IrbkOrrum
Explorer III
December 4, 2024
Solved

Where do you NAT external IPs for traffic through a VPN tunnel when a sub VDOM hosts the IPSec VPN?

  • December 4, 2024
  • 2 replies
  • 3465 views

Background on environment.

Root VDOM contains all the physical interfaces for traffic to the internet and the VMware stack. All traffic coming into or flowing out of the VDOMs has to route through Root. Vdom-A and Vdom-B share IP schemes, so everything has to route through the Intervdom network 172.17.17.0/28. Vdom-A has a VPN tunnel to another site. The traffic to establish the VPN flows

Internet > Root Vdom > VIP in Root VDOM that translates the external traffic to 172.17.17.1 (the vdom-a side intervdom link between Root and Vdom-A) > Vdom-A picks up and establishes the VPN tunnel.

In my initial test, the VPN establishes and traffic flows so I know I've got that part set up correctly.
However, Vdom-A will have a server with a "public IP" (let's call it 40.40.40.40 just for ease of conversation) that should be only accessible through the VPN.  I'm having some difficulty in establishing where the private IP (let's call it 10.10.10.40 for ease of conversation) is going to have the NAT to the IP Pool done.  The "outgoing interface" should be the VPN but IP Pools aren't (so far) established until you're in the Root VDOM.  I'm just not sure where I should tell the firewall that 10.10.10.40 through the VPN tunnel, should be 40.40.40.40.

I've tried putting the NAT at VDOM A, so that the 'outgoing interface' is the VPN tunnel, that didn't seem to work. 

I've tried putting the NAT at Root vdom, but then the 'outgoing interface' can only be "outside" and that didn't seem to work.  I'm at a loss as to where that outbound NAT should be done.  To be completely fair, I'm really new to using VDOMs and figuring all this stuff out one stumbling block at a time.

Best answer by dingjerry_FTNT

Hi @IrbkOrrum ,

As long as the IPSec VPN is terminated in VDOM-A, what @sjoshi said is incorrect.

Because the packets sent to the IPSec VPN tunnel are encrypted, and it is the IPSec VPN tunnel traffic that passes through the root VDOM, the root VDOM can't even read the real payload of the IPSec VPN packets. How can we apply NAT in the root VDOM for your IPSec VPN traffic?

Please read the KB article I provided before.

2 replies

dingjerry_FTNT
Staff
December 4, 2024

Hi @IrbkOrrum ,

You may use VIP with IPSec VPN.

Please check this KB and ignore the overlap part:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-an-IPsec-tunnel-with-Overlapping/ta-p/242267
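As an added illustration of the approach in this reply (a VIP on the tunnel interface inside the VDOM that terminates the IPsec tunnel), not configuration taken from the KB article or from anyone in this thread, the FortiOS CLI below puts both translation directions in VDOM-A, where the packets are still cleartext. The VDOM name "VDOM-A", the phase1-interface name "to-remote-site" and the LAN interface "port-a-lan" are assumed placeholders; 10.10.10.40 and 40.40.40.40 are the addresses used in the question. The VIP handles traffic arriving from the tunnel for 40.40.40.40, and a one-to-one IP pool on the outbound policy makes the server's own traffic leave the tunnel sourced from 40.40.40.40 before it is encrypted, so the root VDOM only ever sees ESP:

```fortios
# Added example, not from the KB article or this thread.
# Assumed names: VDOM "VDOM-A", tunnel interface "to-remote-site", LAN "port-a-lan".
config vdom
    edit VDOM-A
        # Inbound from the tunnel: remote hosts address 40.40.40.40 and the
        # VIP maps it to the real server. The interface is the tunnel itself,
        # because that is where the decrypted packet enters VDOM-A.
        config firewall vip
            edit "vip-server-40"
                set extip 40.40.40.40
                set mappedip "10.10.10.40"
                set extintf "to-remote-site"
            next
        end
        # Outbound into the tunnel: one-to-one pool so 10.10.10.40 is
        # source-translated to 40.40.40.40 before IPsec encapsulation.
        config firewall ippool
            edit "pool-server-40"
                set type one-to-one
                set startip 40.40.40.40
                set endip 40.40.40.40
            next
        end
        config firewall address
            edit "h-server-40"
                set subnet 10.10.10.40 255.255.255.255
            next
        end
        config firewall policy
            # Remote site -> server (DNAT via the VIP)
            edit 0
                set name "vpn-in-to-server"
                set srcintf "to-remote-site"
                set dstintf "port-a-lan"
                set srcaddr "all"
                set dstaddr "vip-server-40"
                set action accept
                set schedule "always"
                set service "ALL"
            next
            # Server -> remote site (SNAT via the one-to-one pool)
            edit 0
                set name "server-out-to-vpn"
                set srcintf "port-a-lan"
                set dstintf "to-remote-site"
                set srcaddr "h-server-40"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
                set ippool enable
                set poolname "pool-server-40"
            next
        end
    next
end
```

Two things follow from placing the NAT here: the remote peer's phase2 selectors must cover 40.40.40.40/32 rather than 10.10.10.40, since that is the only address it will ever see, and nothing about 40.40.40.40 needs to exist in the root VDOM for this flow (the root VDOM's existing VIP to 172.17.17.1 only carries IKE and ESP). If central NAT is enabled in VDOM-A, the pool is referenced from a central SNAT policy instead of the `set ippool`/`set poolname` lines on the firewall policy. To confirm the translation, sniff the tunnel interface from VDOM-A and check that packets leaving towards the remote site carry 40.40.40.40 as the source, while the same sniff on the root VDOM's outside interface shows only ESP between the two gateway addresses.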

sjoshi
Staff
December 4, 2024

To NAT the private IP 10.10.10.40 to the public IP 40.40.40.40 for traffic through the VPN tunnel in VDOM-A, you should configure the NAT at the root VDOM level. Create a Virtual IP (NAT) in the root VDOM, specifying the external IP as 40.40.40.40 and the mapped IP as 10.10.10.40. Ensure the outgoing interface is set to "outside" in the NAT configuration. This setup will allow traffic destined for 40.40.40.40 to be translated to 10.10.10.40 before being sent through the VPN tunnel established by VDOM-A.

Thanks, Salon
IrbkOrrum (Author)
Explorer III
December 4, 2024

Oh so it should be a VIP, not an IP Pool where the NAT is happening inside the firewall rule?

EDIT

In 7.4 there is no "outgoing interface" that is specified.
