FortiGate
ddeguzman (Staff)
Article Id 320785
Description

This article explains how to configure Port Forwarding (Virtual IP) for IKE traffic on a FortiGate that also terminates a site-to-site IPsec tunnel itself, so that the VIP does not capture the IKE packets meant for the FortiGate.

 

(Figure: vip-topology.JPG, topology diagram)

 

  • In this example, FGT_Primary is the FortiGate that has both a site-to-site IPsec tunnel with FGT_Remote-S2S and an IKE Port Forwarding VIP pointing to a dial-up VPN server behind its LAN interface (Port2).
  • By default, a VIP takes precedence over the FortiGate's own local-in processing: every inbound packet that matches the VIP (here, UDP/500 arriving on the external interface) is DNATed to the internal dial-up server, including the IKE packets from FGT_Remote-S2S that are destined for FGT_Primary itself. As a result, the site-to-site IPsec tunnel with FGT_Remote-S2S never comes up.

Note:

For illustration purposes, private IP addresses are assigned to each interface.

Scope

FortiGate.
Solution

To resolve this conflict, use the 'src-filter' (Source address filter) setting of the Virtual IP object.

The objective is to stop IKE traffic from the site-to-site peer 10.47.1.193 from being forwarded to the internal dial-up server. The source filter is an allow list: the VIP only matches traffic whose source address is in the filter, and anything else is left for the FortiGate to process normally. The filter must therefore contain all source IP addresses except 10.47.1.193, that is, the address ranges on either side of 10.47.1.193.

CLI: (screenshot vip1.JPG)
GUI: (screenshot vip4.JPG)

 

With this filter in place, IKE from 10.47.1.193 no longer matches the VIP, so the site-to-site tunnel between FGT_Primary and FGT_Remote-S2S is established, while inbound IKE from the dial-up users (10.47.1.168) is still forwarded to the internal dial-up VPN server.
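The following is an added example, not part of the original article or Fortinet's own tooling. It computes the "everything except the peer" ranges for 'set src-filter' and renders the corresponding VIP CLI. The external interface name, external IP and mapped IP are assumptions (the article shows them only in screenshots); the peer 10.47.1.193 and dial-up user 10.47.1.168 come from the article. It goes slightly beyond the article by rendering a second VIP for UDP/4500: once dial-up clients sit behind a DNAT, their ESP must travel inside NAT-T, so the same source filter has to be applied to UDP/4500 or the site-to-site peer's NAT-T packets would be hijacked in the same way.

```python
"""Build a FortiGate VIP src-filter that excludes a site-to-site IKE peer.

Added example; interface names, extip and mappedip below are assumed.
"""
import ipaddress
from typing import Iterable, List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

S2S_PEER = "10.47.1.193"       # FGT_Remote-S2S (from the article)
DIALUP_CLIENT = "10.47.1.168"  # dial-up user (from the article)

# Hypothetical values the article does not state in text.
EXTINTF = "port1"              # FGT_Primary external interface
EXTIP = "10.47.1.100"          # FGT_Primary external address
MAPPEDIP = "192.168.2.10"      # dial-up VPN server behind port2


def complement_ranges(network: str, excluded: Iterable[str]) -> List[IPRange]:
    """Return contiguous ranges covering `network` minus the `excluded` hosts.

    Integer arithmetic is used so that excluding the first or last address
    of the network (e.g. 255.255.255.255) does not overflow IPv4Address.
    """
    net = ipaddress.ip_network(network, strict=True)
    start, end = int(net.network_address), int(net.broadcast_address)
    hosts = sorted({int(ipaddress.ip_address(h)) for h in excluded})
    for h in hosts:
        if not start <= h <= end:
            raise ValueError(f"{ipaddress.ip_address(h)} is not inside {net}")
    ranges: List[Tuple[int, int]] = []
    cursor = start
    for h in hosts:
        if h > cursor:                      # gap before this excluded host
            ranges.append((cursor, h - 1))
        cursor = max(cursor, h + 1)         # skip the host (and duplicates)
    if cursor <= end:                       # tail after the last excluded host
        ranges.append((cursor, end))
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in ranges]


def src_filter_entries(ranges: List[IPRange]) -> List[str]:
    """Format ranges in the a.b.c.d-e.f.g.h form accepted by 'set src-filter'."""
    return [str(a) if a == b else f"{a}-{b}" for a, b in ranges]


def is_matched_by_filter(ip: str, ranges: List[IPRange]) -> bool:
    """True if the VIP would DNAT a packet from `ip` (source is in the filter)."""
    addr = ipaddress.ip_address(ip)
    return any(a <= addr <= b for a, b in ranges)


def render_vip_cli(name: str, extintf: str, extip: str, mappedip: str,
                   port: int, entries: List[str]) -> str:
    """Render one port-forwarding VIP for UDP `port`, restricted by src-filter."""
    quoted = " ".join(f'"{e}"' for e in entries)
    return "\n".join([
        "config firewall vip",
        f'    edit "{name}"',
        f"        set extip {extip}",
        f'        set extintf "{extintf}"',
        "        set portforward enable",
        "        set protocol udp",
        f"        set extport {port}",
        f'        set mappedip "{mappedip}"',
        f"        set mappedport {port}",
        f"        set src-filter {quoted}",
        "    next",
        "end",
    ])


def build_config() -> str:
    """VIPs for IKE (UDP/500) and NAT-T (UDP/4500), both excluding the S2S peer."""
    ranges = complement_ranges("0.0.0.0/0", [S2S_PEER])
    entries = src_filter_entries(ranges)
    assert not is_matched_by_filter(S2S_PEER, ranges)
    assert is_matched_by_filter(DIALUP_CLIENT, ranges)
    return "\n\n".join(
        render_vip_cli(f"IKE_to_dialup_udp{p}", EXTINTF, EXTIP, MAPPEDIP, p, entries)
        for p in (500, 4500)
    )


if __name__ == "__main__":
    print(build_config())
```

Running the script prints two VIP objects whose source filter is "0.0.0.0-10.47.1.192" "10.47.1.194-255.255.255.255"; if more site-to-site peers are added later, pass all of them to `complement_ranges` and the filter is regenerated without hand-editing ranges. The VIPs still need a firewall policy from the external interface to port2 that references them.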

 

(screenshot vip3.JPG)

 

Note:

In a real deployment, the addresses placed in the source filter would be public IP address ranges, with the public address of the site-to-site peer excluded.
