Unable to configure behind-NAT Fortigate IPsec VPN with GCP

Forum|Forum|6 years ago
January 23, 2020
1 reply
11362 views

Hello,

We have a cloud services in Google Cloud (GCP) and we try to configure a vpn from our new offices and GCP. The difference between our old offices and new ones, that now we are behind the NAT where in the old offices we were facing the Internet directly. Our new offices is doing 1-to-1 NAT with our Fortigate. Our Fortigate is 90E v5.4.1. GCP supports 1-to-1 NAT with VPN peers but it restricts the peer to be able to identify itself with a public IP. https://cloud.google.com/vpn/docs/support/troubleshooting#gateways_behind_nat Our Fortigate because it is behind a NAT identifies itself with it's private IP which GCP rejects upon ikev2 authentication. I have tried to play with: local-gw, localid and nat-traversal but nothing helped when it comes to authentication with GCP Cloud VPN. Please Help.

NetFire

New Member

did you open open 500-4500 UDP ports on NAT router?

TimorAuthor

New Member

Yes, as the we are 1-to-1 NAT, meaning that we have a dedicated public IP for the office provider, and all traffic that is getting to this address is redirected to our Fortigate private IP address.

NetFire

New Member

Ok, same my scenario.

In our offices we had two type of routing:

- NATted Modem/router with virtualIP/Virtual Server: Fortigates are behind them, with WAN private IP

- Transparent LAN port on modem/router: Fortigates is connected to a physical LAN port on router and has public WAN IP.

If you can, you must set up a Transparent IP mode on one LAN port on modem/router where the public IP pass as-is.

In this case you must have one IP for the modem/router and one IP for the Fortigate, and each modem/router port must be set as interface instead of switch

Which modem/router do you have?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded