Fortinet Forum
Kyza
New Contributor

Site-to-site IPsec vpn tunnel behind a NAT router

Hi all,

 

I have very limited exposure and experience configuring firewalls and I'm completely new to using FortiGate products. However, part of my new job requires working with and understanding FortiGate firewalls, setting up VPNs, etc., so please excuse my ignorance!

 

I have a basic IPsec VPN question.

I need to configure a site-to-site IPsec VPN tunnel between two sites.

 

Site 1: The main company HQ site is using a FortiGate 60C. The FortiGate has a public IP on its WAN interface, which is directly facing the internet.

 

Site 2: The branch site will be using a FortiGate 30D. This site is a rented office space which uses an internet connection from the landlord's network that we have no control of. The branch FortiGate WAN interface will be directly connected to a spare LAN interface on the landlord's NAT router (a Netgear N150 Wireless MODEM Router DGN1000).

 

The purpose of the IPsec VPN is to allow staff at the branch site to access a Windows server on the HQ's LAN.

 

Is it possible to set up the IPsec tunnel even though the branch FortiGate sits behind a NAT router?

It is important that I set this up without making drastic changes (or no changes at all) to the landlord's network. Understandably the landlord is not keen on me making changes to his Netgear router to get the vpn tunnel between the two sites working.

 

I have looked through the FortiGate support documentation, but could not figure out how to do it. I'm sure it is straightforward, as I'm guessing this scenario is not that uncommon. The closest I have come is this video, but it mentions dialup, and I'm not sure it is related to what I want: http://video.fortinet.com/video/102/site-to-site-ipsec-vpn-behind-firewall-nat-device.

 

I would appreciate any advice.

 

Many thanks,

 

Kyza

Sandeep_FTNT
Staff

Hi Kyza, 

Here I understand that you don't have control of the landlord's router, but the router still needs to allow VPN traffic to the FortiGate 30D, so on the router you need to configure port forwarding (VPN ports UDP 500 and UDP 4500) to send VPN traffic to the 30D FortiGate WAN interface.

 

After completing the above, if the landlord has a static public IP on the Netgear N150, then you configure the site-to-site VPN in the regular way according to the video KB below:

 

http://video.fortinet.com...-setup-using-static-ip

 

If the landlord has a dynamic public IP on the Netgear N150, then you can use the same video KB that you posted.

ede_pfau
Esteemed Contributor III

Hi,

 

and welcome to the forums.

 

This isn't very complicated, and doesn't need to be. Your first idea with a Dialup VPN is correct. The branch FGT doesn't have a public IP address so this cannot be used for authentication. This means that a static site-to-site VPN is not possible. Instead, just let the branch FGT make the initial connection to the HQ FGT ("dial-up"), the NG router will NAT this traffic and allow the HQ's replies through back to the remote FGT.

 

Just make sure that you enable "NAT traversal" on both FGTs, in phase1 setup! This will force the FGTs to encapsulate ESP traffic in UDP traffic (which will be allowed out), using ports 500 and 4500.

 

Note that for the remote side initializing the VPN there is no need for any port forwarding on the intermediate router. For authentication, a "peer ID" will be used instead of the WAN IP. All of this is nicely documented, either in the FortiOS Cookbook or the video you mentioned.

 

In a way, a dialup site-to-site VPN is similar to a FortiClient (VPN software) dialup VPN from host to site. Both have at least one NAT router in between, which is no problem at all.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
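As an added illustration of the dialup arrangement Ede describes (this is not configuration from the thread or from Fortinet), the FortiOS CLI below sets up the HQ FortiGate as the dialup server and the branch FortiGate as the initiator, with NAT traversal on both ends and a peer ID in place of the branch WAN IP. The interface names, the LAN subnets, the HQ address 203.0.113.10 and the PSK placeholder are assumptions.

```fortios
# HQ FortiGate 60C: dialup server (assumed WAN interface "wan1", assumed HQ LAN 192.168.1.0/24)
config vpn ipsec phase1-interface
    edit "branch-dialup"
        # dynamic = accept a peer that has no fixed public IP
        set type dynamic
        set interface "wan1"
        # IKEv1 PSK with peer ID needs aggressive mode on both ends
        set mode aggressive
        # only the peer presenting this ID is matched; the PSK still authenticates it
        set peertype one
        set peerid "branch-site"
        # encapsulate ESP in UDP 4500 so the landlord's NAT can pass it
        set nattraversal enable
        set proposal aes256-sha256
        set psksecret "REPLACE-WITH-LONG-RANDOM-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "branch-dialup-p2"
        set phase1name "branch-dialup"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# Branch FortiGate 30D behind the Netgear: initiator (assumed WAN interface "wan", branch LAN 192.168.2.0/24)
config vpn ipsec phase1-interface
    edit "to-hq"
        set type static
        set interface "wan"
        set mode aggressive
        # placeholder for HQ's real public WAN address
        set remote-gw 203.0.113.10
        # must match peerid on the HQ side
        set localid "branch-site"
        set nattraversal enable
        # NAT-T keepalives keep the Netgear's UDP port mapping alive
        set keepalive 10
        set proposal aes256-sha256
        set psksecret "REPLACE-WITH-LONG-RANDOM-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "to-hq-p2"
        set phase1name "to-hq"
        # branch brings the tunnel up itself instead of waiting for traffic
        set auto-negotiate enable
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
```

Firewall policies between the tunnel interface and the LAN, plus a static route to the far LAN via the tunnel, are still needed on each side; `diagnose vpn ike gateway list` on either FortiGate shows whether the peer was detected behind NAT and negotiation moved to UDP 4500.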
Kyza
New Contributor

Thanks very much, both. I'm going to be configuring this today; I will report back on how I get on.

 

Cheers

Allwyn_Mascarenhas

ede_pfau wrote:

Hi,

 

and welcome to the forums.

 

This isn't very complicated, and doesn't need to be. Your first idea with a Dialup VPN is correct. The branch FGT doesn't have a public IP address so this cannot be used for authentication. This means that a static site-to-site VPN is not possible. Instead, just let the branch FGT make the initial connection to the HQ FGT ("dial-up"), the NG router will NAT this traffic and allow the HQ's replies through back to the remote FGT.

 

Just make sure that you enable "NAT traversal" on both FGTs, in phase1 setup! This will force the FGTs to encapsulate ESP traffic in UDP traffic (which will be allowed out), using ports 500 and 4500.

 

Note that for the remote side initializing the VPN there is no need for any port forwarding on the intermediate router. For authentication, a "peer ID" will be used instead of the WAN IP. All of this is nicely documented, either in the FortiOS Cookbook or the video you mentioned.

 

In a way, a dialup site-to-site VPN is similar to a FortiClient (VPN software) dialup VPN from host to site. Both have at least one NAT router in between, which is no problem at all.

Can't we put the Netgear WAN's static IP as the remote IP in the FGT phase1 and forward ports to the FGT, and do it this way as well?

emnoc
Esteemed Contributor III

Follow Ede's advice and the suggestions of the cookbooks; this is a very trivial operation to complete. Please be aware of NAT-T and any Netgear issues with regards to udp/500 and udp/4500. The connection will first attempt through udp/500 for IKE, and once the far end finds out through your IKE transaction that you're a NATed device, you will handshake off to udp/4500.

 

Other than any NAT-T issues and NAT translations of port 4500, the complete configuration is as simple as 1 2 3...

 

FWIW: If you want to avoid any NAT-T issues, you could also look at IKEv2.

 

PCNSE 

NSE 

StrongSwan