nevan
Staff
Article Id 397465
Description This article describes the scenario in which NAT with an IP pool is applied before the IPsec tunnel for the source or local network subnets, causing traffic to fail because it does not match the phase 2 selectors.
Scope FortiGate, FortiVM.
Solution

When an IPsec tunnel is initiated from FortiGate and a floating NAT IP or an IP pool is used for the local network subnet or source, NAT is applied before the traffic enters the tunnel. In that case, the NAT IP address object, address group, or range must be the source selector in the phase 2 configuration instead of the local subnet or network.

If the LAN address object is set as the phase 2 source selector, the traffic will not match any phase 2 selector and will be dropped. The debug flow shows the packet being dropped:

2025-06-20 15:54:28 id=65308 trace_id=28 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 192.168.10.60:19571->169.168.0.198:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=19571, seq=279."
2025-06-20 15:54:28 id=65308 trace_id=28 func=resolve_ip_tuple_fast line=5974 msg="Find an existing session, id-0dab619a, original direction"
2025-06-20 15:54:28 id=65308 trace_id=28 func=ipv4_fast_cb line=53 msg="enter fast path"
2025-06-20 15:54:28 id=65308 trace_id=28 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface CEDA_BTC, tun_id=0.0.0.0"
2025-06-20 15:54:28 id=65308 trace_id=28 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel CEDA_BTC, tun_id=169.168.0.198, vrf 0"
2025-06-20 15:54:28 id=65308 trace_id=28 func=ipsec_common_output4 line=917 msg="No matching IPsec selector, drop"
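As an added triage helper (not part of the article), the following Python snippet parses `diagnose debug flow` output of the form shown above, groups the lines by trace_id, and reports each trace that ended in a "No matching IPsec selector" drop together with the packet's source, destination and the tunnel name, so the source address can be compared directly against the phase 2 source selector. The sample input is the article's own debug output copied into a string; the regular expressions assume the line layout shown above.

```python
import re
from collections import defaultdict

# Sample input: the article's own debug flow lines, copied into a string.
SAMPLE_DEBUG_FLOW = """\
2025-06-20 15:54:28 id=65308 trace_id=28 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 192.168.10.60:19571->169.168.0.198:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=19571, seq=279."
2025-06-20 15:54:28 id=65308 trace_id=28 func=resolve_ip_tuple_fast line=5974 msg="Find an existing session, id-0dab619a, original direction"
2025-06-20 15:54:28 id=65308 trace_id=28 func=ipv4_fast_cb line=53 msg="enter fast path"
2025-06-20 15:54:28 id=65308 trace_id=28 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface CEDA_BTC, tun_id=0.0.0.0"
2025-06-20 15:54:28 id=65308 trace_id=28 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel CEDA_BTC, tun_id=169.168.0.198, vrf 0"
2025-06-20 15:54:28 id=65308 trace_id=28 func=ipsec_common_output4 line=917 msg="No matching IPsec selector, drop"
"""

# One debug flow line: only the trace id, the function and the quoted message are needed.
LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"\s*$')
# Packet header printed by print_pkt_detail: protocol and the src/dst tuple as received.
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)')
# Tunnel the packet was handed to before the selector lookup.
TUN_RE = re.compile(r'output to IPSec tunnel (?P<tunnel>\S+),')


def parse_debug_flow(text):
    """Group debug flow lines by trace_id and pick out packet tuple, tunnel and drop reason."""
    traces = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a debug flow line (prompt, blank line, etc.)
        info = traces[m["trace"]]
        msg = m["msg"]
        pkt = PKT_RE.search(msg)
        if pkt:
            info["packet"] = pkt.groupdict()
        tun = TUN_RE.search(msg)
        if tun:
            info["tunnel"] = tun["tunnel"]
        if msg.endswith(", drop"):
            info["drop_reason"] = msg
    return dict(traces)


def selector_drops(text):
    """Return one record per trace that was dropped with 'No matching IPsec selector'."""
    drops = []
    for trace_id, info in parse_debug_flow(text).items():
        if "No matching IPsec selector" not in info.get("drop_reason", ""):
            continue
        pkt = info.get("packet", {})
        drops.append({
            "trace_id": trace_id,
            "src": pkt.get("src"),
            "dst": pkt.get("dst"),
            "tunnel": info.get("tunnel"),
        })
    return drops


if __name__ == "__main__":
    for d in selector_drops(SAMPLE_DEBUG_FLOW):
        print(f"trace {d['trace_id']}: {d['src']} -> {d['dst']} dropped on tunnel {d['tunnel']}; "
              "compare the source against the phase 2 src selector")
```

Feed it the captured output of `diagnose debug flow` for the affected session; each reported source address is what the selector lookup saw, and if it is a NAT pool address rather than the LAN host, the phase 2 source selector needs the pool range.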

For example, if the local network host or server IP range is 1.2.3.50 to 1.2.3.55 and the NAT pool range is 192.168.10.60 to 192.168.10.70, masquerading the LAN IPs, the IP pool configuration can look like the following. Note that in a fixed-port-range pool, startip/endip define the translated addresses and source-startip/source-endip define the original source addresses being translated; the phase 2 selector must reference the translated range.

CLI:

config firewall ippool
    edit "IPOOL_for_VPN"
        set type fixed-port-range
        set startip 1.2.3.50
        set endip 1.2.3.55
        set source-startip 192.168.10.60
        set source-endip 192.168.10.70
    next
end

An address object of type iprange must be created for the NAT IP range.

config firewall address
    edit "POOL_ADDR_GROUP"
        set type iprange
        set start-ip 192.168.10.60
        set end-ip 192.168.10.70
    next
end

Once the object is created, set it as the source in the phase 2 selector.

config vpn ipsec phase2-interface
    edit "IPSec_VPN"
        set phase1name "IPSec_VPN"
        set src-addr-type name
        set dst-addr-type name
        set src-name "POOL_ADDR_GROUP"    <----
        set dst-name "IPSec_VPN_remote"
    next
end

The incoming and outgoing firewall policies must include the address object 'POOL_ADDR_GROUP' in their source and destination addresses. Once this is set, the phase 2 selectors find the appropriate match for the local and remote hosts, and traffic continues to pass after NAT is applied to the local subnets or networks.
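The following Python script is an added example (not Fortinet's code) that applies the check described above to a FortiOS configuration text: it parses the `firewall ippool`, `firewall address` and `vpn ipsec phase2-interface` tables and reports any phase 2 source selector that matches a pool's original (pre-NAT) range but does not cover the pool's translated range, which is what the tunnel's selector lookup will see. The configuration inside it is constructed with made-up names and addresses; it relies on the FortiOS meaning of a fixed-port-range pool (startip/endip are the translated addresses, source-startip/source-endip the original source addresses), checks only the source side, and handles flat tables only (no nested sub-tables).

```python
import ipaddress
import shlex

# Constructed FortiOS CLI sample with made-up names and addresses (not the
# article's configuration). In a fixed-port-range pool, startip/endip are the
# translated addresses and source-startip/source-endip the original LAN ones.
# Destination selectors are omitted because this check only looks at the source.
SAMPLE_CONFIG = """
config firewall ippool
    edit "NAT_POOL_for_VPN"
        set type fixed-port-range
        set startip 192.168.10.60
        set endip 192.168.10.70
        set source-startip 10.1.1.50
        set source-endip 10.1.1.55
    next
end
config firewall address
    edit "POOL_ADDR"
        set type iprange
        set start-ip 192.168.10.60
        set end-ip 192.168.10.70
    next
    edit "LAN_ADDR"
        set subnet 10.1.1.0 255.255.255.0
    next
end
config vpn ipsec phase2-interface
    edit "VPN_OK"
        set src-addr-type name
        set src-name "POOL_ADDR"
    next
    edit "VPN_BAD"
        set src-addr-type name
        set src-name "LAN_ADDR"
    next
end
"""

def parse_fortios(text):
    """Parse flat FortiOS tables into {table: {entry: {key: [values]}}} (no nested sub-tables)."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "config":
            table = tables.setdefault(" ".join(tokens[1:]), {})
        elif tokens[0] == "edit":
            entry = table.setdefault(tokens[1], {})
        elif tokens[0] == "set":
            entry[tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            entry = None
    return tables

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def address_range(addr):
    """(first, last) integers for an ipmask (default) or iprange address object."""
    if addr.get("type", ["ipmask"])[0] == "iprange":
        return ip_int(addr["start-ip"][0]), ip_int(addr["end-ip"][0])
    ip, mask = addr["subnet"]
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return int(net.network_address), int(net.broadcast_address)

def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def covers(outer, inner):
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def find_selector_mismatches(config_text):
    """List (phase2, selector, pool) where the src selector matches the pool's
    pre-NAT range but does not cover the translated range the tunnel will see."""
    cfg = parse_fortios(config_text)
    addrs = cfg.get("firewall address", {})
    findings = []
    for p2_name, p2 in cfg.get("vpn ipsec phase2-interface", {}).items():
        if p2.get("src-addr-type", ["subnet"])[0] != "name":
            continue  # only named-object selectors are checked here
        sel_name = p2["src-name"][0]
        selector = address_range(addrs[sel_name])
        for pool_name, pool in cfg.get("firewall ippool", {}).items():
            if "source-startip" not in pool:
                continue  # overload pools carry no explicit original range
            original = (ip_int(pool["source-startip"][0]), ip_int(pool["source-endip"][0]))
            translated = (ip_int(pool["startip"][0]), ip_int(pool["endip"][0]))
            if overlaps(selector, original) and not covers(selector, translated):
                findings.append((p2_name, sel_name, pool_name))
    return findings

if __name__ == "__main__":
    for p2, sel, pool in find_selector_mismatches(SAMPLE_CONFIG):
        print(f"{p2}: src selector {sel} matches pool {pool} before NAT but not after; "
              "traffic will hit 'No matching IPsec selector, drop'")
```

Run it against a `show full-configuration` export to list tunnels whose source selector still points at the LAN object while an IP pool rewrites those sources; in the sample, VPN_OK passes and VPN_BAD is reported.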


Related article:
Troubleshooting Tip: IPsec VPN Tunnel Errors Due to Traffic Not Matching Selectors