Created on 09-22-2022 09:26 AM Edited on 12-20-2023 09:13 PM By Anthony_E
Description | This article describes how source NAT for an IPSec interface can be implemented. |
Scope | Tested on: FortiGate v6.4.10 |
Solution |
Let's consider the following network.
Scenario:
Interface 'to_FGT2' is the IPSec interface on FGT1. By default, no IP address is assigned to an IPSec interface.
Firewall policy from client to server:
Test to see if traffic from the client can reach the server:
Ping from client to server: *failed
Check the session on the firewall: FortiGate source-NATs the traffic from 192.168.15.2 to 10.191.35.112.
The trace flow confirms the above session:
FortiGate's default behavior: when the outgoing IPSec interface has no IP address, it uses the address of the interface with the lowest index number for source NAT; in this case 'port1' is chosen.
If the FortiGate uses source NAT for an IPSec interface in an HA environment with mgmt and HA interfaces enabled, and ha-mgmt-interfaces is configured to be a mgmt interface, the mgmt interface that has the lowest index is omitted from SNAT. Refer to the following KB article:
There are at least two workarounds to resolve this situation:
1. Assign an IP address to the IPSec interface.
2. Define an ippool to be used at the firewall policy.
Workaround 1: 'Assign an IP address to the IPSec interface'
*The firewall policy stays the same as before.
Workaround 2: 'Define an ippool to be used at the firewall policy'
Since both workarounds give the same result, the results for both tests are shown here:
Check the session on the firewall: FortiGate now source-NATs the traffic from 192.168.15.2 to 172.16.1.1.
The trace flow confirms the above session:
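Both workarounds and the session check from above, written out as FortiOS CLI. This is an added example, not configuration taken from the original article: the tunnel interface name 'to_FGT2', the client 192.168.15.2 and the NAT address 172.16.1.1 come from the article, while the client-facing interface 'port2', the peer address 172.16.1.2, the pool name and the policy ID are assumptions.

```fortios
# Workaround 1: give the IPsec interface its own address so SNAT uses it.
# 'to_FGT2' and 172.16.1.1 are from the article; remote-ip 172.16.1.2 is an assumed peer address.
config system interface
    edit "to_FGT2"
        set ip 172.16.1.1 255.255.255.255
        set remote-ip 172.16.1.2 255.255.255.255
    next
end

# Workaround 2: leave the interface without an address and SNAT to an IP pool instead.
# Pool name and policy ID 1 are assumptions; 'port2' is the assumed client-facing interface.
config firewall ippool
    edit "ipsec-snat-pool"
        set type overload
        set startip 172.16.1.1
        set endip 172.16.1.1
    next
end
config firewall policy
    edit 1
        set name "client-to-server"
        set srcintf "port2"
        set dstintf "to_FGT2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "ipsec-snat-pool"
    next
end

# Check: the session from the client must now show 172.16.1.1 as the NAT source.
diagnose sys session filter clear
diagnose sys session filter src 192.168.15.2
diagnose sys session list

# Trace flow for the same client while the ping runs from the client.
diagnose debug flow filter clear
diagnose debug flow filter addr 192.168.15.2
diagnose debug flow trace start 10
diagnose debug enable
# Once the ping has completed, stop the debug output again.
diagnose debug disable
```

With either workaround, the remote FortiGate must route 172.16.1.1 back through the tunnel (its phase 2 selectors and routes must cover that address), otherwise the reply packets never return.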
Conclusion:
*Assign an IP address to the IPSec interface
*Define an IPpool to be used at the firewall policy
Related documents: Site-to-site IPsec VPN with two FortiGate devices |