Description
This article provides an example of configuring a FortiGate unit for uni-directional traffic through a policy-based IPSec VPN, with all source addresses NATed to a single IP.
This is useful when several devices/machines behind FortiGate unit "A" (the Client side) need to reach devices/machines behind FortiGate unit "B" (the Server side), but unit "B" should only ever see a single source IP address.
Solution
Assumptions:
1. Traffic is only ever initiated from the Client side towards the Server side, NOT vice versa. Because every Client host appears as the same NAT IP, the Server side cannot address individual Client hosts.
2. All traffic originating from the Client is NATed to a single IP, 192.168.227.253/32. This address must also be used as the Client's Phase 2 source selector and as the Server's Phase 2 destination selector; a mismatch between them is the usual cause of an "IPSec selector mismatch" drop.
3. The IPSec VPN is set up in Tunnel Mode as a policy-based VPN (firewall policy with "set action ipsec").
Configurations On "Client-110C":
Firewall Address:
config firewall address
edit "LAN"
set subnet 10.126.0.0 255.255.255.0
next
edit "Remote"
set subnet 10.142.0.0 255.255.255.0
next
end
Firewall Policy:
config firewall policy
edit 1
set srcintf <Internal Interface>
set dstintf <External Interface>
set srcaddr "LAN"
set dstaddr "Remote"
set action ipsec
set schedule "always"
set service "ANY"
set logtraffic enable
set natip 192.168.227.253 255.255.255.255 <--- the IP that all outgoing traffic will be NATed to; the /32 mask maps every source to this single address
set inbound enable
set outbound enable
set natoutbound enable <--- apply the natip above to all traffic leaving through the tunnel (without this, natip is ignored and the real 10.126.0.0/24 sources enter the tunnel)
set vpntunnel "to-Server-110C" <--- must be the exact Phase 1 name configured below
next
end
IPSec VPN Configuration:
Phase 1:
config vpn ipsec phase1
edit "to-Server-110C"
set interface <External Interface>
set proposal 3des-sha1 aes128-sha1 <--- 3des-sha1 is a legacy proposal; keep it only if the peer cannot negotiate AES
set remote-gw 192.168.146.21
set psksecret fortinet <--- placeholder; use a strong, unique pre-shared key and configure the same value on the Server side
next
end
Phase 2:
config vpn ipsec phase2
edit "to-Server-110C-p2"
set pfs disable
set phase1name "to-Server-110C"
set proposal 3des-sha1 aes128-sha1
set src-addr-type ip
set use-natip disable <--- keep this disabled so that traffic entering the tunnel keeps the policy natip (192.168.227.253) as its source instead of being NATed to the External interface IP; the default is enable
set dst-subnet 10.142.0.0 255.255.255.0
set keylifeseconds 3600
set src-start-ip 192.168.227.253 <--- must equal the policy natip: the Phase 2 source selector is matched against the already NATed source address. Otherwise outbound traffic is dropped with an "IPSec selector mismatch" error
next
end
Configurations on "Server-110C":
Firewall Address:
config firewall address
edit "LAN"
set subnet 10.142.0.0 255.255.255.0 <--- must match the Phase 2 src-subnet below and the Client's "Remote" address; a wider mask here (e.g. /23) lets the policy accept hosts that fall outside the selector
next
edit "NATed-IP"
set subnet 192.168.227.253 255.255.255.255
next
end
Firewall Policy:
config firewall policy
edit 1
set srcintf <Internal Interface>
set dstintf <External Interface>
set srcaddr "LAN"
set dstaddr "NATed-IP"
set action ipsec
set schedule "always"
set service "ANY"
set inbound enable
set outbound enable
set vpntunnel "to-Client-110C" <--- must be the exact Phase 1 name configured below
next
end
IPSec VPN Configuration:
Phase1:
config vpn ipsec phase1
edit "to-Client-110C"
set interface <External Interface>
set proposal 3des-sha1 aes128-sha1 <--- must overlap with the Client's Phase 1 proposal
set remote-gw 192.168.146.15
set psksecret fortinet <--- placeholder; must be the same strong pre-shared key as on the Client side
next
end
Phase2:
config vpn ipsec phase2
edit "to-Client-110C-p2"
set dst-addr-type ip
set pfs disable
set phase1name "to-Client-110C"
set proposal 3des-sha1 aes128-sha1
set dst-start-ip 192.168.227.253 <--- must equal the natip configured on the Client; this mirrors the Client's src-start-ip so that both Phase 2 selectors match. Otherwise traffic arriving through the tunnel is dropped with an "IPSec selector mismatch" error
set keylifeseconds 3600
set src-subnet 10.142.0.0 255.255.255.0
next
end
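The following is an added example, not part of the Fortinet article and not FortiOS code: a small Python checker that reads trimmed copies of the two configurations above and applies the rules the article relies on (the policy vpntunnel must be the Phase 1 that the Phase 2 is bound to, natip must lie inside the Client's Phase 2 source selector, use-natip must be disabled on the Client, and the Server's selector must mirror the Client's). The parser and the CLIENT/SERVER strings are constructed for this example; the strings keep only the tables the checker reads, with the corrected tunnel names.

```python
import ipaddress

# Constructed inputs: the two sides of the article's configuration, reduced
# to the tables the checker reads (not the full configuration).
CLIENT = """
config firewall policy
  edit 1
    set natip 192.168.227.253 255.255.255.255
    set natoutbound enable
    set vpntunnel "to-Server-110C"
  next
end
config vpn ipsec phase2
  edit "to-Server-110C-p2"
    set phase1name "to-Server-110C"
    set src-addr-type ip
    set use-natip disable
    set src-start-ip 192.168.227.253
    set dst-subnet 10.142.0.0 255.255.255.0
  next
end
"""
SERVER = """
config firewall policy
  edit 1
    set vpntunnel "to-Client-110C"
  next
end
config vpn ipsec phase2
  edit "to-Client-110C-p2"
    set phase1name "to-Client-110C"
    set dst-addr-type ip
    set dst-start-ip 192.168.227.253
    set src-subnet 10.142.0.0 255.255.255.0
  next
end
"""


def parse_fortios(text):
    """Minimal parser for the config/edit/set/next/end layout -> {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
    return tables


def net(value):
    """'a.b.c.d m.m.m.m' or a bare IP (treated as a /32) -> IPv4Network."""
    parts = value.split()
    spec = "/".join(parts) if len(parts) == 2 else f"{parts[0]}/32"
    return ipaddress.ip_network(spec, strict=False)


def selector(p2):
    """(local, remote) Phase 2 selector; FortiOS defaults the type to subnet, 0.0.0.0/0."""
    def side(p):
        if p2.get(f"{p}-addr-type") == "ip":
            return net(p2[f"{p}-start-ip"])
        return net(p2.get(f"{p}-subnet", "0.0.0.0 0.0.0.0"))
    return side("src"), side("dst")


def check_side(cfg, label, nat_client):
    """Per-side checks; returns (problems, (local, remote) selector)."""
    pol = next(iter(cfg["firewall policy"].values()))
    p2 = next(iter(cfg["vpn ipsec phase2"].values()))
    problems = []
    if p2.get("phase1name") != pol.get("vpntunnel"):
        problems.append(f"{label}: Phase 2 is bound to {p2.get('phase1name')!r}, not to the policy's tunnel")
    local, remote = selector(p2)
    if nat_client:
        if pol.get("natoutbound") != "enable" or "natip" not in pol:
            problems.append(f"{label}: natoutbound/natip missing, LAN addresses would enter the tunnel un-NATed")
        elif not net(pol["natip"]).subnet_of(local):
            problems.append(f"{label}: natip {pol['natip']} is outside the local selector {local} (selector mismatch)")
        if p2.get("use-natip", "enable") != "disable":  # the article states the default is enable
            problems.append(f"{label}: use-natip not disabled, traffic would be NATed to the egress interface IP")
    return problems, (local, remote)


def check_pair(client_text, server_text):
    """Cross-check both sides; an empty list means the selectors line up."""
    cp, (cl, cr) = check_side(parse_fortios(client_text), "client", True)
    sp, (sl, sr) = check_side(parse_fortios(server_text), "server", False)
    if (cl, cr) != (sr, sl):
        sp.append(f"selector mismatch: client {cl}->{cr} vs server {sl}->{sr}")
    return cp + sp


if __name__ == "__main__":
    # Reintroduce the tunnel-name typo to show what the checker reports.
    for problem in check_pair(CLIENT, SERVER.replace('set vpntunnel "to-Client-110C"', 'set vpntunnel "to-1KC"')):
        print(problem)
```

Run it against the configurations as they are actually deployed (the output of "show firewall policy" and "show vpn ipsec phase2" pasted into the two strings) before raising a ticket for an "IPSec selector mismatch": the checker reports the same three classes of mistake that the annotated lines above warn about.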