Created on
09-22-2022
09:26 AM
Edited on
03-03-2025
12:37 AM
By
Jean-Philippe_P
Description | This article describes how source-NAT for IPSec interface can be implemented. |
Scope | FortiGate. |
Solution |
Let's consider the following network.
Scenario:
Interface 'to_FGT2' is the IPSec interface at FGT1. By default, no IP-address is assigned to the IPSec interface.
Firewall policy from client to server:
Test to see if the traffic from the client can reach the server. Ping from client to server – *failed
Check the session on the firewall. FortiGate source-nats the traffic 192.168.15.2 with 10.191.35.112.
Trace flow confirms the above session:
FortiGate basic behavior: it will choose the interface with the lowest index number, since the IPSec interface has no IP address, in this case, 'port1' is chosen.
The command 'diagnose netlink interface list' can be used to verify the interface index.
If the FortiGate uses Source-NAT for the IPSEC interface on the HA environment with enabled mgmt and ha interface and if configuring ha-mgmt-interfaces to be an mgmt interface, the mgmt interface that has the lowest index is omitted from SNAT. Refer to the following KB article :
There are at least two workarounds to resolve this situation:
Workaround 1: 'Assign an IP address to IPSec interface'.
*Firewall policy stays the same as before.
Workaround 2: 'Define an ippool to be used at firewall policy'.
If Central NAT is utilized for NAT translation, ensure to configure a central NAT policy to implement SNAT.
Example: Make sure an IP pool is created before setting up a Central SNAT rule.
To create a Central SNAT:
CLI configuration :
config firewall central-snat-map
Related article: Technical Tip: How to configure source port translation using Central SNAT policy
Note: Make sure that the NATed source IP (172.16.1.1) is included in the phase2 selectors as a local address. Otherwise, the traffic will be dropped with msg="No matching IPsec selector, drop". The phase2 selectors can be verified on the GUI -> VPN -> IPsec Tunnels -> Edit -> Phase 2 Selectors.
Since both workarounds will give us the same result, the results for both tests are here:
Test to see if the traffic from the client can reach the server. Ping from client to server – *success.
Check session on the firewall: FortiGate source-nats the traffic 192.168.15.2 with 172.16.1.1.
Trace flow confirms the above session:
Conclusion:
Related documents: Site-to-site IPsec VPN with two FortiGate devices Technical Tip: How to configure SNAT with IP pool Technical Tip: How to configure an IPsec tunnel with Overlapping Subnets using VIPs |