VPN Traffic Only Works One Direction

For some quick background, I'm trying to establish IPsec VPN tunnels with a fleet of transit buses to allow access to some on-prem servers at our headquarters. Each bus has a non-FortiGate cellular router using the same 192.168.x.0/24 internal subnet. Equivalent devices on each bus use the same IP address from that subnet (Device A on every bus is 192.168.x.100).
To overcome the issue with 150 or so tunnels all using the same 192.168.x.0/24 remote subnet, someone at Fortinet suggested I use VRFs to isolate each of the tunnels, and that seems like a workable solution. Traffic comes into the VRF from the IPsec tunnel and as it passes through the VRF it is SNATed to a unique 10.x network. It can then flow from the VRF across a VDOM link into our HQ internal network to the servers it needs to reach. Yes, doing it with VDOMs would potentially be better, but I can't afford the licensing nor the hardware it would take to do that.
I've got the IPsec tunnel up and stable and I've got the VRF and VDOM links configured. Traffic that initiates on the remote end works fine. I can initiate a ping from a device behind the remote router to one of the internal servers, and it makes it through the remote router->IPsec Tunnel->FortiGate to the server, and the reply packet makes the return trip as it should.
The problem I'm facing now is I can't initiate traffic from the server on the internal network and have it make it to the device behind the remote router. A trace on the FortiGate shows the traffic coming in on the LAN interface as it should and then being routed into the IPsec tunnel's VRF via the VDOM link, but that is where it stops. From there, I need to DNAT for the 192.168.x.0/24 network and then have it route down the IPsec tunnel, but I can't seem to get that to work.
I've tried setting up DNAT with a VIP on the firewall rule which allows traffic from the VRF 9 end of the VDOM Link to the IPsec tunnel, but that doesn't work. Running a trace, I see the packet come into the FortiGate, but it is never routed into the VRF. Instead, the FortiGate goes ahead and does the DNAT to the 192.168.x.0/24 address, but, since the packet is still in VRF 0 instead of VRF 9 at that point, the FortiGate doesn't know how to route it and sends it back out of the LAN interface (we do have a 192.168.x.0 network on our internal network as well). I need that DNAT to happen only after the packet has been routed across the VDOM link into VRF 9 so that the FortiGate knows how to route it properly.
We aren't currently using Central NAT, but I wonder if divorcing the NAT settings from the firewall policies would make this all work better.
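A FortiOS CLI sketch of the per-bus design described in the post, added here as an illustration and not taken from the post or from Fortinet documentation. It assumes a tunnel interface "bus-001" and the VRF 9 end of the VDOM link "vlink9-1" are already placed in VRF 9, that "vlink9-0" is the VRF 0 end, and uses constructed addresses: 192.168.1.0/24 for the bus and 10.9.1.0/24 as that bus's translated range. The VIP's extintf ties the DNAT to the VRF 9 side of the link instead of letting it match on any ingress interface.

```fortios
config router static
    edit 0
        # VRF 0: reach this bus's translated range via the HQ end of the VDOM link
        set dst 10.9.1.0 255.255.255.0
        set device "vlink9-0"
    next
    edit 0
        # VRF 9: the bus's real subnet is only routable down its tunnel
        set dst 192.168.1.0 255.255.255.0
        set device "bus-001"
        set vrf 9
    next
end
config firewall ippool
    edit "bus-001-snat"
        set startip 10.9.1.1
        set endip 10.9.1.1
    next
end
config firewall vip
    edit "bus-001-deviceA"
        set extip 10.9.1.100
        set mappedip "192.168.1.100"
        # restrict the VIP to the VRF 9 link end so DNAT fires after the VRF hop, not at LAN ingress
        set extintf "vlink9-1"
    next
end
config firewall policy
    edit 0
        set srcintf "bus-001"
        set dstintf "vlink9-1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "bus-001-snat"
    next
    edit 0
        set srcintf "vlink9-1"
        set dstintf "bus-001"
        set srcaddr "all"
        set dstaddr "bus-001-deviceA"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The first policy is the bus-initiated direction (SNAT to the bus's unique 10.x address); the second is the HQ-initiated direction, where the VIP object is the policy destination.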
