Hello everyone,
I am using FortiGate v6.4 and I am quite new to this, so sorry if this is a bit of a dumb question.
I see a lot of tutorials that have the "IPsec VPN configuration wizard", but I do not have it because my company is running the FortiGate in policy mode.
So I am trying to set up a VPN so that anyone with FortiClient VPN can access the FortiGate over a secure connection and then exit the network with its public address. I have configured the IPsec connections and policies and I have no problem opening the session (if I add the policies, I have access to the internal network).
The problem is that (I believe because of the NAT-T part of IPsec, which is necessary) I cannot use the NAT service properly, and I can't seem to get my source IP to change to the FortiGate's.
Does anyone have an idea of how I could make it work?
Thanks a lot
You are trying to set up an IPsec VPN on your FortiGate device in order to allow remote clients to access the internal network via a secure connection. However, you are having trouble with NAT services and getting the source IP to change to the FortiGate's.
Here are some steps you can take to troubleshoot this issue:
1. Verify that NAT-T is enabled on both the FortiGate device and the FortiClient VPN client. NAT-T allows IPsec traffic to pass through NAT devices, which may be necessary if you are using a public IP address for your FortiGate device.
2. Check that the NAT policies are configured correctly on the FortiGate device. Make sure that the source and destination addresses are set correctly and that the NAT action is set to 'enable'.
3. Verify that the security policies are configured correctly on the FortiGate device to allow traffic from the VPN clients to the internal network. Make sure that the source and destination addresses are set correctly and that the action is set to 'accept'.
4. Check the logs on the FortiGate device for any errors or warnings related to NAT or IPsec. This may give you more information about what is causing the issue.
5. Consider using SSL VPN instead of IPsec VPN. SSL VPN allows for more flexibility with NAT and may be easier to set up for your use case.
By following these steps, you can further isolate the issue and determine the root cause of the problem.
Hi, thank you for your answer.
It seems I wasn't clear enough, sorry about that. I am trying to access the Internet with the FortiGate's IP address, not the local subnet (although I do not think it changes a lot of things). I don't seem to have any problem with NAT-T or IPsec because I can bring up the VPN tunnel without any problems; it is just that the address translation doesn't seem to work. I suspect it is because of the NAT-T encapsulation. I might try with SSL VPN, although I am not very familiar with it. Thank you
Can you share a simple topology diagram with the IP details (masked) to get a better understanding of the challenge?
Hi, thank you for your answer. Here is a topology diagram of the problem.
Hi LouisTeys,
As per my understanding, the tunnel should be up and you are able to access the internal network, but you are facing issues in accessing the Internet through the tunnel.
The traffic should reach the firewall with your IP, and if you enable NAT in the policy, with the source as the tunnel interface and the destination as your WAN, you should be able to reach the Internet with the FortiGate public IP.
Regards,
Vimala
Hi, thank you for your answer. You are absolutely correct: my VPN session is up and I can access the local subnet and the Internet without any problems, but even though I did set up a firewall policy (from VPN to WAN, NAT enabled) it doesn't seem to have any effect on the source IP address, because the return packets don't pass through the FortiGate but instead go directly to my client.
Hi LouisTeys,
Thank you for the update. Could you run the command below and initiate traffic to the Internet from the client machine, to see if the traffic reaches the firewall?
diag sniffer packet any 'host x.x.x.x and icmp' 4 0 a
(replace x.x.x.x with the client IP and initiate a ping to any public IP)
You can stop the sniffer with Ctrl+C.
Regards,
Vimala
I did run the command and here is the result.
The weird thing is that it seems to work, but when I try to connect to a website such as WhatIsMyIPAddress, I still get the original public IP (the one from the client, not the FortiGate's).
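The VPN-to-WAN policy with NAT enabled that Vimala describes can only rewrite the source address of packets that actually enter the tunnel. When a what-is-my-IP site still reports the client's own public address even though the sniffer shows pings arriving at the firewall, the usual cause is split tunneling on the dial-up phase1: FortiClient then sends Internet-bound traffic out its local connection, so the NAT policy never sees it. The FortiOS 6.4 CLI fragment below is an added example, not configuration from this thread or from Fortinet; the phase1 name FCT-dialup, the WAN interface wan1, the address objects LAN-subnets and FCT-pool, and the client pool 10.212.134.0/24 are assumptions. It shows the split-tunnel setting next to the full-tunnel one, then the policy that performs the source NAT.

```text
# Added example (FortiOS 6.4 CLI), not from the thread. All names and
# addresses are assumed; user authentication (xauth, user group) is omitted.

# Dial-up phase1 for FortiClient. With mode-cfg, the client only routes the
# networks listed in ipv4-split-include through the tunnel.

# Split tunnel: only LAN-subnets go through the tunnel, so the client's
# Internet traffic bypasses the FortiGate and the NAT policy never applies.
config vpn ipsec phase1-interface
    edit "FCT-dialup"
        set type dynamic
        set interface "wan1"
        set peertype any
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "LAN-subnets"
        set psksecret <redacted>
    next
end

# Full tunnel: leave ipv4-split-include unset so the client is pushed
# 0.0.0.0/0 and sends everything, Internet included, into the tunnel.
config vpn ipsec phase1-interface
    edit "FCT-dialup"
        unset ipv4-split-include
    next
end

# Phase2 selectors wide open so any destination is accepted by the SA.
config vpn ipsec phase2-interface
    edit "FCT-dialup-p2"
        set phase1name "FCT-dialup"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Address object matching the client pool, used as the policy source.
config firewall address
    edit "FCT-pool"
        set subnet 10.212.134.0 255.255.255.0
    next
end

# Policy from the tunnel interface to the WAN with source NAT, so traffic
# leaves wan1 with the FortiGate's public address.
config firewall policy
    edit 0
        set name "FCT-to-Internet"
        set srcintf "FCT-dialup"
        set dstintf "wan1"
        set srcaddr "FCT-pool"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After reconnecting the client (mode-cfg settings are pushed at tunnel setup), a check such as diag sniffer packet wan1 'icmp' 4 0 a while pinging a public address should show the packets leaving wan1 with the wan1 address as source; if the sniffer still shows nothing on wan1, the client is not routing that traffic into the tunnel and the phase1 split-tunnel setting is the place to look, not the NAT policy.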
Copyright 2024 Fortinet, Inc. All Rights Reserved.