Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
iskandar_lie
Staff
Staff

Created on ‎09-22-2022 09:26 AM Edited on ‎11-25-2024 04:55 AM By Staff

Article Id 224533

Technical Tip: Implement Source-NAT for IPsec interface

Description This article describes how source-NAT for IPSec interface can be implemented.
Scope FortiGate.
Solution

Let's consider the following network.

 

iskandar_lie_0-1663850740388.png

Scenario:

 

  1.  The client (192.168.15.2) will communicate with the server (192.168.16.2).
  2. IPSec interface is the outgoing interface where source-nat is required to be implemented.

 

Interface 'to_FGT2' is the IPSec interface at FGT1 – by default no IP-address is assigned to IPSec interface.

 

iskandar_lie_1-1663850771920.png

 

Firewall policy from client to server:

 

iskandar_lie_2-1663850796669.png

 

Test to see if the traffic from the client can reach the server

 

Ping from client to server – *failed

 

iskandar_lie_3-1663850817549.png

 

Check session on firewall –  FortiGate source-nats the traffic 192.168.15.2 with 10.191.35.112.

 

iskandar_lie_4-1663850846607.png

 

Trace flow confirms the above session:

 iskandar_lie_5-1663850890285.png

 

FortiGate basic behavior: it will choose the interface with the lowest index number, since the IPSec interface has no IP address, in this case, 'port1' is chosen.

 

If the FortiGate uses Source-NAT for the IPSEC interface on HA environment with enabled mgmt and ha interface and if you configure ha-mgmt-interfaces to be an mgmt interface, the mgmt interface that has the lowest index is omitted from SNAT. Please refer to the following KB article : 

Technical Tip: For HA environment with enabled mgmt and ha interface, how Source-NAT works for IPsec...

 

iskandar_lie_6-1663850918225.png

 

There are at least two workarounds to resolve this situation:

 

  1. Assign an IP address to IPSec interface.

     2. Define an ippool to be used at firewall policy.

 

Workaround 1: 'Assign an IP address to IPSec interface'

 

iskandar_lie_7-1663850964607.png

 

*Firewall policy stays the same as before.

 

Workaround 2: 'Define an ippool to be used at firewall policy'

 

  1. Create IPpool:

 

iskandar_lie_8-1663851040449.png

 

  1. Assign IPpool to the firewall policy:

 

iskandar_lie_9-1663851061505.png

 

Note:

Make sure that the NATed source IP (172.16.1.1) is included in the phase2 selectors as a local address. Otherwise, the traffic will be dropped with msg="No matching IPsec selector, drop". The phase2 selectors can be verified on the GUI -> VPN -> IPsec Tunnels -> Edit -> Phase 2 Selectors.

 

phase2 selector.PNG

 

Since both workarounds will give us the same result, the results for both tests are here:

 

  • Test to see if the traffic from the client can reach the server.
  • Ping from client to server – *success

 

iskandar_lie_10-1663851109129.png

 

Check session on the firewall: FortiGate source-nats the traffic 192.168.15.2 with 172.16.1.1.

 

iskandar_lie_11-1663851127273.png

 

Trace flow confirms the above session:

 

iskandar_lie_12-1663851155972.png

 

Conclusion:

  • By default, IPSec created will have no IP address (if the outgoing interface is used for source-nat purpose) and FortiGate will choose any ip-address interface with the lowest index.
  • There are at least two workarounds to resolve this situation:       

* Assign an IP address to the IPSec interface.

* Define an IPpool to be used at the firewall policy

 

Related documents:

Site-to-site IPsec VPN with two FortiGate devices

Technical Tip: How to configure SNAT with IP pool

Static SNAT

Technical Tip: How to configure an IPsec tunnel with Overlapping Subnets using VIPs
17538
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.