FortiGate
syao
Staff
Article Id 339595
Description This article describes how to use a single VIP object on a FortiGate for bidirectional traffic through an IPsec tunnel when the Phase 2 selectors must be specific host addresses, without using an IP Pool for SNAT. This setup is typically needed for business-to-business connections where both parties specify exactly which IP addresses are permitted to communicate, and the local server must be presented to the peer under a fixed NAT address in both directions.
Scope FortiOS 7.0, 7.2, 7.4.
Solution

In this diagram, Server A and Server B communicate with each other through the IPsec tunnel, and either side may initiate the traffic. Server A (real address 192.168.1.100) must appear to Site B as 100.100.100.100, so that address, not 192.168.1.100, is the one carried in the Phase 2 selector.


[diagram.png: Site A (Server A, 192.168.1.100, FortiGate) and Site B (Server B, 200.200.200.200) connected by the IPsec tunnel "ToSiteB"]

Phase2-interface configuration

The local selector (src-subnet) is the NAT address 100.100.100.100/32, not Server A's real address 192.168.1.100, and the remote selector (dst-subnet) is the address Site B presents for Server B, 200.200.200.200/32. Traffic from Server A must therefore be translated before it enters the tunnel, which is what the VIP object below provides.

config vpn ipsec phase2-interface
    edit "ToSiteB"
        set phase1name "ToSiteB"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-subnet 100.100.100.100 255.255.255.255
        set dst-subnet 200.200.200.200 255.255.255.255
    next
end

On the Site A FortiGate, a single VIP object is enough to fulfill this requirement: it performs the DNAT for inbound connections to 100.100.100.100 and, with nat-source-vip enabled, the SNAT for outbound connections from 192.168.1.100. No IP Pool is needed.

config firewall vip
    edit "ServerA-SiteB-VIP"
        set uuid 1cd14a88-6b51-51ef-736a-2feef4af85c7
        set extip 100.100.100.100
        set mappedip "192.168.1.100"
        set extintf "ToSiteB"
        set nat-source-vip enable
        set srcintf-filter "ToSiteB"
    next
end

nat-source-vip enable: the FortiGate performs SNAT for 192.168.1.100 to the VIP external IP (100.100.100.100).
srcintf-filter "ToSiteB": the FortiGate performs that SNAT for 192.168.1.100 ONLY when the traffic goes out via "ToSiteB".

For outbound traffic (Server A to Server B):

  1. Create a firewall policy from the LAN interface to ToSiteB with the NAT option enabled and no IP Pool selected. Because the VIP has nat-source-vip enabled, the source 192.168.1.100 is translated to the VIP external IP 100.100.100.100 instead of the egress interface address, so the packet matches the Phase 2 selector 100.100.100.100/32 -> 200.200.200.200/32. The example uses service "ALL"; for a business-to-business link, restrict both policies to the services actually required.

config firewall policy
    edit 4
        set name "FromLANtoSiteB"
        set srcintf "port7"
        set dstintf "ToSiteB"
        set action accept
        set srcaddr "ServerA"
        set dstaddr "SiteB"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

For inbound traffic (Server B to Server A):

  1. Create a firewall policy from ToSiteB to the LAN interface with the VIP object in the destination field. Do not enable NAT on this policy: the VIP performs the DNAT from 100.100.100.100 to 192.168.1.100, and the source 200.200.200.200 stays unchanged, so Server A sees Server B's selector address.

config firewall policy
    edit 3
        set name "FromSiteBtoLAN"
        set srcintf "ToSiteB"
        set dstintf "port7"
        set action accept
        set srcaddr "SiteB"
        set dstaddr "ServerA-SiteB-VIP"
        set schedule "always"
        set service "ALL"
    next
end
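The two policies above reference the address objects "ServerA" and "SiteB", which the article does not define, and the result is easiest to confirm from the CLI. The following is an added example, not part of the original article: assumed definitions of those two objects (ServerA as the real host 192.168.1.100/32 and SiteB as the remote selector 200.200.200.200/32, both inferred from the VIP and Phase 2 settings above) followed by the diagnose commands used to verify that outbound sessions leave the tunnel as 100.100.100.100 and that inbound sessions are mapped back to 192.168.1.100.

```fortios
# Added example (not from the original article). The two address objects
# are assumptions: their names match policies 3 and 4, and the /32 values
# are inferred from the VIP mappedip and the Phase 2 dst-subnet.
config firewall address
    edit "ServerA"
        set subnet 192.168.1.100 255.255.255.255
    next
    edit "SiteB"
        set subnet 200.200.200.200 255.255.255.255
    next
end

# 1. Confirm the Phase 2 selectors negotiated with the peer are the two
#    /32 hosts (100.100.100.100 <-> 200.200.200.200).
diagnose vpn tunnel list name ToSiteB

# 2. Watch what leaves the tunnel interface while Server A initiates a
#    connection. The source address seen on ToSiteB must be
#    100.100.100.100, not 192.168.1.100. Stop with Ctrl-C.
diagnose sniffer packet ToSiteB 'host 200.200.200.200' 4 0 a

# 3. Check the session table. An outbound session from Server A should show
#    a SNAT entry with 100.100.100.100 as the translated source; an inbound
#    session from Site B should show a DNAT entry mapping 100.100.100.100
#    to 192.168.1.100 and no source translation.
diagnose sys session filter clear
diagnose sys session filter dst 200.200.200.200
diagnose sys session list
diagnose sys session filter clear
diagnose sys session filter src 200.200.200.200
diagnose sys session list
diagnose sys session filter clear

# 4. If traffic is dropped in either direction, trace the policy and NAT
#    decisions for one flow, generate the traffic, then stop the trace.
diagnose debug flow filter clear
diagnose debug flow filter addr 200.200.200.200
diagnose debug flow trace start 20
diagnose debug enable
#    ... generate a connection from Server A, then from Server B ...
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

The sniffer step is the quickest check that the VIP, not the policy NAT fallback to the egress interface address, is providing the source translation: if the capture on ToSiteB shows 192.168.1.100 as the source, the packet will not match the Phase 2 selector and the peer will drop it.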
