Technical Tip: Configuration example of source and destination NAT via the IPsec tunnel

jhussain_FTNT · ‎03-28-2021

Description
This article describes some example to configure source and destination NAT via the IPsec tunnel.

Solution

Scenario.

[Client] ( Src IP:10.90.146.63) –Dst IP: 10.149.76.128) <-----> [FGT] (Src NAT IP: 10.110.110.110 –Dst NAT IP: 10.110.57.128 ) <-----> IPSec tunnel <-----> [FGT] (Src IP: 10.110.110.110 –Dst IP: 10.110.57.128 ) <-----> DST(10.110.57.128

The requirement is the traffic from the source 10.90.146.63 need to reach the destination server 10.110.57.128 via the IPSEC tunnel which need to source NAT 10.110.110.110 and destination NAT 10.149.76.128 from Site A FortiGate.

Topology.

CLI configuration example.

# config vpn ipsec phase2-interface
    edit "TEST-PAM"
        set phase1name "TEST-AZURE"
        set proposal aes256-sha256
        set dhgrp 5
        set auto-negotiate enable
        set keylifeseconds 28800
        set src-subnet 10.110.110.0 255.255.255.0
        set dst-subnet 10.110.57.0 255.255.255.0
    next
end

# config firewall policy
edit 330
        set srcintf "vlan1124"
        set dstintf "TEST-AZURE"
        set srcaddr "10.90.146.63" "10.90.146.64"
        set dstaddr "10.149.76.0" "10.110.57.128"
        set action accept
        set schedule "always"
        set service "ALL "
        set ssl-ssh-profile "certificate-inspection"
          next

# config firewall central-snat-map
edit 41
        set srcintf "vlan1124"
        set dstintf "TEST-AZURE"
        set orig-addr "10.90.146.63" "10.90.146.64"
        set dst-addr "10.110.57.128"
        set nat-ippool "ippool-10.110.110.110"

# config firewall vip
   edit "vip_10.110.57.128"
        set extip 10.149.76.128
        set mappedip "10.110.57.128"
        set extintf "any"
   next

Verification with a debug log.

2021-01-19 11:48:14 id=20085 trace_id=35822 func=print_pkt_detail line=5639 msg="vd-shared:0 received a packet(proto=6, 10.90.146.63:53421->10.149.76.128:443) from vlan1124. flag [S], seq 3754709289, ack 0, win 8192"
2021-01-19 11:48:14 id=20085 trace_id=35822 func=init_ip_session_common line=5810 msg="allocate a new session-97d1a7fa"
2021-01-19 11:48:14 id=20085 trace_id=35822 func=fw_pre_route_handler line=182 msg="VIP-10.110.57.128:443, outdev-unknown"
2021-01-19 11:48:14 id=20085 trace_id=35822 func=__ip_session_run_tuple line=3441 msg="DNAT 10.149.76.128:443->10.110.57.128:443"
2021-01-19 11:48:14 id=20085 trace_id=35822 func=vf_ip_route_input_common line=2598 msg="find a route: flag=00000000 gw-10.110.57.128 via TEST-AZURE"
2021-01-19 11:48:14 id=20085 trace_id=35822 func=fw_forward_handler line=796 msg="Allowed by Policy-330: SNAT"
2021-01-19 11:48:14 id=20085 trace_id=35822 func=__ip_session_run_tuple line=3427 msg="SNAT 10.90.146.63->10.110.110.110:53421"
2021-01-19 11:48:14 id=20085 trace_id=35822 func=ipd_post_route_handler line=439 msg="out TEST-AZURE vwl_zone_id 0, state2 0x1, quality 0.
"
2021-01-19 11:48:14 id=20085 trace_id=35822 func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-TEST-AZURE"
2021-01-19 11:48:14 id=20085 trace_id=35822 func=_ipsecdev_hard_start_xmit line=666 msg="IPsec tunnel-TEST-AZURE"
2021-01-19 11:48:14 id=20085 trace_id=35822 func=esp_output4 line=907 msg="IPsec encrypt/auth"
2021-01-19 11:48:14 id=20085 trace_id=35822 func=ipsec_output_finish line=622 msg="send to 94.56.170.65 via intf-vlan3507"
2021-01-19 11:48:14 id=20085 trace_id=35823 func=print_pkt_detail line=5639 msg="vd-shared:0

received a packet(proto=6, 10.110.57.128:443->10.110.110.110:53421) from TEST-AZURE. flag [S.], seq 3279996221, ack 3754709290, win 8192"
2021-01-19 11:48:14 id=20085 trace_id=35823 func=resolve_ip_tuple_fast line=5720 msg="Find an existing session, id-97d1a7fa, reply direction"
2021-01-19 11:48:14 id=20085 trace_id=35823 func=__ip_session_run_tuple line=3441 msg="DNAT 10.110.110.110:53421->10.90.146.63:53421"
2021-01-19 11:48:14 id=20085 trace_id=35823 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-10.104.10.41 via vlan1124"
2021-01-19 11:48:14 id=20085 trace_id=35823 func=npu_handle_session44 line=1142 msg="Trying to offloading session from TEST-AZURE to vlan1124, skb.npu_flag=00000400 ses.state=04010204 ses.npu_state=0x03000000"
2021-01-19 11:48:14 id=20085 trace_id=35823 func=ip_session_install_npu_session line=343 msg="npu session installation succeeded"
2021-01-19 11:48:14 id=20085 trace_id=35823 func=fw_forward_dirty_handler line=396 msg="state=04010204, state2=00000001, npu_state=03000800"
2021-01-19 11:48:14 id=20085 trace_id=35823 func=__ip_session_run_tuple line=3427 msg="SNAT 10.110.57.128->10.149.76.128:443"
2021-01-19 11:48:14 id=20085 trace_id=35823 func=ipd_post_route_handler line=439 msg="out vlan1124 vwl_zone_id 0, state2
0x1, quality 0.