FortiGate
meslami (Staff)
Article Id 423961
Description

This article describes a GRE over IPsec configuration between two FortiGate firewalls where one FortiGate is behind a NAT device and the remote FortiGate terminates IPsec on a loopback interface.
Scope

This scenario depicts GRE over IPsec between two FortiGate devices, where one peer has a private IP address on its internet-facing interface and sits behind a device performing NAT, and the other peer terminates IPsec on a loopback interface.

The topology is shown in the diagram below. FGT1 is the FortiGate with a private address on its WAN-facing port (port2), behind the NAT device. FGT2 has routable IP addresses on both its WAN-facing port and its Loopback1 interface.

 

Topology: (diagram GRE-IPSec.jpg; the addressing it shows is summarised in the notes below)

 

Notes:

  • The WAN-facing port on FGT1 is configured with the private IP address 10.1.1.10. The NAT device translates this address to 4.1.1.10, so FGT2's phase1 remote-gw is 4.1.1.10, not 10.1.1.10. Because the peer addresses seen by the two sides differ, IKE detects the translation and negotiates NAT traversal on UDP port 4500 (visible in the verification output as port 4500 and natt: mode=keepalive).
  • On FGT2, Loopback1 is configured with 64.1.1.1/32 and the IPsec tunnel terminates on it (phase1 set interface "Loopback1"). FGT1's phase1 remote-gw is therefore 64.1.1.1, not FGT2's port2 address 4.1.1.2. Terminating on a loopback keeps the tunnel endpoint independent of any single physical WAN interface.
  • Static routes are configured on both FortiGates: a /32 to the peer's IPsec tunnel-interface address via the IPSEC interface, so the GRE packets are steered into IPsec and encrypted, and a /32 to the peer's GRE interface address via the GRE interface, so user traffic enters the GRE tunnel.
  • The phase2 selector is restricted to IP protocol 47 (set protocol 47), so only GRE is accepted into the IPsec SA; everything else has to travel inside the GRE tunnel.
  • The IPsec tunnel-interface address, the GRE local-gw and the peer's static route should all refer to the same address. In the FGT2 configuration below the IPSEC interface is shown with 10.254.254.2/32 while its GRE local-gw and FGT1's static route use 10.255.255.2; use one address for both.
  • The proposals used in this lab (phase1 lists that include 3DES, SHA1 and MD5; phase2 3des-md5 with PFS groups 5 and 2) are reproduced as configured, but 3DES, MD5 and DH groups 1, 2 and 5 are deprecated. In production restrict both phases to AES with SHA-256 (for example aes256-sha256) and use DH group 14 or higher for IKE and PFS.
  • The GRE interface on FGT1 permits https, ssh and snmp administrative access. That exposes management to whatever reaches the far end of the tunnel; enable only the access that is actually needed on tunnel interfaces.
Solution

Relevant configuration on the FortiGate firewalls:

 

Local FortiGate (hostname FGT1):

config system interface
    edit "port2"
        set vdom "root"
        set ip 10.1.1.10 255.255.255.0
        set allowaccess ping ssh
        set type physical
        set role wan
    next
    edit "GRE"
        set vdom "root"
        set ip 172.16.10.1 255.255.255.255
        set allowaccess ping https ssh snmp
        set type tunnel
        set interface "IPSEC"
        set tcp-mss 1460
    next
    edit "IPSEC"
        set vdom "root"
        set ip 10.255.255.1 255.255.255.255
        set type tunnel
        set interface "port2"
    next
end

config router static
    edit 1
        set gateway 10.1.1.1
        set device "port2"
    next
    edit 20
        set dst 10.255.255.2 255.255.255.255
        set device "IPSEC"
    next
    edit 30
        set dst 172.16.10.2 255.255.255.255
        set device "GRE"
    next
end

config system gre-tunnel
    edit "GRE"
        set interface "IPSEC"
        set remote-gw 10.255.255.2
        set local-gw 10.255.255.1
        set keepalive-interval 10
        set keepalive-failtimes 3
    next
end

config vpn ipsec phase1-interface
    edit "IPSEC"
        set interface "port2"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1 3des-md5
        set remote-gw 64.1.1.1
        set psksecret ENC …
    next
end

config vpn ipsec phase2-interface
    edit "NOS-VPN"
        set phase1name "IPSEC"
        set proposal 3des-md5
        set dhgrp 5 2
        set protocol 47
        set keylifeseconds 86200
    next
end

 

Remote FortiGate (hostname FGT2):

config system interface
    edit "port2"
        set vdom "root"
        set ip 4.1.1.2 255.255.255.0
        set allowaccess ping
        set type physical
        set role wan
    next
    edit "GRE"
        set vdom "root"
        set ip 172.16.10.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set interface "IPSEC"
        set tcp-mss 1460
    next
    edit "IPSEC"
        set vdom "root"
        set ip 10.254.254.2 255.255.255.255
        set type tunnel
        set interface "Loopback1"
    next
    edit "Loopback1"
        set vdom "root"
        set ip 64.1.1.1 255.255.255.255
        set allowaccess ping
        set type loopback
        set role lan
    next
end

config router static
    edit 20
        set dst 10.255.255.1 255.255.255.255
        set device "IPSEC"
    next
    edit 30
        set dst 172.16.10.1 255.255.255.255
        set device "GRE"
    next
end

config system gre-tunnel
    edit "GRE"
        set interface "IPSEC"
        set remote-gw 10.255.255.1
        set local-gw 10.255.255.2
        set keepalive-interval 10
        set keepalive-failtimes 3
    next
end

config vpn ipsec phase1-interface
    edit "IPSEC"
        set interface "Loopback1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1 3des-md5
        set remote-gw 4.1.1.10
        set psksecret ENC …
    next
end

config vpn ipsec phase2-interface
    edit "IPSEC"
        set phase1name "IPSEC"
        set proposal 3des-md5
        set dhgrp 5 2
        set protocol 47
        set keylifeseconds 86200
    next
end
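As an added check (example code written for this article; it is not part of the original page and not FortiOS or Fortinet tooling), the script below parses the two configurations above and verifies the cross-device relationships this design depends on: each side's GRE remote-gw is the peer's GRE local-gw, the GRE local-gw is the address of that side's own IPsec tunnel interface, a static route to the peer's GRE endpoint points at the IPsec interface, the phase1 remote-gw is the address the peer is actually reachable on (FGT2's loopback for FGT1; the NAT-translated 4.1.1.10 for FGT2, which the script takes as a parameter because no FortiGate configuration contains it), the phase2 selector is protocol 47, and no deprecated algorithm (DES/3DES, MD5, SHA1, DH groups 1/2/5) is proposed. The embedded configurations are a constructed, whitespace-compacted copy of the relevant tables above with unrelated lines dropped; the parser handles only the config/edit/set/next/end subset used here, and the "weak" sets are this example's own policy.

```python
"""Cross-check a pair of FortiOS GRE-over-IPsec configurations (added example, not FortiOS tooling)."""

# Constructed input: whitespace-compacted copies of the relevant FGT1/FGT2 tables from
# this article; unrelated interface attributes are omitted.
FGT1_CFG = (
    'config system interface\n edit "port2"\n  set ip 10.1.1.10 255.255.255.0\n next\n'
    ' edit "IPSEC"\n  set ip 10.255.255.1 255.255.255.255\n  set interface "port2"\n next\nend\n'
    'config router static\n edit 1\n  set gateway 10.1.1.1\n  set device "port2"\n next\n'
    ' edit 20\n  set dst 10.255.255.2 255.255.255.255\n  set device "IPSEC"\n next\nend\n'
    'config system gre-tunnel\n edit "GRE"\n  set interface "IPSEC"\n'
    '  set remote-gw 10.255.255.2\n  set local-gw 10.255.255.1\n next\nend\n'
    'config vpn ipsec phase1-interface\n edit "IPSEC"\n  set interface "port2"\n'
    '  set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1 3des-md5\n'
    '  set remote-gw 64.1.1.1\n next\nend\n'
    'config vpn ipsec phase2-interface\n edit "NOS-VPN"\n  set phase1name "IPSEC"\n'
    '  set proposal 3des-md5\n  set dhgrp 5 2\n  set protocol 47\n next\nend\n'
)
FGT2_CFG = (
    'config system interface\n edit "port2"\n  set ip 4.1.1.2 255.255.255.0\n next\n'
    ' edit "IPSEC"\n  set ip 10.254.254.2 255.255.255.255\n  set interface "Loopback1"\n next\n'
    ' edit "Loopback1"\n  set ip 64.1.1.1 255.255.255.255\n  set type loopback\n next\nend\n'
    'config router static\n edit 20\n  set dst 10.255.255.1 255.255.255.255\n  set device "IPSEC"\n next\nend\n'
    'config system gre-tunnel\n edit "GRE"\n  set interface "IPSEC"\n'
    '  set remote-gw 10.255.255.1\n  set local-gw 10.255.255.2\n next\nend\n'
    'config vpn ipsec phase1-interface\n edit "IPSEC"\n  set interface "Loopback1"\n'
    '  set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1 3des-md5\n'
    '  set remote-gw 4.1.1.10\n next\nend\n'
    'config vpn ipsec phase2-interface\n edit "IPSEC"\n  set phase1name "IPSEC"\n'
    '  set proposal 3des-md5\n  set dhgrp 5 2\n  set protocol 47\n next\nend\n'
)
WEAK_ALGS = {"des", "3des", "md5", "sha1"}  # this example's policy: deprecated cipher/hash names
WEAK_DH = {"1", "2", "5"}                    # DH/PFS groups below 2048 bits

def parse_fortios(text):
    """Parse the config/edit/set/next/end subset into {table: {entry: {attr: [values]}}}."""
    tables, stack = {}, []  # stack entries are [table_name, current_entry]
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            name = " ".join(tok[1:])
            tables.setdefault(name, {})
            stack.append([name, None])
        elif tok[0] == "edit":
            stack[-1][1] = tok[1].strip('"')
            tables[stack[-1][0]].setdefault(stack[-1][1], {})
        elif tok[0] == "set":
            table, entry = stack[-1]
            tables[table][entry][tok[1]] = [v.strip('"') for v in tok[2:]]
        elif tok[0] == "next":
            stack[-1][1] = None
        elif tok[0] == "end":
            stack.pop()
    return tables

def side_view(cfg):
    """Pull out the values the cross-check needs from one device's configuration."""
    t = parse_fortios(cfg)
    gre = next(iter(t["system gre-tunnel"].values()))
    p1_name, p1 = next(iter(t["vpn ipsec phase1-interface"].items()))
    p2 = next(iter(t["vpn ipsec phase2-interface"].values()))
    ifaces = t["system interface"]
    return {
        "gre_local": gre["local-gw"][0], "gre_remote": gre["remote-gw"][0],
        "ipsec_if": p1_name, "ipsec_if_ip": ifaces[p1_name]["ip"][0],
        "p1_bind_ip": ifaces[p1["interface"][0]]["ip"][0], "p1_remote_gw": p1["remote-gw"][0],
        "proposals": p1.get("proposal", []) + p2.get("proposal", []),
        "dhgrp": p2.get("dhgrp", []), "p2_protocol": p2.get("protocol", [None])[0],
        "routes": {r["dst"][0]: r["device"][0] for r in t["router static"].values() if "dst" in r},
    }

def check_pair(a_name, a, b_name, b, peer_public_ip=None):
    """Findings for a's view of b; peer_public_ip is b's NAT-translated address, if it has one."""
    f = []
    if a["gre_remote"] != b["gre_local"]:
        f.append(f"{a_name}: GRE remote-gw {a['gre_remote']} is not {b_name}'s GRE local-gw {b['gre_local']}")
    if a["gre_local"] != a["ipsec_if_ip"]:
        f.append(f"{a_name}: GRE local-gw {a['gre_local']} is not the address of its IPsec interface "
                 f"{a['ipsec_if']} ({a['ipsec_if_ip']})")
    if a["routes"].get(b["gre_local"]) != a["ipsec_if"]:
        f.append(f"{a_name}: no static route to {b['gre_local']} via {a['ipsec_if']}")
    expected = peer_public_ip or b["p1_bind_ip"]  # NAT'd address, else the interface IKE binds to
    if a["p1_remote_gw"] != expected:
        f.append(f"{a_name}: phase1 remote-gw {a['p1_remote_gw']} is not {b_name}'s reachable address {expected}")
    if a["p2_protocol"] != "47":
        f.append(f"{a_name}: phase2 selector protocol is {a['p2_protocol']}, not 47 (GRE)")
    f += [f"{a_name}: deprecated proposal {p}" for p in a["proposals"] if set(p.split("-")) & WEAK_ALGS]
    f += [f"{a_name}: weak PFS group {g}" for g in a["dhgrp"] if g in WEAK_DH]
    return f

def run():
    """Check both directions; FGT2 must target FGT1's translated address (4.1.1.10, from the notes)."""
    fgt1, fgt2 = side_view(FGT1_CFG), side_view(FGT2_CFG)
    return {"FGT1": check_pair("FGT1", fgt1, "FGT2", fgt2),
            "FGT2": check_pair("FGT2", fgt2, "FGT1", fgt1, peer_public_ip="4.1.1.10")}

if __name__ == "__main__":
    for dev, findings in run().items():
        print(f"{dev}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

Run against the configurations on this page, the script reports no mismatch in the GRE endpoints, routes, selectors or phase1 gateways, one structural finding (FGT2's GRE local-gw 10.255.255.2 is not the 10.254.254.2 configured on its IPSEC interface), and the deprecated proposals and PFS groups on both sides. Extending the checks to a second tunnel or VDOM only needs another pair of snippets.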

 

Verification:

What to look for in the output below: the tunnel summary and diagnose vpn tunnel list show both peers on UDP port 4500 with natt: mode=keepalive, confirming that NAT traversal was negotiated; FGT2 sees the peer as the translated address 4.1.1.10 rather than 10.1.1.10; the proxyid shows proto=47 with one SA, matching the phase2 selector; and pinging the remote GRE interface address proves the GRE tunnel is carried inside IPsec. Note that diagnose vpn tunnel list prints the live ESP encryption and authentication keys (the hex strings after key=), so redact them before pasting this output into a ticket or chat.

 

FGT1 # get vpn ipsec tunnel summary
'IPSEC' 64.1.1.1:4500  selectors(total,up): 1/1  rx(pkt,err): 14342/0  tx(pkt,err): 14343/3

FGT1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.1.1.1, port2, [1/0]
C       10.1.1.0/24 is directly connected, port2
C       10.254.1.0/24 is directly connected, port1
C       10.255.255.1/32 is directly connected, IPSEC
S       10.255.255.2/32 [10/0] via IPSEC tunnel 64.1.1.1, [1/0]
C       172.16.10.1/32 is directly connected, GRE
C       172.16.10.2/32 is directly connected, GRE

FGT1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=IPSEC ver=1 serial=1 10.1.1.10:4500->64.1.1.1:4500 nexthop=10.1.1.1 tun_id=64.1.1.1 tun_id6=::64.1.1.1 status=up dst_mtu=1500 weight=1
bound_if=4 real_if=4 lgwy=static/1 tun=intf mode=auto/1 encap=none/568 options[0238]=npu create_dev frag-rfc  role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=5 ilast=3 olast=3 ad=/0
stat: rxp=14346 txp=14347 rxb=1090296 txb=1090380
dpd: mode=on-demand on=1 status=ok idle=20000ms retry=3 count=0 seqno=1
natt: mode=keepalive draft=32 interval=10 remote_port=4500
fec: egress=0 ingress=0
proxyid=NOS-VPN proto=47 sa=1 ref=2 serial=1
  src: 47:0.0.0.0-255.255.255.255:0
  dst: 47:0.0.0.0-255.255.255.255:0
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1438 expire=14188/0B replaywin=2048
       seqno=380c esn=0 replaywin_lastseq=0000380b qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=85928/86200
  dec: spi=41e3fd98 esp=3des key=24 aecf85c83c51ca22ab647699514473d79930c3e0c37f8483
       ah=md5 key=16 fd209e7b348e8cb6e40b62f74076cf7f
  enc: spi=2a67e730 esp=3des key=24 8dc24958daf1a380f71317d3df4e0d1561d24870b41f3d0f
       ah=md5 key=16 5b2106455da91df4f5ef52cf345fc6bd
  dec:pkts/bytes=14346/1090296, enc:pkts/bytes=14347/2008584
  npu_flag=ff npu_rgwy=0.0.0.0:0 npu_lgwy=0.0.0.0:0 npu_selid=0
  dec_npuid=0 enc_npuid=0 dec_engid=0 enc_engid=-1 dec_saidx=-1 enc_saidx=-1

FGT1 # execute ping 172.16.10.2
PING 172.16.10.2 (172.16.10.2): 56 data bytes
64 bytes from 172.16.10.2: icmp_seq=0 ttl=255 time=4.2 ms
64 bytes from 172.16.10.2: icmp_seq=1 ttl=255 time=2.9 ms
64 bytes from 172.16.10.2: icmp_seq=2 ttl=255 time=3.1 ms
64 bytes from 172.16.10.2: icmp_seq=3 ttl=255 time=3.2 ms
64 bytes from 172.16.10.2: icmp_seq=4 ttl=255 time=3.3 ms

--- 172.16.10.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 2.9/3.3/4.2 ms

 

FGT2 # get vpn ipsec tunnel summary
'IPSEC' 4.1.1.10:4500  selectors(total,up): 1/1  rx(pkt,err): 14364/0  tx(pkt,err): 14363/5

FGT2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
C       4.1.1.0/24 is directly connected, port2
C       10.254.1.0/24 is directly connected, port1
C       10.254.254.2/32 is directly connected, IPSEC
S       10.255.255.1/32 [10/0] via IPSEC tunnel 4.1.1.10, [1/0]
C       64.1.1.1/32 is directly connected, Loopback1
C       172.16.10.1/32 is directly connected, GRE
C       172.16.10.2/32 is directly connected, GRE

FGT2 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=IPSEC ver=1 serial=1 64.1.1.1:4500->4.1.1.10:4500 nexthop=0.0.0.0 tun_id=4.1.1.10 tun_id6=::4.1.1.10 status=up dst_mtu=1500 weight=1
bound_if=0 real_if=4 lgwy=static/1 tun=intf mode=auto/1 encap=none/568 options[0238]=npu create_dev frag-rfc  role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=5 ilast=1 olast=1 ad=/0
stat: rxp=14366 txp=14365 rxb=1091984 txb=1091900
dpd: mode=on-demand on=1 status=ok idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
fec: egress=0 ingress=0
proxyid=IPSEC proto=47 sa=1 ref=3 serial=1
  src: 47:0.0.0.0-255.255.255.255:0
  dst: 47:0.0.0.0-255.255.255.255:0
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1438 expire=14090/0B replaywin=2048
       seqno=381e esn=0 replaywin_lastseq=0000381f qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=85898/86200
  dec: spi=2a67e730 esp=3des key=24 8dc24958daf1a380f71317d3df4e0d1561d24870b41f3d0f
       ah=md5 key=16 5b2106455da91df4f5ef52cf345fc6bd
  enc: spi=41e3fd98 esp=3des key=24 aecf85c83c51ca22ab647699514473d79930c3e0c37f8483
       ah=md5 key=16 fd209e7b348e8cb6e40b62f74076cf7f
  dec:pkts/bytes=14366/1091984, enc:pkts/bytes=14365/2011240
  npu_flag=ff npu_rgwy=0.0.0.0:0 npu_lgwy=0.0.0.0:0 npu_selid=0
  dec_npuid=0 enc_npuid=0 dec_engid=0 enc_engid=-1 dec_saidx=-1 enc_saidx=-1

FGT2 # execute ping 172.16.10.1
PING 172.16.10.1 (172.16.10.1): 56 data bytes
64 bytes from 172.16.10.1: icmp_seq=0 ttl=255 time=4.0 ms
64 bytes from 172.16.10.1: icmp_seq=1 ttl=255 time=3.9 ms
64 bytes from 172.16.10.1: icmp_seq=2 ttl=255 time=2.7 ms
64 bytes from 172.16.10.1: icmp_seq=3 ttl=255 time=3.0 ms
64 bytes from 172.16.10.1: icmp_seq=4 ttl=255 time=3.5 ms

--- 172.16.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 2.7/3.4/4.0 ms
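To automate the same reading of diagnose vpn tunnel list (example code written for this article; not part of the original page and not FortiOS or Fortinet tooling), the script below parses the output into the few facts that matter here: tunnel status and endpoints, whether NAT-T is in use, DPD state, the selector protocol and SA count, and the ESP cipher and authentication algorithm of each SA. It deliberately drops the key material, so its output is safe to share. The embedded sample is the FGT1 output above, trimmed to the lines the parser reads; the assessment rules (remote port 4500 plus natt mode=keepalive counted as NAT-T; DES, 3DES, MD5 and null counted as weak) are this example's assumptions.

```python
"""Parse 'diagnose vpn tunnel list' output and assess a GRE-over-IPsec tunnel (added example)."""
import re

# Constructed input: the FGT1 output shown above, trimmed to the lines this parser reads.
SAMPLE = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=IPSEC ver=1 serial=1 10.1.1.10:4500->64.1.1.1:4500 nexthop=10.1.1.1 tun_id=64.1.1.1 tun_id6=::64.1.1.1 status=up dst_mtu=1500 weight=1
bound_if=4 real_if=4 lgwy=static/1 tun=intf mode=auto/1 encap=none/568 options[0238]=npu create_dev frag-rfc  role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=5 ilast=3 olast=3 ad=/0
stat: rxp=14346 txp=14347 rxb=1090296 txb=1090380
dpd: mode=on-demand on=1 status=ok idle=20000ms retry=3 count=0 seqno=1
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=NOS-VPN proto=47 sa=1 ref=2 serial=1
  src: 47:0.0.0.0-255.255.255.255:0
  dst: 47:0.0.0.0-255.255.255.255:0
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1438 expire=14188/0B replaywin=2048
  life: type=01 bytes=0/0 timeout=85928/86200
  dec: spi=41e3fd98 esp=3des key=24 aecf85c83c51ca22ab647699514473d79930c3e0c37f8483
       ah=md5 key=16 fd209e7b348e8cb6e40b62f74076cf7f
  enc: spi=2a67e730 esp=3des key=24 8dc24958daf1a380f71317d3df4e0d1561d24870b41f3d0f
       ah=md5 key=16 5b2106455da91df4f5ef52cf345fc6bd
  dec:pkts/bytes=14346/1090296, enc:pkts/bytes=14347/2008584
"""

HEADER = re.compile(r"name=(\S+) .*?(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+) .*status=(\w+)")
WEAK_ESP, WEAK_AUTH = {"des", "3des", "null"}, {"md5", "null"}  # this example's notion of weak


def kv(s):
    """'a=1 b=2 hexblob' -> {'a': '1', 'b': '2'}; tokens without '=' (the key bytes) are dropped."""
    return dict(tok.split("=", 1) for tok in s.split() if "=" in tok)


def parse_tunnel_list(text):
    """Return one dict per tunnel: endpoints, status, stat/dpd/natt fields, selectors and SAs."""
    tunnels, cur, last_dir = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:  # first line of a tunnel block
            cur = {"name": m[1], "local": m[2], "local_port": int(m[3]), "remote": m[4],
                   "remote_port": int(m[5]), "status": m[6], "selectors": [], "sa": {}}
            tunnels.append(cur)
        elif cur is None:
            continue
        elif line.startswith(("stat:", "dpd:", "natt:")):
            key, rest = line.split(":", 1)
            cur[key] = kv(rest)
        elif line.startswith("proxyid="):  # one per phase2 selector
            d = kv(line)
            cur["selectors"].append({"name": d["proxyid"], "proto": int(d["proto"]), "sa": int(d["sa"])})
        elif re.match(r"(dec|enc): spi=", line):  # 'dec:pkts/bytes=' lines do not match this
            last_dir = line[:3]
            d = kv(line[5:])
            cur["sa"][last_dir] = {"spi": d["spi"], "esp": d["esp"], "key_bytes": int(d["key"])}
        elif line.startswith("ah=") and last_dir:  # auth algorithm of the SA on the line above
            cur["sa"][last_dir]["auth"] = kv(line)["ah"]
    return tunnels


def assess(t, expected_peer, expected_proto=47):
    """Reduce one parsed tunnel to the yes/no facts that matter for GRE over IPsec behind NAT."""
    natt, sels = t.get("natt", {}), t["selectors"]
    return {
        "up": t["status"] == "up",
        "peer_ok": t["remote"] == expected_peer,
        # Remote port 4500 plus natt mode=keepalive: NAT traversal was negotiated.
        "nat_t": t["remote_port"] == 4500 and natt.get("mode") == "keepalive",
        "dpd_ok": t.get("dpd", {}).get("status") == "ok",
        "gre_only": bool(sels) and all(s["proto"] == expected_proto for s in sels),
        "sa_installed": bool(sels) and all(s["sa"] >= 1 for s in sels),
        "weak_crypto": any(sa["esp"] in WEAK_ESP or sa.get("auth") in WEAK_AUTH for sa in t["sa"].values()),
    }


if __name__ == "__main__":
    for tun in parse_tunnel_list(SAMPLE):
        print(tun["name"], f"{tun['local']}:{tun['local_port']} -> {tun['remote']}:{tun['remote_port']}")
        for check, ok in assess(tun, "64.1.1.1").items():
            print(f"  {check:13s} {ok}")
```

On the FGT1 sample every check passes except weak_crypto, which is true because the negotiated SA uses 3DES with MD5; on FGT2 the same code would be called with expected_peer "4.1.1.10", the translated address, since that is what FGT2 sees. Feeding it the output of several devices makes it easy to spot a tunnel that came up with a weaker proposal than intended or without NAT-T where NAT is known to be present.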

 

For more details on GRE over IPsec and its pros and cons, see Technical Tip: Configuring and verifying a GRE over an IPsec tunnel.
