set dst 10.255.12.240 255.255.255.255
        set device "spoke1-FGT"
    next
end

# do not forget your policy tied to spoke1-FGT interface, I'm not wasting my time writing a policy example for you

===================== other side FGT that has no public address =====

config vpn ipsec phase1-interface
    edit "hub1-FGT"
        set type static
        set interface "wan1"
        set ike-version 1
        set peertype one
        set proposal aes256-sha1
        set localid "spokeFGT.example.com"
        set localid-type fqdn
        set dhgrp 2
        set peerid "hubvpn.example.com"
        set remote-gw 123.78.140.250
        # stick your PSK here
        set psksecret blahblahblbah
        # adjust keepalive as required
        set keepalive 12
    next
end

config vpn ipsec phase2-interface
    edit "hub1-FGT-1"
        set phase1name "hub1-FGT"
        set proposal aes256-sha1
        set pfs disable
        set dst-subnet 123.78.140.29/32
        set src-subnet 10.255.12.240/32
    next
    edit "hub1-FGT-2"
        set phase1name "hub1-FGT"
        set proposal aes256-sha1
        set pfs disable
        set dst-subnet 123.78.140.30/32
        set src-subnet 10.255.12.240/32
    next
end

# now for policy you should create an IP NAT pool for the to-be-NAT'd address of 10.255.12.240

config firewall ippool
    edit "10.255.12.240"
        set startip 10.255.12.240
        set endip 10.255.12.240
    next
end

Now for ANY fwpolicy that you bind to that IPsec vinterface, you use that IP NAT pool, so the clients are SNATed behind that.

e.g.

config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "hub1-FGT"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "10.255.12.240"
    next
end

config router static
    edit 0
        set dst 123.78.140.29 255.255.255.255
        set device "hub1-FGT"
    next
end

config router static
    edit 0
        set dst 123.78.140.30 255.255.255.255
        set device "hub1-FGT"
    next
end

You can add or restrict the policy address, I'm not going to waste my time writing out an example but the above would get you up.

I charge 145 p/HR if you need consulting or services.

Ken Felix
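An added example, not from this thread or from Fortinet: a small Python checker that parses both peers' config in the FortiOS "config / edit / set / next / end" syntax used in the post above and reports the mismatches that most often keep a site-to-site IPsec tunnel with SNAT from coming up: phase1 proposal, DH group and IKE version differing, local/peer IDs not cross-matched, a phase2 selector on one side with no mirrored (src and dst swapped) selector with the same PFS setting on the other, and a static route over the tunnel interface that points at a prefix no phase2 selector covers. The function and variable names (parse_fortios, check_peers, SIDE_A, SIDE_B) are hypothetical, the sample configs are constructed with the example.com IDs from the post, and the checker assumes one phase1 per side.

```python
from collections import defaultdict

def parse_fortios(text):
    """Parse FortiOS 'config / edit / set / next / end' text into {section: [entry, ...]}."""
    cfg, section, entry = defaultdict(list), None, None
    for raw in text.splitlines():
        tok = raw.strip().split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "config":
            section = " ".join(tok[1:])
        elif tok[0] == "edit":  # 'edit 0' repeats, so entries are kept in a list, not a dict
            cfg[section].append(entry := {"_name": tok[1].strip('"')})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = " ".join(tok[2:]).strip('"')
        elif tok[0] in ("next", "end"):
            entry = None
    return cfg

def check_peers(a_text, b_text):
    """Return mismatches between peer A and peer B; an empty list means the two sides agree."""
    a, b = parse_fortios(a_text), parse_fortios(b_text)
    p1a, p1b = a["vpn ipsec phase1-interface"][0], b["vpn ipsec phase1-interface"][0]
    problems = [f"phase1 {k} mismatch: {p1a.get(k)!r} vs {p1b.get(k)!r}"
                for k in ("proposal", "dhgrp", "ike-version") if p1a.get(k) != p1b.get(k)]
    if (p1a.get("localid"), p1a.get("peerid")) != (p1b.get("peerid"), p1b.get("localid")):
        problems.append("phase1 localid/peerid are not cross-matched")
    # Every phase2 selector on A must exist mirrored (src<->dst) on B with the same PFS setting.
    mirrored = {(e["dst-subnet"], e["src-subnet"], e.get("pfs")) for e in b["vpn ipsec phase2-interface"]}
    for e in a["vpn ipsec phase2-interface"]:
        if (e["src-subnet"], e["dst-subnet"], e.get("pfs")) not in mirrored:
            problems.append(f"phase2 {e['_name']}: no mirrored selector on peer")
    # A static route over the tunnel interface must point at one of that side's phase2 dst-subnets.
    for side, cfg in (("A", a), ("B", b)):
        tun = cfg["vpn ipsec phase1-interface"][0]["_name"]
        dsts = {e["dst-subnet"].split("/")[0] for e in cfg["vpn ipsec phase2-interface"]}
        for r in cfg["router static"]:
            if r.get("device") == tun and r["dst"].split()[0] not in dsts:
                problems.append(f"{side}: route to {r['dst']} via {tun} matches no phase2 dst-subnet")
    return problems

# Constructed sample configs (hypothetical IDs, one remote host each); side B has a mistyped 122.x route to catch.
SIDE_A = ("config vpn ipsec phase1-interface\nedit spoke1-FGT\nset proposal aes256-sha1\nset dhgrp 2\n"
          "set localid hubvpn.example.com\nset peerid spokeFGT.example.com\nnext\nend\n"
          "config vpn ipsec phase2-interface\nedit spoke1-FGT-1\nset pfs disable\nset src-subnet 123.78.140.29/32\nset dst-subnet 10.255.12.240/32\nnext\nend\n"
          "config router static\nedit 0\nset dst 10.255.12.240 255.255.255.255\nset device spoke1-FGT\nnext\nend\n")
SIDE_B = ("config vpn ipsec phase1-interface\nedit hub1-FGT\nset proposal aes256-sha1\nset dhgrp 2\n"
          "set localid spokeFGT.example.com\nset peerid hubvpn.example.com\nnext\nend\n"
          "config vpn ipsec phase2-interface\nedit hub1-FGT-1\nset pfs disable\nset dst-subnet 123.78.140.29/32\nset src-subnet 10.255.12.240/32\nnext\nend\n"
          "config router static\nedit 0\nset dst 122.78.140.29 255.255.255.255\nset device hub1-FGT\nnext\nend\n")
```

Run check_peers(SIDE_A, SIDE_B) to see the bad route reported; with the route corrected to 123.78.140.29 the list comes back empty, and flipping PFS on one side only is reported as a phase2 selector with no mirror.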

emnoc
New Member
May 28, 2021

NAT-T is enabled by default for ISAKMP KAs.

Ken Felix