FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
iskandar_lie (Staff)
Article Id 224533
Description: This article describes how source NAT can be implemented on an IPsec interface.
Scope: FortiGate.
Solution

Let's consider the following network.

[network diagram]

Scenario:

  1. The client (192.168.15.2) communicates with the server (192.168.16.2).
  2. The IPsec interface is the outgoing interface, and source NAT must be applied on it.

Interface 'to_FGT2' is the IPsec interface on FGT1. By default, no IP address is assigned to an IPsec interface.

[screenshot]

Firewall policy from client to server:

[screenshot]

Test whether traffic from the client can reach the server.

Ping from client to server: failed.

[screenshot]

Check the session on the firewall. FortiGate source-NATs the traffic from 192.168.15.2 to 10.191.35.112.

[screenshot]

The trace flow output confirms the session above:

[screenshot]

This is FortiGate's default behavior: when the outgoing interface has no IP address, the firewall uses the IP address of the interface with the lowest index number. Since the IPsec interface has no IP address, 'port1' is chosen in this case.

The command 'diagnose netlink interface list' can be used to verify the interface index.

[screenshot]

If the FortiGate uses source NAT on the IPsec interface in an HA environment where a mgmt interface and an HA interface are enabled, and ha-mgmt-interfaces is configured to use the mgmt interface, the mgmt interface with the lowest index is omitted from SNAT. Refer to the following KB article:

Technical Tip: For HA environment with enabled mgmt and ha interface, how Source-NAT works for IPsec...

[screenshot]

There are at least two workarounds to resolve this situation:

  1. Assign an IP address to the IPSec interface.
  2. Define an ippool to be used at firewall policy.

Workaround 1: 'Assign an IP address to IPSec interface'.

[screenshot]

The firewall policy stays the same as before.

Workaround 2: 'Define an ippool to be used at firewall policy'.

  1. Create the IP pool:

[screenshot]

  2. Assign the IP pool to the firewall policy:

[screenshot]

If Central NAT is used for NAT translation, make sure a central SNAT policy is configured to implement the SNAT.

Example:

Make sure an IP pool is created before setting up a Central SNAT rule.

To create a Central SNAT:

  1. Navigate to Policy & Objects.
  2. Select Central SNAT.
  3. Select 'Create New' and fill in the following details:
  • Incoming Interface: port3 (local LAN interface).
  • Outgoing Interface: to_fgt2 (IPsec tunnel name).
  • Source Address: to_fgt2_local (local firewall LAN source IP address).
  • IP Pool: Select the created IP pool, e.g., 'ippool_for_ipsec'.

[screenshot]

CLI configuration:

config firewall central-snat-map
    edit 1
        set uuid 038f5e3a-f6ce-51ef-585c-3f7d708f8e70
        set srcintf "port3"
        set dstintf "to_FGT2"
        set orig-addr "to_FGT2_local"
        set dst-addr "all"
        set nat-ippool "ippool_for_ipsec"
    next
end

Related article:

Technical Tip: How to configure source port translation using Central SNAT policy

Note:

Make sure that the NATed source IP (172.16.1.1) is included in the phase 2 selectors as a local address. Otherwise, the traffic is dropped with the message msg="No matching IPsec selector, drop". The phase 2 selectors can be verified in the GUI under VPN -> IPsec Tunnels -> Edit -> Phase 2 Selectors.

[screenshot: Phase 2 selectors]
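
For reference, both workarounds and the phase 2 selector check can also be applied from the CLI using the addresses of the scenario above. This is an added example, not configuration taken from the article or from Fortinet: the pool name 'ippool_for_ipsec' and the address object 'to_FGT2_local' come from the article, while the policy ID and name, the address object 'to_FGT2_remote', the phase 2 name 'to_FGT2' and the /24 server subnet are assumed. Apply only one of the two workarounds.

```fortios
# Workaround 1: assign an IP address to the IPsec interface; with
# 'set nat enable' on the existing policy it becomes the SNAT address.
config system interface
    edit "to_FGT2"
        set ip 172.16.1.1 255.255.255.255
    next
end

# Workaround 2: leave the interface unnumbered and SNAT to a fixed
# pool address instead (pool name from the article).
config firewall ippool
    edit "ippool_for_ipsec"
        set type overload
        set startip 172.16.1.1
        set endip 172.16.1.1
    next
end

# Policy ID, name and the 'to_FGT2_remote' address object are assumed.
config firewall policy
    edit 1
        set name "client_to_server"
        set srcintf "port3"
        set dstintf "to_FGT2"
        set srcaddr "to_FGT2_local"
        set dstaddr "to_FGT2_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "ippool_for_ipsec"
    next
end

# Either way, the post-NAT source 172.16.1.1 must fall inside the
# phase 2 local selector, or the tunnel drops the traffic with
# "No matching IPsec selector, drop". The phase 2 name and the /24
# server subnet are assumed.
config vpn ipsec phase2-interface
    edit "to_FGT2"
        set phase1name "to_FGT2"
        set src-subnet 172.16.1.1 255.255.255.255
        set dst-subnet 192.168.16.0 255.255.255.0
    next
end
```

After the change, 'diagnose sys session list' should show 192.168.15.2 translated to 172.16.1.1 for sessions leaving 'to_FGT2', as in the results below.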

Both workarounds give the same result, so the test results below apply to both:

Test whether traffic from the client can reach the server.

Ping from client to server: success.

[screenshot]

Check the session on the firewall: FortiGate source-NATs the traffic from 192.168.15.2 to 172.16.1.1.

[screenshot]

The trace flow output confirms the session above:

[screenshot]

Conclusion:

  • By default, a newly created IPsec interface has no IP address, so when it is used as the outgoing interface for source NAT, FortiGate picks the IP address of the interface with the lowest index.
  • There are at least two workarounds to resolve this situation:
    • Assign an IP address to the IPsec interface.
    • Define an IP pool to be used in the firewall policy.

Related documents:

Site-to-site IPsec VPN with two FortiGate devices

Technical Tip: How to configure SNAT with IP pool

Static SNAT

Technical Tip: How to configure an IPsec tunnel with Overlapping Subnets using VIPs