ekrishnan
Staff
Article Id 295655
Description: This article describes how an IPsec peer (remote site) can reach a server on the LAN behind the local FortiGate using a public IP that is not configured on, or associated with, any interface of the local FortiGate.
Scope: FortiGate.
Solution

In this setup, two FortiGates (FGT1 and FGT2) are used:

This setup uses BGP as the routing protocol, so tunnel IPs are configured on both sides:

FGT1 tunnel IP: 10.5.5.2
FGT2 tunnel IP: 10.5.5.1

Server connected to port2 on FGT1: 10.103.0.2
Host behind FGT2 that needs access to the server: 10.232.0.2

FGT1 port1 is the internet link, with IP 10.47.2.51

Public IP that will be used to access the server: 202.13.2.2

The traffic flow is as follows: 10.232.0.2 accesses the server using the public IP 202.13.2.2.

 

This article focuses on the hairpin NAT, so the BGP and IPsec configuration is not described in full, but the relevant parts are as follows:

  • Phase 2 selectors should allow 'all' on both sides.
  • BGP on FGT1 should advertise 202.13.2.2.
  • BGP on FGT2 should advertise 10.232.0.2.

 

Configuration for BGP on FGT1:

 

config router bgp
    set as 65400
    set router-id 172.2.2.1
    set network-import-check disable
    config neighbor
        edit "10.5.5.1"
            set interface "WTunnel" <----- IPsec tunnel name.
            set remote-as 65400
        next
    end
    config network
        edit 2
            set prefix 202.13.2.2 255.255.255.255
        next
    end
end

 

BGP configuration on FGT2:

 

config router bgp
    set as 65400
    set ibgp-multipath enable
    config neighbor
        edit "10.5.5.2"
            set interface "Easytunnel" <----- IPsec tunnel name.
            set remote-as 65400
        next
    end
    config network
        edit 1
            set prefix 10.232.0.0 255.255.240.0
        next
    end
end

 

Verification of advertisement:

 

On FGT2:

 

get router info bgp network
VRF 0 BGP table version is 2, local router ID is 10.232.2.36
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path

*>i202.13.2.2/32 10.5.5.2 0 100 0 0 i <-/1>

 

On FGT1:

 

get router info bgp network
VRF 0 BGP table version is 6, local router ID is 172.2.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*>i10.232.0.0/20  10.5.5.1  0  100 0  0  i <-/1>

 

Once all this is in place, the focus is on the VIP configuration:

  • As mentioned earlier, the IP 202.13.2.2 is not configured or associated anywhere on FGT1 except in the VIP below.


config firewall vip
    edit "to actual server"
        set uuid 52599472-b9f8-51ee-b657-043e00cffaa2
        set extip 202.13.2.2 <----- Public IP.
        set mappedip "10.103.0.2" <----- Actual server IP.
        set extintf "port1"
        set portforward enable
        set extport 2222
        set mappedport 135
    next
end

 

Associated firewall policies on FGT1:

  1. One from the IPsec tunnel toward the WAN interface, which in this case is WTunnel -----> port1.
  2. One from the WAN interface to the LAN interface, which in this case is port1 ------> port2.

 

config firewall policy
    edit 9
        set name "From W tunnel"
        set uuid c9e98a5a-b9db-51ee-852c-f378cb0175a3
        set srcintf "WTunnel" <----- IPsec interface.
        set dstintf "port1" <----- WAN.
        set action accept
        set srcaddr "10.232.0.2-remote"
        set dstaddr "202.13.2.2"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 11
        set name "ext-int"
        set uuid 86e92fcc-b9e4-51ee-e496-6c831132ccfa
        set srcintf "port1" <----- WAN.
        set dstintf "port2" <----- LAN.
        set action accept
        set srcaddr "all"
        set dstaddr "to actual server" <----- VIP configured.
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

 

Note: NAT is not enabled in either firewall policy. This depends on the network setup; NAT can be enabled if required.

  • Firewall policy ID 11 is also specified with a source of all, which means the VIP's mapped port is accepted from any source arriving on port1, not only from the tunnel. This can be restricted to a more specific IP, for example 202.13.2.2.
  • On FGT2, the firewall policies are the usual ones to and from the IPsec tunnel. Since this article covers the hairpin NAT, which is done on FGT1, the FGT2 policy configuration is not shown.

 

Test scenario: a telnet connection was made from host 10.232.0.2 to 202.13.2.2 on port 2222.

On host 10.232.0.2:

cmd: telnet 202.13.2.2 2222

Debug flow results on FGT1:

 

# id=65308 trace_id=562 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=6, 10.232.0.2:58958->202.13.2.2:2222) tun_id=10.47.2.36 from WTunnel. flag [S], seq 1586407245, ack 0, win 64240"
id=65308 trace_id=562 func=init_ip_session_common line=6043 msg="allocate a new session-00700873, tun_id=10.47.2.36"
id=65308 trace_id=562 func=iprope_dnat_check line=5302 msg="in-[WTunnel], out-[]"
id=65308 trace_id=562 func=iprope_dnat_tree_check line=824 msg="len=1"
id=65308 trace_id=562 func=__iprope_check_one_dnat_policy line=5167 msg="checking gnum-100000 policy-1"
id=65308 trace_id=562 func=get_new_addr line=1239 msg="find DNAT: IP-10.103.0.2, port-135"
id=65308 trace_id=562 func=__iprope_check_one_dnat_policy line=5257 msg="matched policy-1, act=accept, vip=1, flag=100, sflag=2000008"
id=65308 trace_id=562 func=iprope_dnat_check line=5314 msg="result: skb_flags-02000008, vid-1, ret-matched, act-accept, flag-00000100"
id=65308 trace_id=562 func=iprope_fwd_check line=794 msg="in-[WTunnel], out-[port1], skb_flags-02000008, vid-1, app_id: 0, url_cat_id: 0"
id=65308 trace_id=562 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=83, len=2"
id=65308 trace_id=562 func=__iprope_check_one_policy line=2059 msg="checked gnum-100004 policy-9, ret-matched, act-accept"
id=65308 trace_id=562 func=__iprope_user_identity_check line=1833 msg="ret-matched"
id=65308 trace_id=562 func=__iprope_check line=2307 msg="gnum-4e20, check-0000000063659cce"
id=65308 trace_id=562 func=__iprope_check_one_policy line=2059 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=562 func=__iprope_check_one_policy line=2059 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=562 func=__iprope_check_one_policy line=2059 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=562 func=__iprope_check line=2324 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=562 func=__iprope_check_one_policy line=2277 msg="policy-9 is matched, act-accept"
id=65308 trace_id=562 func=iprope_fwd_check line=831 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-9"
id=65308 trace_id=562 func=iprope_fwd_auth_check line=850 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-9"
id=65308 trace_id=562 func=fw_pre_route_handler line=184 msg="VIP-10.103.0.2:135, outdev-unknown"
id=65308 trace_id=562 func=__ip_session_run_tuple line=3445 msg="DNAT 202.13.2.2:2222->10.103.0.2:135"
id=65308 trace_id=562 func=__vf_ip_route_input_rcu line=2001 msg="find a route: flag=00000000 gw-0.0.0.0 via port2"
id=65308 trace_id=562 func=iprope_fwd_check line=794 msg="in-[port1], out-[port2], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
id=65308 trace_id=562 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=28, len=2"
id=65308 trace_id=562 func=__iprope_check_one_policy line=2059 msg="checked gnum-100004 policy-11, ret-matched, act-accept"
id=65308 trace_id=562 func=__iprope_user_identity_check line=1833 msg="ret-matched"
id=65308 trace_id=562 func=__iprope_check line=2307 msg="gnum-4e20, check-0000000063659cce"
id=65308 trace_id=562 func=__iprope_check_one_policy line=2059 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=562 func=__iprope_check_one_policy line=2059 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=562 func=__iprope_check_one_policy line=2059 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=562 func=__iprope_check line=2324 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=562 func=__iprope_check_one_policy line=2277 msg="policy-11 is matched, act-accept"
id=65308 trace_id=562 func=iprope_fwd_check line=831 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-11"
id=65308 trace_id=562 func=iprope_fwd_auth_check line=850 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-11"
id=65308 trace_id=562 func=fw_forward_handler line=1000 msg="Allowed by Policy-11:"
id=65308 trace_id=562 func=ip_session_confirm_final line=3090 msg="npu_state=0x100, hook=4"
id=65308 trace_id=562 func=__ip_session_run_tuple line=3486 msg="run helper-dcerpc(dir=original)"
id=65308 trace_id=563 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=6, 10.103.0.2:135->10.232.0.2:58958) tun_id=0.0.0.0 from port2. flag [S.], seq 2555245847, ack 1586407246, win 65535"
id=65308 trace_id=563 func=resolve_ip_tuple_fast line=5945 msg="Find an existing session, id-00700873, reply direction"
id=65308 trace_id=563 func=__vf_ip_route_input_rcu line=2001 msg="find a route: flag=00000000 gw-10.47.2.36 via WTunnel"
id=65308 trace_id=563 func=npu_handle_session44 line=1322 msg="Trying to offloading session from port2 to WTunnel, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000100"
id=65308 trace_id=563 func=fw_forward_dirty_handler line=438 msg="state=00000204, state2=00000001, npu_state=00000100"
id=65308 trace_id=563 func=ip_session_core_in line=6559 msg="dir-1, tun_id=10.47.2.36"
id=65308 trace_id=563 func=__ip_session_run_tuple line=3432 msg="SNAT 10.103.0.2->202.13.2.2:2222"
id=65308 trace_id=563 func=__ip_session_run_tuple line=3486 msg="run helper-dcerpc(dir=reply)"
id=65308 trace_id=563 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface WTunnel, tun_id=10.47.2.36"
id=65308 trace_id=563 func=_do_ipsecdev_hard_start_xmit line=222 msg="output to IPSec tunnel WTunnel vrf 0"
id=65308 trace_id=563 func=esp_output4 line=921 msg="IPsec encrypt/auth"
id=65308 trace_id=563 func=nipsec_set_ipsec_sa_enc line=920 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={WTunnel/WowTunnel/0xae190160}), npudev=-1, skb-dev=port1"
id=65308 trace_id=563 func=nipsec_set_ipsec_sa_enc line=965 msg="IPSec encrypt SA (p1/p2/spi={WTunnel/WowTunnel/0xae190160}) offloading-check failed, reason_code=2."
id=65308 trace_id=563 func=ipsec_output_finish line=641 msg="send to 0.0.0.0 via intf-port1"
id=65308 trace_id=564 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=6, 10.232.0.2:58958->202.13.2.2:2222) tun_id=10.47.2.36 from WTunnel. flag [.], seq 1586407246, ack 2555245848, win 1026"
id=65308 trace_id=564 func=resolve_ip_tuple_fast line=5945 msg="Find an existing session, id-00700873, original direction"
id=65308 trace_id=564 func=__ip_session_run_tuple line=3445 msg="DNAT 202.13.2.2:2222->10.103.0.2:135"
id=65308 trace_id=564 func=npu_handle_session44 line=1322 msg="Trying to offloading session from WTunnel to port2, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x00000100"
id=65308 trace_id=564 func=fw_forward_dirty_handler line=438 msg="state=00010204, state2=00000001, npu_state=00000100"
id=65308 trace_id=564 func=__ip_session_run_tuple line=3486 msg="run helper-dcerpc(dir=original)"
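As an added example that is not part of the original article, the following Python script parses a constructed excerpt of the debug flow above and checks that the trace shows the two-pass hairpin path: a policy lookup from WTunnel toward port1, DNAT of the VIP to the server, a route to port2, and a second policy lookup from port1 into port2. Interface and address values come from the configuration above; the function names are the example's own.

```python
import re

# Constructed excerpt of the FortiGate debug flow above (traces 562 and 563),
# embedded so the script runs offline against a known input.
SAMPLE_FLOW = """\
id=65308 trace_id=562 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=6, 10.232.0.2:58958->202.13.2.2:2222) tun_id=10.47.2.36 from WTunnel. flag [S], seq 1586407245, ack 0, win 64240"
id=65308 trace_id=562 func=iprope_fwd_check line=794 msg="in-[WTunnel], out-[port1], skb_flags-02000008, vid-1, app_id: 0, url_cat_id: 0"
id=65308 trace_id=562 func=__iprope_check_one_policy line=2277 msg="policy-9 is matched, act-accept"
id=65308 trace_id=562 func=__ip_session_run_tuple line=3445 msg="DNAT 202.13.2.2:2222->10.103.0.2:135"
id=65308 trace_id=562 func=__vf_ip_route_input_rcu line=2001 msg="find a route: flag=00000000 gw-0.0.0.0 via port2"
id=65308 trace_id=562 func=iprope_fwd_check line=794 msg="in-[port1], out-[port2], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
id=65308 trace_id=562 func=__iprope_check_one_policy line=2277 msg="policy-11 is matched, act-accept"
id=65308 trace_id=563 func=__ip_session_run_tuple line=3432 msg="SNAT 10.103.0.2->202.13.2.2:2222"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"$')
FWD_RE = re.compile(r"in-\[(\w*)\], out-\[(\w*)\]")

def parse_flow(text):
    """Return (trace_id, func, msg) for every well-formed debug flow line."""
    found = (LINE_RE.search(line) for line in text.splitlines())
    return [(int(m[1]), m[2], m[3]) for m in found if m]

def trace_steps(events, trace_id):
    """Reduce one trace to the ordered decisions that matter for the hairpin:
    in/out interface pairs, matched policy IDs, DNAT/SNAT rewrites, route."""
    steps = []
    for _, func, msg in (e for e in events if e[0] == trace_id):
        if func == "iprope_fwd_check" and msg.startswith("in-["):
            m = FWD_RE.match(msg)
            steps.append(("fwd", m[1], m[2]))
        elif msg.startswith("policy-") and "is matched" in msg:
            steps.append(("policy", int(msg.split("-")[1].split()[0])))
        elif msg.startswith(("DNAT ", "SNAT ")):
            steps.append((msg[:4].lower(), msg[5:]))
        elif msg.startswith("find a route"):
            steps.append(("route", msg.rsplit("via ", 1)[1]))
    return steps

def check_hairpin(steps, wan_if, lan_if, vip, server):
    """Verify the two-pass path: first lookup exits toward wan_if, the VIP is
    DNATed to server, the route lands on lan_if, second lookup is wan_if->lan_if.
    Returns (ok, matched_policy_ids)."""
    fwd = [s for s in steps if s[0] == "fwd"]
    policies = [s[1] for s in steps if s[0] == "policy"]
    ok = (len(fwd) == 2 and fwd[0][2] == wan_if
          and fwd[1][1:] == (wan_if, lan_if)
          and ("dnat", f"{vip}->{server}") in steps
          and ("route", lan_if) in steps and len(policies) == 2)
    return ok, policies
```

A trace that matches only one policy, or whose second lookup is not port1 to port2, fails the check, which is the quickest way to spot a missing policy 11 or a VIP bound to the wrong interface.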
