Support Forum
New Contributor II

Fortigate 40F Policy Based S2S with Source NAT


I am trying to set up a VPN Site2Site connection, policy-based with source NAT.


Fortigate 40F, v7.2.4

The target network is a customer network and cannot be configured.


I'm basically following the tutorial in this article (Scenario A)


The topology looks like this (where SiteB is Customer), and the NATting should only be done for the IP Address (in my case, cus_local_subnet_1)

Screenshot 2023-05-16 at 13.00.55.png

Despite the article instructions, I'm doing the configuration from the Web Interface.


The VPN Tunnel is up and running for Phase 1 and Phase 2:


Screenshot 2023-05-16 at 13.09.12.png

The problem starts when I want to configure the firewall policy. If I check "IPsec" in the policy, I lose the option to set up the IP Pool for NATing.

Screenshot 2023-05-16 at 13.04.03.png


On the other hand, if I choose "ACCEPT", I can choose the NATing, but I cannot set IPsec on the policy.


Screenshot 2023-05-16 at 13.06.08.png


The article does not state how to handle this scenario; with the CLI it seems it can be defined:


Screenshot 2023-05-16 at 13.20.04.png


How can I bind the IP Pool and NAT while also using IPsec in the policy?



Contributor III

Hi Gateberg

  1. Try to do it with the CLI. Many features available in the CLI can't be done in the GUI.
  2. The article is old; it may relate to FortiOS 5.x. Many commands and methods changed between 5.x and 7.2.x, so you can find the right method in the FGT 7.2 admin guide.

Is there a reason you are using policy-based IPsec? Can you use route-based?


When using route-based you can just create a basic fw policy with SNAT applied for that one device.
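For the policy-based case the question asks about, the CLI path suggested above uses the policy's own natoutbound/natip settings rather than an IP pool. This is an added example, not the thread author's configuration or the referenced article's; the interface names (internal, wan1), tunnel name (to_customer), address objects and the 203.0.113.10 NAT address are assumed placeholders.

```fortios
# Added example, not from the thread. Assumed names: internal, wan1,
# to_customer, site_a_lan, customer_lan; 203.0.113.10 is a placeholder NAT IP.
# Policy-based tunnels use "phase2" (not "phase2-interface"), and the
# customer side sees only the translated address, so the local selector
# must be the NAT IP, not the real LAN subnet.
config vpn ipsec phase2
    edit "to_customer_p2"
        set phase1name "to_customer"
        set src-subnet 203.0.113.10 255.255.255.255
        set dst-subnet 192.0.2.0 255.255.255.0
    next
end

# Firewall policy with action ipsec: source NAT is set on the policy itself
# (natoutbound/natip) instead of the ippool/poolname options the GUI hides.
config firewall policy
    edit 0
        set name "policy_ipsec_to_customer"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "site_a_lan"
        set dstaddr "customer_lan"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set vpntunnel "to_customer"
        set inbound enable
        set outbound enable
        # Translate the LAN source to the single address the customer allows.
        set natoutbound enable
        set natip 203.0.113.10 255.255.255.255
    next
end
```

After applying it, the phase 2 selector and the customer's expected remote network must agree on 203.0.113.10/32, otherwise the SA negotiates but no traffic matches, which is the symptom reported later in the thread.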

New Contributor II

Route based is not possible, we cannot make changes on the customer site.


Maybe the issue starts earlier, as I cannot see any traffic on the tunnel:

Screenshot 2023-05-17 at 11.56.56.png


You may try to use Central NAT for such a scenario, which will separate NAT from the firewall rules. But this change has to be planned if you are already using NAT in the firewall rules.


AFAIK route-based vs policy-based is a local construct on the FGT. It's just two different ways of configuring the IPSec tunnel. The remote side does not care what you are using. It's just typically a much easier way to manage and configure the IPSec tunnel on the FGT.