iskandar_lie (Staff)
Article Id 224533
Description: This article describes how source NAT on an IPsec interface can be implemented.
Scope: Tested on FortiGate v6.4.10.
Solution

Let's consider the following network.

iskandar_lie_0-1663850740388.png

Scenario:

1. The client (192.168.15.2) will communicate with the server (192.168.16.2).
2. The IPsec interface is the outgoing interface on which source NAT is required.

Interface 'to_FGT2' is the IPsec interface on FGT1. By default, no IP address is assigned to an IPsec interface.

iskandar_lie_1-1663850771920.png

 

Firewall policy from client to server:

 

iskandar_lie_2-1663850796669.png

 

Test whether traffic from the client can reach the server.

Ping from client to server: failed.

iskandar_lie_3-1663850817549.png

 

Check the session on the firewall: FortiGate source-NATs the traffic from 192.168.15.2 using 10.191.35.112.

iskandar_lie_4-1663850846607.png

 

Trace flow confirms the above session:

 iskandar_lie_5-1663850890285.png
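The session check and flow trace shown in the screenshots can be reproduced from the FortiOS CLI. The commands below are an added example, not part of the original article; the addresses are the ones from the scenario (client 192.168.15.2, server 192.168.16.2), and the comments describe what to look for rather than reproducing the screenshot output.

```fortios
# Restrict the session table to the client/server pair, then list it.
diagnose sys session filter clear
diagnose sys session filter src 192.168.15.2
diagnose sys session filter dst 192.168.16.2
diagnose sys session list
# In the listing, the line starting "hook=post dir=org act=snat" shows the
# translated source address in parentheses. With no IP on the IPsec
# interface it is 10.191.35.112 (port1, the lowest-index interface);
# after either workaround from this article it is 172.16.1.1.

# Flow trace for the same traffic (ICMP = protocol 1).
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 192.168.16.2
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... ping from the client now; the trace prints the matched policy and
# the SNAT address chosen for the session ...
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset
```

Always finish with `diagnose debug disable` and `diagnose debug reset`: a flow trace left running on a production unit keeps consuming CPU and fills the console/log with per-packet lines.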

 

This is FortiGate's default behavior: when the outgoing interface has no IP address, source NAT uses the address of the interface with the lowest index number. Since the IPsec interface has no IP address, 'port1' is chosen in this case.

If the FortiGate uses source NAT on an IPsec interface in an HA environment where the mgmt and HA interfaces are enabled, and ha-mgmt-interfaces is configured to use the mgmt interface, then the mgmt interface with the lowest index is omitted from SNAT. Please refer to the following KB article:

Technical Tip: For HA environment with enabled mgmt and ha interface, how Source-NAT works for IPsec...

iskandar_lie_6-1663850918225.png

 

There are at least two workarounds to resolve this situation:

1. Assign an IP address to the IPsec interface.
2. Define an IP pool to be used in the firewall policy.

Workaround 1: Assign an IP address to the IPsec interface

iskandar_lie_7-1663850964607.png

 

The firewall policy stays the same as before.

Workaround 2: Define an IP pool to be used in the firewall policy

1. Create an IP pool:

iskandar_lie_8-1663851040449.png

 

2. Assign the IP pool to the firewall policy:

iskandar_lie_9-1663851061505.png
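Both workarounds expressed as FortiOS CLI configuration on FGT1, as an added example that is not part of the original article. The interface name 'to_FGT2' and the SNAT address 172.16.1.1 come from the article; the tunnel remote address 172.16.1.2, the pool name "snat_to_FGT2" and the policy ID placeholder are assumptions. Apply one workaround or the other, not both.

```fortios
# Workaround 1: give the IPsec interface its own IP address.
# The remote-ip (172.16.1.2) is assumed; use the peer's tunnel address.
config system interface
    edit "to_FGT2"
        set ip 172.16.1.1 255.255.255.255
        set remote-ip 172.16.1.2 255.255.255.255
    next
end
# The existing policy (with NAT enabled) is unchanged; SNAT now uses 172.16.1.1.

# Workaround 2: an overload IP pool selected in the firewall policy.
config firewall ippool
    edit "snat_to_FGT2"
        set type overload
        set startip 172.16.1.1
        set endip 172.16.1.1
    next
end

config firewall policy
    edit <policy-id>        # placeholder: ID of the client-to-server policy
        set nat enable
        set ippool enable
        set poolname "snat_to_FGT2"
    next
end
```

Whichever workaround is used, the peer side must accept 172.16.1.1 as a source: FGT2's phase 2 selectors (or a 0.0.0.0/0 selector) and its inbound firewall policy have to cover that address, otherwise the translated packets are dropped on arrival and the ping still fails even though the session on FGT1 now shows the intended SNAT address.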

 

Both workarounds give the same result, so the test results below apply to both:

  • Test whether traffic from the client can reach the server.
  • Ping from client to server: success.

iskandar_lie_10-1663851109129.png

 

Check the session on the firewall: FortiGate source-NATs the traffic from 192.168.15.2 using 172.16.1.1.

iskandar_lie_11-1663851127273.png

 

Trace flow confirms the above session:

 

iskandar_lie_12-1663851155972.png

 

Conclusion:

 

  • By default, a newly created IPsec interface has no IP address; if it is used as the outgoing interface for source NAT, FortiGate will use the IP address of the interface with the lowest index.
  • There are at least two workarounds to resolve this situation:
    * Assign an IP address to the IPsec interface.
    * Define an IP pool to be used in the firewall policy.

Related documents:

Site-to-site IPsec VPN with two FortiGate devices

Technical Tip: How to configure SNAT with IP pool

Static SNAT