Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JMenefee
New Contributor

Site to site VPN with NAT - Step by Step guide

Hello,

I'll start by saying I am new to Fortigate products.

I am trying to set up a new site-to-site VPN with NAT involved and I am new to the Fortigate firewall. Below is the information about the Fortigate and VPN tunnel. I looked for a step-by-step setup guide and have not found what I need to successfully set up a working tunnel with NAT. I'm setting up the Fortigate side and the client is setting up the remote peer side. Any help is appreciated. If there is more information needed please advise.

Fortigate model = Fortigate VM64 (in cloud) v 6.2.3 build 1066
Fortigate WAN = 10.10.2.x
Fortigate LAN = 10.10.0.X
Local IP server = 10.10.0.28

Remote peer = 123.78.140.250
Remote subnets = 123.78.140.29 and 123.78.140.30
NAT IP = 10.255.12.240

IKE Auth Method = pre-shared key
IKE Encryption Algorithm = AES256
IKE Hash Algorithm = SHA1
IKE Diffie-Hellman Group = 2
Phase 1 lifetime = 86400
IPsec Encryption Algorithm = AES256
IPsec Integrity Algorithm = SHA1
Perfect Forward Secrecy = Disabled
Mode = Tunnel
IP Payload Compression = Disabled
Dead Peer Detection = On

Thank you in advance.

John

3 REPLIES
FortiGab
New Contributor

Did you enable NAT-T?

Living our FortiLife
emnoc
Esteemed Contributor III

We don't work for free, but here's a basic cfg assuming IKEv1, and assuming you SNAT your LAN behind 10.255.12.240.

# 1st the end side that terminates the 2x public address

config vpn ipsec phase1-interface
    edit "spoke1-FGT"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set peertype one
        set proposal aes256-sha1
        set localid "hubvpn.example.com"
        set localid-type fqdn
        set dpd on-idle
        set dhgrp 2
        set peerid "spokeFGT.example.com"
        # stick your PSK here
        set psksecret blahblahblbah
    next
end

config vpn ipsec phase2-interface
    edit "spoke1-FGT-1"
        set phase1name "spoke1-FGT"
        set proposal aes256-sha1
        set pfs disable
        set src-subnet 123.78.140.29/32
        set dst-subnet 10.255.12.240/32
    next
    edit "spoke1-FGT-2"
        set phase1name "spoke1-FGT"
        set proposal aes256-sha1
        set pfs disable
        set src-subnet 123.78.140.30/32
        set dst-subnet 10.255.12.240/32
    next
end

config router static
    edit 0
        set dst 10.255.12.240 255.255.255.255
        set device "spoke1-FGT"
    next
end

# do not forget your policy tied to the spoke1-FGT interface, I'm not wasting my time writing a policy example for you

# ===================== other side: FGT that has no public address =====================

config vpn ipsec phase1-interface
    edit "hub1-FGT"
        set type static
        set interface "wan1"
        set ike-version 1
        set peertype one
        set proposal aes256-sha1
        set localid "spokeFGT.example.com"
        set localid-type fqdn
        set dhgrp 2
        set peerid "hubvpn.example.com"
        set remote-gw 123.78.140.250
        # stick your PSK here
        set psksecret blahblahblbah
        # adjust keepalive as required
        set keepalive 12
    next
end

config vpn ipsec phase2-interface
    edit "hub1-FGT-1"
        set phase1name "hub1-FGT"
        set proposal aes256-sha1
        set pfs disable
        set dst-subnet 123.78.140.29/32
        set src-subnet 10.255.12.240/32
    next
    edit "hub1-FGT-2"
        set phase1name "hub1-FGT"
        set proposal aes256-sha1
        set pfs disable
        set dst-subnet 123.78.140.30/32
        set src-subnet 10.255.12.240/32
    next
end

# now for policy you should create an IP NAT pool for the to-be-NAT'd address of 10.255.12.240

config firewall ippool
    edit "10.255.12.240"
        set startip 10.255.12.240
        set endip 10.255.12.240
    next
end

Now for ANY firewall policy that you bind to that IPsec virtual interface, you use that IP NAT pool, so the clients are SNATed behind it, e.g.:

config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "hub1-FGT"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "10.255.12.240"
    next
end

config router static
    edit 0
        set dst 123.78.140.29 255.255.255.255
        set device "hub1-FGT"
    next
    edit 0
        set dst 123.78.140.30 255.255.255.255
        set device "hub1-FGT"
    next
end

You can add or restrict the policy addresses; I'm not going to waste my time writing out an example, but the above would get you up.

I charge 145 p/HR if you need consulting or services

Ken Felix
PCNSE
NSE
StrongSwan
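The two sides above only work if every phase2 selector on one FortiGate is mirrored (src and dst swapped) on the other, the SNAT host matches the phase2 src-subnet, and each remote /32 has a static route over the tunnel interface. The following script is an added example, not code from this thread or from Fortinet: a minimal parser for non-nested FortiOS CLI text plus two checks, run against constructed samples trimmed from the configs above (the spoke sample keeps a mistyped route so the check has something to catch).

```python
import shlex
def parse_fortios(text):  # minimal parser for non-nested FortiOS CLI -> {(table, edit): {key: values}}
    objs, table, edit = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # '#' starts a comment, as in the thread
        head = tok[0] if tok else ""           # blank lines (the thread has many) are skipped
        if head == "config":
            table = " ".join(tok[1:])
        elif head == "edit":
            edit = tok[1]
        elif head == "set" and edit is not None:
            objs.setdefault((table, edit), {})[tok[1]] = tok[2:]
        elif head in ("next", "end"):          # the route blocks above close with 'end' only
            edit = None
    return objs

def selectors(objs):  # phase2 traffic selectors (src-subnet, dst-subnet) -> phase1 name
    return {(o["src-subnet"][0], o["dst-subnet"][0]): o["phase1name"][0]
            for (t, _), o in objs.items() if t == "vpn ipsec phase2-interface"}

def unmirrored(side_a, side_b):  # selectors the other peer does not carry with src/dst swapped
    a, b = selectors(parse_fortios(side_a)), selectors(parse_fortios(side_b))
    return sorted({k for k in a if k[::-1] not in b} | {k for k in b if k[::-1] not in a})

def missing_routes(text):  # dst-subnet hosts with no static route via that phase2's tunnel
    objs = parse_fortios(text)
    routes = {(o["dst"][0], o["device"][0]) for (t, _), o in objs.items() if t == "router static"}
    return sorted(d.split("/")[0] for (_, d), p1 in selectors(objs).items()
                  if (d.split("/")[0], p1) not in routes)

# Constructed samples trimmed from the thread; SPOKE keeps the route typo (122.x instead of 123.x).
HUB = """config vpn ipsec phase2-interface
edit "spoke1-FGT-1"
set phase1name "spoke1-FGT"
set src-subnet 123.78.140.29/32
set dst-subnet 10.255.12.240/32
next
end"""
SPOKE = """config vpn ipsec phase2-interface
edit "hub1-FGT-1"
set phase1name "hub1-FGT"
set src-subnet 10.255.12.240/32
set dst-subnet 123.78.140.29/32
next
end
config router static
edit 1
set dst 122.78.140.29 255.255.255.255
set device "hub1-FGT"
end"""
```

Running `unmirrored(HUB, SPOKE)` returns an empty list, while `missing_routes(SPOKE)` reports 123.78.140.29 because the only route points at 122.78.140.29.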

emnoc
Esteemed Contributor III

NAT-T is enabled by default for ISAKMP KAs


Ken Felix

PCNSE 

NSE 

StrongSwan