Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bob654
New Contributor

IPSec Tunnel with NAT - packets not received

Hi,

I have to configure an IPSec tunnel between a FortiGate VM (local) and a FortiWiFi 40F (remote).
The remote site has a network configuration already used by another IPSec tunnel, so I have to add NAT on this tunnel.

The tunnel is UP and the configurations seem to be OK, but no packets are received on the remote site.

 

Some information:
<Local Networks> : 10.9.0.0/16 ; 10.20.0.0/16
<Remote Network> : 192.168.1.0/24
<Remote Network with NAT> : 192.168.10.0/24

 

My configuration:

  • on VM:

- IPSEC Tunnel :

local address : <Local Networks>
Remote Address : <Remote Network with NAT>

- Static route :

set dst 192.168.10.0 255.255.255.0
set device "vpn"

- Firewall policy :

Accept ALL from <Local Networks> to <Remote Network with NAT>

 

  • on FortiWiFi:

- IPSEC Tunnel :

local address : <Remote Network with NAT>
Remote Address : <Local Networks>

- Static route :

set dst 10.0.0.0 255.0.0.0
set device "vpn"

- Firewall policy :

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "vpn"
        set srcaddr "<Remote Network>"
        set dstaddr "<Local Networks>"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname "ip-pool"
        set nat enable
    next
end

 

config firewall ippool
    edit "ip-pool"
        set startip 192.168.10.1
        set endip 192.168.10.254
        set source-startip 192.168.1.1
        set source-endip 192.168.1.254
    next
end


config firewall policy
    edit 2
        set srcintf "vpn"
        set dstintf "internal"
        set srcaddr "<Local Networks>"
        set dstaddr "vip"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

 

config firewall vip
    edit "vip"
        set extip 192.168.10.1-192.168.10.254
        set mappedip "192.168.1.1-192.168.1.254"
    next
end

 

Problem:
On local:

diagnose sniffer packet vpn
4.101766 10.20.x.x -> 192.168.10.x: icmp: echo request
8.716446 10.20.x.x -> 192.168.10.x: icmp: echo request
13.714733 10.20.x.x -> 192.168.10.x: icmp: echo request
18.715851 10.20.x.x -> 192.168.10.x: icmp: echo request


On remote:

diagnose sniffer packet vpn
<<nothing>>

 

Packets are sent from local but not received by remote.
Do you have any ideas?

1 Solution
bob654
New Contributor

Hi ntaneja,

Thanks to the debug, I found the mistake.
My ping tests were done from a VM with multiple NICs. The ping was received from the wrong interface (so the wrong IP), and this subnet was not set in the IPSec tunnel.

I've tested from another VM with one NIC in the right VLAN and it works fine.

Thanks for your help!

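The root cause above (a source address that no phase-2 selector covers, so the packet is routed to the tunnel interface and shows up in the local sniffer but is never encapsulated) can be checked mechanically before anyone opens a debug session. The following is an added example, not code from the thread or from Fortinet: it parses lines in the format of the `diagnose sniffer packet vpn` output quoted in the question, tests each src/dst pair against the VM side's selectors (10.9.0.0/16 and 10.20.0.0/16 to 192.168.10.0/24), and applies the FortiWiFi VIP mapping (192.168.10.x to 192.168.1.x) to show which real host a NAT'd destination reaches. The concrete host addresses and the 10.30.0.0/16 "second NIC" subnet are constructed for the example; the thread only gives masked values.

```python
import ipaddress
import re

# Phase-2 selectors of the VM side, as given in the question: two local
# networks and the NAT'd remote network.
LOCAL_SELECTORS = [
    ipaddress.ip_network("10.9.0.0/16"),
    ipaddress.ip_network("10.20.0.0/16"),
]
REMOTE_SELECTOR = ipaddress.ip_network("192.168.10.0/24")

# The FortiWiFi VIP from the question: extip 192.168.10.1-254 maps to
# mappedip 192.168.1.1-254, so the real host behind the tunnel can be derived.
VIP_EXT_START = ipaddress.ip_address("192.168.10.1")
VIP_EXT_END = ipaddress.ip_address("192.168.10.254")
VIP_MAPPED_START = ipaddress.ip_address("192.168.1.1")

# Constructed sniffer lines in the format of the `diagnose sniffer packet vpn`
# output quoted in the question. 10.20.1.5 stands for the VM's NIC in a tunnel
# subnet; 10.30.1.5 is a hypothetical second NIC whose subnet is in no selector.
SAMPLE_SNIFFER = """\
4.101766 10.20.1.5 -> 192.168.10.20: icmp: echo request
8.716446 10.30.1.5 -> 192.168.10.20: icmp: echo request
13.714733 10.20.1.5 -> 192.168.1.20: icmp: echo request
"""

SNIFFER_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+(?P<rest>.*)$"
)


def parse_sniffer_line(line):
    """Return a dict with ts/src/dst/rest for one sniffer line, or None if it does not parse."""
    m = SNIFFER_RE.match(line)
    if m is None:
        return None
    return {
        "ts": float(m.group("ts")),
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "rest": m.group("rest"),
    }


def selector_verdict(src, dst, local_selectors=LOCAL_SELECTORS, remote_selector=REMOTE_SELECTOR):
    """Classify a packet seen on the tunnel interface against the phase-2 selectors.

    Routing can hand a packet to the "vpn" interface (so the sniffer shows it)
    even when no selector covers its src/dst pair; such a packet is never
    encapsulated, which matches the "sent locally, nothing on remote" symptom.
    """
    if not any(src in net for net in local_selectors):
        return "src-not-in-local-selectors"
    if dst not in remote_selector:
        return "dst-not-in-remote-selector"
    return "ok"


def vip_translate(dst):
    """Map a NAT'd destination (192.168.10.x) to the real host (192.168.1.x) via the VIP.

    Returns None when the address is outside the VIP's external range.
    """
    dst = ipaddress.ip_address(dst)
    if not (VIP_EXT_START <= dst <= VIP_EXT_END):
        return None
    return VIP_MAPPED_START + (int(dst) - int(VIP_EXT_START))


def audit(sniffer_text):
    """Run every parseable sniffer line through the selector check."""
    results = []
    for line in sniffer_text.splitlines():
        pkt = parse_sniffer_line(line)
        if pkt is None:
            continue
        verdict = selector_verdict(pkt["src"], pkt["dst"])
        mapped = vip_translate(pkt["dst"]) if verdict == "ok" else None
        results.append({
            "src": str(pkt["src"]),
            "dst": str(pkt["dst"]),
            "verdict": verdict,
            "real_dst_behind_vip": None if mapped is None else str(mapped),
        })
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_SNIFFER):
        print(r)
```

The second sample line reproduces the thread's mistake: its source is on the VM's other NIC, so the verdict is "src-not-in-local-selectors" even though the destination is right. The third line shows the mirror error of pinging the real remote subnet instead of the NAT'd one. Only the first line is "ok", and for it the VIP mapping tells you that 192.168.10.20 ends up at 192.168.1.20 behind the FortiWiFi, which is the address to filter on in `diag debug flow` on the remote side.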

2 Replies
ntaneja
Staff

Hi bob654,

As per the sniffer info you shared from the local FGT, the packet seems to leave interface vpn, but the actual packet processing is seen in the debug flow output.

Set up the PuTTY sessions below on both FGTs first, and then initiate the traffic from local to remote.
ON LOCAL:
Putty 1:
diag debug reset
diag debug en
diag debug console timestamp enable
diag debug flow filter clear
diag debug flow filter addr 192.168.10.X
diag debug flow filter proto 1
diag debug flow trace start 999

Before executing the above commands, ensure that there are no existing sessions from the IP. After executing the above commands, ping the destination IP behind the remote side. Once you see the output generated, enter the following commands to turn off debugging:

diag debug disable
diag debug reset

Putty 2:
get router info routing-table details 192.168.10.X
get router info routing-table details <src ip>


ON REMOTE:
Putty 1:
diag debug reset
diag debug en
diag debug console timestamp enable
diag debug flow filter clear
diag debug flow filter addr 10.20.X.X
diag debug flow filter proto 1
diag debug flow trace start 999

Before executing the above commands, ensure that there are no existing sessions from the IP. After executing the above commands, ping the destination IP behind the remote side. Once you see the output generated, enter the following commands to turn off debugging:

diag debug disable
diag debug reset

Putty 2:
get router info routing-table details 192.168.1.X
get router info routing-table details <10.20.x.x>

Thanks

