Created on 10-12-2004 12:00 AM Edited on 06-07-2022 12:04 AM By Anthony_E
Description
This article describes how to configure a FortiOS v2.80 gateway-to-gateway IPsec tunnel and use outbound NAT on the tunnel so that hosts on overlapping subnets on either side of the tunnel can reach each other. It also describes using multiple policies to overcome the restriction that IPsec NAT-out does not support address groups.
After the tunnel is established, hosts on each side can communicate with hosts on the other side using mapped IP addresses. For example, the PC (see the diagram below) can communicate with the Server using IP address 40.40.40.200. Firewall 1 maps connections for IP address 30.30.30.200 to IP address 10.1.1.1. The router then maps this IP address to 172.16.254.10.
Note: This feature is not available in v2.80 MR3 build 184 and MR4 build 219.
Products
The sample configuration uses the following versions of the FortiGate Antivirus Firewall:
- FortiGate-300 v2.80 build 249.
- FortiGate-400 v2.80 build 249.
Network
Firewall1 (FortiGate-300) VPN policy 1:
  local 10.1.1.0/24 - remote 40.40.40.0/24; local subnet NAT out as 20.20.20.0/24
Firewall1 (FortiGate-300) VPN policy 2:
  local 172.16.254.0/24 - remote 40.40.40.0/24; local subnet NAT out as 30.30.30.0/24
Firewall2 (FortiGate-400) VPN policy:
  local 10.1.1.0/24 - remote 20.20.20.0/24 and 30.30.30.0/24; local subnet NAT out as 40.40.40.0/24
Prerequisites
The configuration is based on the following assumptions:
- The IP address of the external interface of both firewalls is a public IP address.
- The default gateway of both firewalls points to an address on the external interface.
Configurations
Cisco router configuration.
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/1
 ip address 172.16.254.1 255.255.255.0
ip route 40.40.40.0 255.255.255.0 10.1.1.10
Firewall1 FortiGate-300 configuration.
# config system interface
    edit 'internal'
        set ip 10.1.1.10 255.255.255.0
    next
    edit 'external'
        set ip 64.114.95.228 255.255.255.128
    next
end

# config vpn ipsec phase1
    edit 'FG400'
        set dpd enable
        set nattraversal enable
        set proposal 3des-sha1 3des-md5
        set psksecret 123456
        set remotegw 64.114.95.229
    next
end

# config vpn ipsec phase2
    edit 'FG300'
        set pfs enable
        set phase1name FG400
        set proposal 3des-sha1 3des-md5
        set replay enable
        set wildcardid enable
    next
end

# config firewall address
    edit 'all'
    next
    edit 'vpn-local-10'
        set subnet 10.1.1.0 255.255.255.0
    next
    edit 'vpn-local-172'
        set subnet 172.16.254.0 255.255.255.0
    next
    edit 'vpn-remote-40'
        set subnet 40.40.40.0 255.255.255.0
    next
end

# config firewall policy
    edit 3
        set srcintf 'internal'
        set dstintf 'external'
        set srcaddr 'vpn-local-172'
        set dstaddr 'vpn-remote-40'
        set action encrypt
        set schedule 'always'
        set service 'ANY'
        set natip 30.30.30.0 255.255.255.0
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel 'FG300'
    next
    edit 2
        set srcintf 'internal'
        set dstintf 'external'
        set srcaddr 'vpn-local-10'
        set dstaddr 'vpn-remote-40'
        set action encrypt
        set schedule 'always'
        set service 'ANY'
        set natip 20.20.20.0 255.255.255.0
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel 'FG300'
    next
end

# config router static
    edit 2
        set device 'internal'
        set dst 172.16.254.0 255.255.255.0
        set gateway 10.1.1.1
    next
end
Firewall2 FortiGate-400 configuration.
# config vpn ipsec phase1
    edit 'FG300'
        set dpd enable
        set nattraversal enable
        set proposal 3des-sha1 3des-md5
        set psksecret 123456
        set remotegw 64.114.95.228
    next
end

# config vpn ipsec phase2
    edit 'FG300'
        set pfs enable
        set phase1name FG300
        set proposal 3des-sha1 3des-md5
        set replay enable
        set wildcardid enable
    next
end

# config firewall address
    edit 'all'
    next
    edit 'vpn-remote-20'
        set subnet 20.20.20.0 255.255.255.0
    next
    edit 'vpn-remote-30'
        set subnet 30.30.30.0 255.255.255.0
    next
    edit 'vpn-local'
        set subnet 10.1.1.0 255.255.255.0
    next
end

# config firewall addrgrp
    edit 'vpn-remote'
        set member 'vpn-remote-20' 'vpn-remote-30'
    next
end

# config firewall policy
    edit 1
        set srcintf 'port1'
        set dstintf 'port2'
        set srcaddr 'vpn-local'
        set dstaddr 'vpn-remote'
        set action encrypt
        set schedule 'always'
        set service 'ANY'
        set natip 40.40.40.0 255.255.255.0
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel 'FG300'
    next
end
Verifying the results
Verifying on the PC and Server.
PC is able to access Server:
  ping 30.30.30.10
  telnet 30.30.30.10
Server is able to access PC:
  ping 40.40.40.1
Verifying the Firewall1 FG300 status.
Fortigate-300 # diag vpn t l
tunnel[8]:FG300, gateway:64.114.95.229:500, hub=, option=38
eroute[2]:{[172.16.254.*]}->{[40.40.40.*]}
eroute[2]:{[10.1.1.*]}->{[40.40.40.*]}
channel[2]:64.114.95.228,natt=0,state=2,keepalive=0,oif=3
sa[4]:mtu=1434, cur_bytes=6380, timeout=1776
itdb[1]:mtu=1434, cur_bytes=2552, cur_packets=29, spi=9f23f35f, replay=64
3DES=bdf1f899c964123f33d260a8d1fc2dc0f806c5703d0b4cbc iv=0000000000000000 SHA1_HMAC=f34f3cee9324e7d55d66af5bd51fb45a0efe054e
otdb[1]:mtu=1434, cur_bytes=2552, cur_packets=29, spi=48f32f37, replay=64
3DES=2a7037ac9ed3d76f6184b86aea63edf9ab3859fd37eef53a iv=edfea69f26323700 SHA1_HMAC=302b6c99a26b3acb11e03fae2e15f7b082e7a1b6

Fortigate-300 # diag sys sess li
session info: proto=1 proto_state=00 expire=29 timeout=3600 use=3 bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 logtype= session ha_id=0 hakey=10498 tunnel=/FG300
state=re may_dirty
statistic(bytes/packets): org=6384/76 reply=6384/76 tuples=2
orgin->sink: org pre->post, reply pre->post oif=2/3 gwy=10.1.1.1/64.114.95.254
hook=pre dir=org act=dnat 40.40.40.1:4438->20.20.20.1:8(10.1.1.1:8)
hook=post dir=reply act=snat 10.1.1.1:8->40.40.40.1:0(20.20.20.1:4438)
misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=00000f17 tos=ff/ff

session info: proto=1 proto_state=00 expire=29 timeout=3600 use=3 bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 logtype= session ha_id=0 hakey=9739 tunnel=/FG300
state=re may_dirty
statistic(bytes/packets): org=6888/82 reply=6888/82 tuples=2
orgin->sink: org pre->post, reply pre->post oif=2/3 gwy=10.1.1.1/64.114.95.254
hook=pre dir=org act=dnat 40.40.40.1:4182->30.30.30.10:8(172.16.254.10:8)
hook=post dir=reply act=snat 172.16.254.10:8->40.40.40.1:0(30.30.30.10:4182)
misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=00000f12 tos=ff/ff
Verifying the Firewall2 status.
Fortigate-400 # diag vpn t l
tunnel[6]:FG300, gateway:64.114.95.228:500, hub=, option=38
eroute[2]:{[10.1.1.*]}->{[20.20.20.*][30.30.30.*]}
channel[2]:64.114.95.229,natt=0,state=2,keepalive=0,oif=3
sa[4]:mtu=1434, cur_bytes=83820, timeout=1598
itdb[1]:mtu=1434, cur_bytes=33528, cur_packets=381, spi=48f32f37, replay=64
3DES=2a7037ac9ed3d76f6184b86aea63edf9ab3859fd37eef53a iv=0000000000000000 SHA1_HMAC=302b6c99a26b3acb11e03fae2e15f7b082e7a1b6
otdb[1]:mtu=1434, cur_bytes=33528, cur_packets=381, spi=9f23f35f, replay=64
3DES=bdf1f899c964123f33d260a8d1fc2dc0f806c5703d0b4cbc iv=05784ee548f10a00 SHA1_HMAC=f34f3cee9324e7d55d66af5bd51fb45a0efe054e

Fortigate-400 # diag sys sess l
session info: proto=1 proto_state=00 expire=29 timeout=3600 use=3 bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 logtype= session ha_id=0 hakey=5378 tunnel=FG300/
state=oe may_dirty
statistic(bytes/packets): org=20076/239 reply=20076/239 tuples=2
orgin->sink: org pre->post, reply pre->post oif=3/2 gwy=64.114.95.254/10.1.1.1
hook=post dir=org act=snat 10.1.1.1:4438->20.20.20.1:8(40.40.40.1:4438)
hook=pre dir=reply act=dnat 20.20.20.1:4438->40.40.40.1:0(10.1.1.1:4438)
misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=00001253 tos=ff/ff

session info: proto=1 proto_state=00 expire=29 timeout=3600 use=3 bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 logtype= session ha_id=0 hakey=7947 tunnel=FG300/
state=oe may_dirty
statistic(bytes/packets): org=20580/245 reply=20580/245 tuples=2
orgin->sink: org pre->post, reply pre->post oif=3/2 gwy=64.114.95.254/10.1.1.1
hook=post dir=org act=snat 10.1.1.1:4182->30.30.30.10:8(40.40.40.1:4182)
hook=pre dir=reply act=dnat 30.30.30.10:4182->40.40.40.1:0(10.1.1.1:4182)
misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=0000124e tos=ff/ff
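The address mapping these policies produce, as an added Python model that is not part of the original article: each encrypt policy maps its single srcaddr subnet 1:1 onto its natip subnet with the host bits kept, which is what the act=snat and act=dnat session lines show, and there is one policy per local subnet because NAT-out takes no address group. The policy table, the firewall names and the helper functions are constructed for this illustration; check_policies flags the two mismatches worth ruling out before debugging IKE.

```python
import ipaddress

# Constructed model of the encrypt policies in this article, per firewall:
# (srcaddr subnet, dstaddr subnets, natip subnet). IPsec NAT-out maps the
# local subnet 1:1 onto natip with the host bits kept, which is what the
# "act=snat 172.16.254.10:8->40.40.40.1:0(30.30.30.10 ...)" session line shows.
POLICIES = {
    "FG300": [("10.1.1.0/24", ["40.40.40.0/24"], "20.20.20.0/24"),
              ("172.16.254.0/24", ["40.40.40.0/24"], "30.30.30.0/24")],
    "FG400": [("10.1.1.0/24", ["20.20.20.0/24", "30.30.30.0/24"], "40.40.40.0/24")],
}
PEER = {"FG300": "FG400", "FG400": "FG300"}


def translate(fw, addr, direction):
    """'out': real local source -> mapped source the peer sees (act=snat).
    'in': mapped destination -> real local host (act=dnat).
    Returns None when no encrypt policy covers the address."""
    ip = ipaddress.ip_address(addr)
    for src, _dst, natip in POLICIES[fw]:
        real, mapped = ipaddress.ip_network(src), ipaddress.ip_network(natip)
        frm, to = (real, mapped) if direction == "out" else (mapped, real)
        if ip in frm:
            return str(to.network_address + (int(ip) - int(frm.network_address)))
    return None


def trace(src_fw, src_ip, dst_as_dialed):
    """What the far-side host sees: (source address, its own real address)."""
    return translate(src_fw, src_ip, "out"), translate(PEER[src_fw], dst_as_dialed, "in")


def check_policies():
    """Mismatches to rule out before debugging IKE: each side's natip subnets
    must be exactly what the peer lists as remote, and no natip may overlap a
    real subnet on either side, or the mapped addresses collide with real ones."""
    problems = []
    reals = [ipaddress.ip_network(s) for p in POLICIES.values() for s, _d, _n in p]
    for fw, peer in PEER.items():
        mine = {n for _s, _d, n in POLICIES[fw]}
        theirs = {d for _s, dsts, _n in POLICIES[peer] for d in dsts}
        if mine != theirs:
            problems.append(f"{fw} natip {sorted(mine)} != {peer} remote {sorted(theirs)}")
        for n in mine:
            if any(ipaddress.ip_network(n).overlaps(r) for r in reals):
                problems.append(f"{fw} natip {n} overlaps a real subnet")
    return problems
```

trace("FG400", "10.1.1.1", "30.30.30.10") reproduces the PC-to-Server session above: the Server sees the PC as 40.40.40.1 and Firewall1 delivers to 172.16.254.10.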
Troubleshooting
# diag deb enable: Enable debug output on the remote console.
# diag deb app ike 2: Display the IPsec IKE negotiation.
# diag sniff packets: Display packets coming in and going out on the interfaces.
Copyright 2024 Fortinet, Inc. All Rights Reserved.