Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

A service for WAN on a server behind 2 fortigates with IPSec VPN between them

Hello dear Fortinet Community,


I am new to Fortigates and I have the case depicted on the attached picture: A server in LAN 2 (Interface L2) behind the Fortigate 2 (FortiWiFi 60CX-ADSL-A, Firmware v5.2.15,build766 (GA)) which is being addressed from WAN (Interface W) through the Fortigate 1 (FortiWiFi 60CX-ADSL-A, Firmware v5.2.15,build766 (GA)) and IPSec VPN (Interfaces V1, V2, which are the VPN interfaces). The server runs a number of services that should be accessible from WAN. Let's take FTP as one example.


I have the following relevant policies of the Fortigate 1.


F1.I. WAN - V1: Source: all; Destination: Server (Virtual IP); Schedule: always; Service: FTP; Action: accept; NAT: enable.

F1.II. V1 - WAN: Source: all; Destination: all; Schedule: always; Service: all; Action: accept; NAT: enable.


The Virtual IP object "Server" has the following configuration:

Interface: W1

Type: static NAT

Source Address Filter: disabled

External IP Address/Range: -

Internal IP Address/Range: xxx.yyy.zzz.nnn - xxx.yyy.zzz.nnn (the IP Address of the Server in LAN 2)

Port Forwarding: enabled

Protocol: TCP

External Service Port: 21 - 21

Internal Service Port: 21 - 21


Besides that, I have the following relevant policies on the Fortigate 2.


F2.I. V2 - L2: Source: all; Destination: Server (Address); Schedule: always; Service: FTP; Action: accept; NAT: disable.

F2.II. L2 - V2: Nothing... but should I have an accepting policy for Server -> all?


The Address object "Server" has the following configuration:

Type: IP/Netmask, Subnet / IP Range: xxx.yyy.zzz.nnn (the IP Address of the Server in LAN 2), Interface: any, Show in Address List: yes.


When I try to connect via FTP from WAN using the address of the WAN-Interface, I see the number of packets increasing on F1.I, but nowhere else and, obviously, I can't establish a connection. Could you please help me with what and how I should change to allow the required connectivity?


New Contributor

I suppose the settings of the VPN Tunnel may also be relevant, so here they are.


At Fortigate 1:


IP Version: IPv4

Remote Gateway: Dynamic DNS

Dynamic DNS:

Interface: W

Mode Config: disabled

NAT Traversal: enabled

Keepalive Frequency: 10

Dead Peer Detection: enabled


Method: Pre-Shared Key

Pre-shared Key: secret

IKE Version: 1

IKE Mode: Main (ID Protection)

Phase 1 Proposal

Algorithms: AES128-SHA256

Diffie-Hellman Groups: 14, 5


Type: Disabled

Phase 2 Selectors

Name: V1

Local Address: Subnet

Remote Address: Subnet

(here we have several pairs of Encryption and Authentication types, I omit them)

Enable Replay Detection: enabled

Enable Perfect Forward Secrecy (PFS): enabled

Diffie-Hellman Groups: 14, 5

Local Port: All

Remote Port: All

Protocol: All

Autokey Keep Alive: disabled

Auto-negotiate: enabled

Key lifetime: 43200 seconds


Fortigate 2: everything is identical except:

Remote Gateway: Static IP Address.

IP Address: our static IP address of W

Interface: the local WAN-Interface of the Site where Fortigate 2 functions

Auto-negotiate: disabled.


After reading the following two articles


I've disabled NAT on the F1.I and I have also found the sniffer. Now I see that I'm receiving the packets on V2:


# diag sniff packet any "host xxx.yyy.zzz.nnn and tcp port 21" 4
filters=[host xxx.yyy.zzz.nnn and tcp port 21]
4.711693 V2 in aaa.bbb.ccc.ddd.56402 -> xxx.yyy.zzz.nnn.21: syn 4170189320
16.712715 V2 in aaa.bbb.ccc.ddd.56402 -> xxx.yyy.zzz.nnn.21: syn 4170189320


However, I don't see them leaving on L2.


I think I have found the problem: 

# diag debug flow trace start 100
id=20085 trace_id=1 func=print_pkt_detail line=4489 msg="vd-root received a packet(proto=6, aaa.bbb.ccc.ddd:56977->xxx.yyy.zzz.nnn:21) from V2. flag , seq 4154323049, ack 0, win 5840"
id=20085 trace_id=1 func=init_ip_session_common line=4645 msg="allocate a new session-000cebfd"
id=20085 trace_id=1 func=ip_route_input_slow line=1274 msg="reverse path check fail, drop"

This seems to be a related article:


Now I need to find out if I should disable the RPF or reconfigure the other Fortigate to NAT the packets.


I have changed F1.I to NAT and then added the external IP Address of the Fortigate 1 to the routing table of the Fortigate 2 statically. Now I seem to have the connection. The problem seems to be solved now.

