Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kay_kang
New Contributor

Best practice solution for setup of IPSec VPN behind two NAT devices

Hi,

I'm seeking the best solution for an IPSec VPN setup on a FortiGate firewall behind two NAT routers.

Branch firewall is behind two NAT routers and DC firewall has only one direct ISP link, as in the attached snapshot.

What would be the best solution for IPSec VPN setup with redundancy for this design?

[Attachment: IPSec tunnel with NAT.PNG]

3 REPLIES
jintrah_FTNT
Staff

Hi,

You can have a redundant VPN setup; this doc might be helpful: https://docs.fortinet.com/document/fortigate/6.2.10/cookbook/432685/manual-redundant-vpn-configurati...

Best regards,

Jin

bpozdena_FTNT

If we consider that your network remains exactly as depicted in your diagram, there is probably nothing wrong with just configuring a single IPsec tunnel per ISP link on the remote site. As long as you keep NAT-T enabled, all should work just fine.

You then just need to decide on your traffic distribution and fail-over behavior. You can configure the behavior manually with static or policy routes, dynamic routing, or perhaps a bit more dynamically with SD-WAN.

If you are not too familiar with any of this, don't worry. You can try the FortiOS built-in SD-WAN wizard that will configure it all for you. In case you need to troubleshoot the functionality afterwards, it will probably be most efficient to open a support ticket.

HTH,

Boris
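As an added illustration of the approach Boris describes (this is not configuration from the thread or from Fortinet), a minimal branch-side FortiOS CLI skeleton: one IKEv2 tunnel per ISP uplink with NAT-T and DPD enabled, and two static routes to the DC subnet with different priorities so the second tunnel takes over when the first is marked down. The interface names, subnets, the DC public address 203.0.113.10 and the PSK placeholder are assumptions; the branch is assumed to have two NAT'd uplinks and to initiate the tunnels, since it sits behind NAT.

```fortios
# Branch FortiGate: one tunnel per ISP uplink; the branch initiates since it is behind NAT.
# nattraversal enable = IKE/ESP carried in UDP 4500 so both NAT hops can forward it.
config vpn ipsec phase1-interface
    edit "dc_via_isp1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set remote-gw 203.0.113.10
        set nattraversal enable
        set dpd on-idle
        set psksecret REPLACE_WITH_PSK
    next
    edit "dc_via_isp2"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set remote-gw 203.0.113.10
        set nattraversal enable
        set dpd on-idle
        set psksecret REPLACE_WITH_PSK
    next
end
config vpn ipsec phase2-interface
    edit "dc_via_isp1_p2"
        set phase1name "dc_via_isp1"
        set auto-negotiate enable
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.255.0
    next
    edit "dc_via_isp2_p2"
        set phase1name "dc_via_isp2"
        set auto-negotiate enable
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.255.0
    next
end
# Equal distance, different priority: both routes stay installed, ISP1 is
# preferred, and the ISP2 route carries traffic once DPD brings tunnel 1 down.
config router static
    edit 10
        set dst 10.20.0.0 255.255.255.0
        set device "dc_via_isp1"
        set priority 0
    next
    edit 11
        set dst 10.20.0.0 255.255.255.0
        set device "dc_via_isp2"
        set priority 10
    next
end
```

Firewall policies between the LAN and both tunnel interfaces are still required, and the DC side needs a matching phase1 per branch uplink on its single WAN (remote-gw set to each NAT router's public address, or a dialup phase1 that accepts both).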
vsahu
Staff

Hello,

You can follow the article below if you want to use SD-WAN with this setup to manage the VPN. This article has a similar setup to yours.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984...

Regards,

Vsahu