Skip to main content
CK173
CK173
New Member
March 1, 2017
Question

VPN Passthrough over Fortigate 100D

  • March 1, 2017
  • 2 replies
  • 16504 views

Hi all,

 

I have a query here. Currently just migrated over to Fortigate 100D.

In our environment, there is a Zywall VPN firewall sitting behind the Fortigate firewall which has a VPN with one of our vendor for them to access for troubleshooting of some system.

The ZyWall VPN wan interface is using one of the local LAN IP address (172.16.x.x) and the LAN interface is another private 10.x.x.x segment for the system's. My problem here is that the IPsec tunnel between the Zywell and the vendor is not able to be established.

I suppose the Fortigate needs to allow VPN passthrough but am not sure how this can be done.

 

My current configuration done:

 

1) Create a one to one nat using one available external IP in the IP Pools.

2) In the Virtual IPs, mapped the external IP to the Zywall interal WAN IP.

3) Created one policy from LAN to WAN1 with source (the internal IP of the Zywall WAN IP), destination to all, 

    enable NAT with IP Pool Configuration using external IP created in the IP Pool. Services allowing all.

 

Is there any other area i need to be looking into? Really appreciate if anyone can offer me some advise.

 

Thanks in advance.

CKL

 

 

 

    2 replies

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    March 1, 2017

    For 2) you've applied to another polity so that you have a pair of policies with the one for 3), right?

    First thing I would recommend is sniff the vpn traffic between the source and destination at the 100D's LAN port, while the vendor sniff the same on their end to see if vpn packets are reaching on the other end with a proper source IP.

    CK173
    CK173Author
    New Member
    March 2, 2017

    Hi,

     

    Thanks for the quick reply. 

    Yes, I have another policy for incoming traffic

    Incoming interface - Wan1

    Outgoing interface - LAN (Internal)

    source - All

    Destination - The nated external IP mapped to the internal 172.16.x.x IP 

    Service - Allow all

     

    I can see that there are some traffic coming in the incoming policy. But can't seem to see any related to vpn.

    While the Outgoing policy LAN to WAN (Placed at the top of the sequence of rules) has no traffic at all. Seems like traffic no able to reply or go out from internal LAN to WAN

    Will need to arrange the vendor to help sniff the traffic on their end and hopefully get some clues.

     

    Thank you..

     

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    March 2, 2017

    VPN parameters?

    In Main mode, the external WAN IP is part of the authentication process. That won't work in your case. Use Aggressive Mode, with peer ID.

    Of course, you have to enable NAT-T (NAT traversal), on both sides.

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    March 2, 2017

    Actually,

    the cleanest way to configure this is to move the VPN to your VPN gateway, which is the FGT now. Anything else is frickling IMHO.

    Terms & ConditionsAccessibility statement