I'll start by saying I am new to Fortigate products.
I am trying to setup a new site to site VPN with NAT involved and I am new to the Fortigate firewall. Below is the information about the Fortigate and VPN tunnel. I looked for a step by step setup guide and have not found what I need to successfully setup a working tunnel with NAT. I'm setting up the Fortigate side and the client is setting up the remote peer side. Any help is appreciated. If there is more information needed please advise.
Fortigate model = Fortigate VM64 (in cloud) v 6.2.3 build 1066
We don't work for free but here's a basic cfg assume ikev1 , assuming your SNAT your lan behind 10.255.12.240
# 1st the end side that terminates the 2x public address
config vpn ipsec phase1-interface edit "spoke1-FGT" set type dynamic set interface "wan1" set ike-version 1 set peertype one set proposal aes256-sha1 set localid "hubvpn.example.com" set localid-type fqdn set dpd on-idle set dhgrp 2 set peerid "spokeFGT.example.com" set psksecret blahblahblbah. < - stick your PSK here nextend config vpn ipsec phase2-interface edit "spoke1-FGT-1" set phase1name "spoke1-FGT" set proposal aes256-sha1 set pfs disable set src-subnet 22.214.171.124/32 set dst-subnet 10.255.12.240/32 next edit "spoke1-FGT-2" set phase1name "spoke1-FGT" set proposal aes256-sha1 set pfs disable set src-subnet 126.96.36.199/32 set dst-subnet 10.255.12.240/32 nextend config router static edit 0 set dst 10.255.12.240 255.255.255.255 set device "spoke1-FGT" end # do not forget your policy tied to spoke1-FGT interface, I'm not wasting my time writing a policy example for you =====================other side FGT that has no public-address ====== config vpn ipsec phase1-interface edit "hub1-FGT" set type static set interface "wan1" set ike-version 1 set peertype one set proposal aes256-sha1 set localid "spokeFGT.example.com" set localid-type fqdn set dhgrp 2 set peerid "hubvpn.example.com" set remote-gw 188.8.131.52 set psksecret blahblahblbah. <- stick yoru PSK here set keepalive 12 <-----adjust KeepAlive as required nextend config vpn ipsec phase2-interface edit "hub1-FGT-1" set phase1name "hub1-FGT" set proposal aes256-sha1 set pfs disable set dst-subnet 184.108.40.206/32 set src-subnet 10.255.12.240/32 next edit "hub1-FGT-2" set phase1name "hub1-FGT" set proposal aes256-sha1 set pfs disable set dst-subnet 220.127.116.11/32 set src-subnet 10.255.12.240/32 nextend # now for policy you should create a ip nat pool for the to-be nat'd address of 10.255.12.240 config firewall ippool edit "10.255.12.240" set startip 10.255.12.240 set endip 10.255.12.240 nextend Now for ANY fwpolicy that you bind to that ipse-vinterface for ipsec,you use that ip nat pool, so the clients are SNAT behind that e.g config firewall policy edit 0 set srcintf "internal" set dstintf "hub1-FGT" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable set ippool enable set poolname "10.255.12.240" nextend config router static edit 0 set dst 18.104.22.168 255.255.255.255 set device "hub1-FGT" end config router staic edit 0 set dst 22.214.171.124 255.255.255.255 set device "hub1-FGT" end You can add or restrict the policy address , I'm not going to waste my time writing out an example but the above would get you up. I charge 145 p/HR if you need consulting or services Ken Felix