Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IP-Pool-Nat one to one not working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IP-Pool-Nat one to one not working
Hello everyone,
I’m currently experiencing some issues with our Site-to-Site VPN (fortiOS 7.0.12) that was previously functioning without any problems. It seems that the NAT IP pool is not properly translating the source address, which is causing issues during the Phase 2 negotiation.
As a result, the remote site is unable to establish a proper connection to exit the tunnel. I suspect that this misconfiguration might be affecting the traffic routing and connectivity.
If anyone has encountered a similar issue or has suggestions on how to troubleshoot this, I would greatly appreciate your input!
_______CONFIG SNIPPET_________
edit "H_IPSEC_192.168.110.11"
set uuid xxxxxxxxxx
set subnet 192.168.110.12 255.255.255.255
next
edit "IPSEC-192.168.110.12"
set phase1name "VPN-IPSEC"
set proposal aes256-md5
set dhgrp 5
set keylifeseconds 3600
set src-subnet 10.0.11.6 255.255.255.255
set dst-subnet 192.168.110.12 255.255.255.255
next
config firewall ippool
edit "IP-POOL-NAT"
set startip 10.0.11.0
set endip 10.0.11.254
next
end
edit 17
set name "To VPN-IPSEC"
set uuid xxxxxxx
set srcintf "port2"
set dstintf "VPN-IPSEC"
set action accept
set srcaddr "H_10.0.1.6"
set dstaddr "H_192.168.110.12"
set schedule "always"
set service "ALL"
set utm-status enable
set nat enable
set ippool enable
set
___________________________
FGTAZ-VM01 # diagnose debug reset
FGTAZ-VM01 # diagnose debug flow filter clear
FGTAZ-VM01 # diagnose debug flow filter addr 192.168.110.11
FGTAZ-VM01 # diagnose debug flow show function-name enable
show function name
FGTAZ-VM01 # diagnose debug flow trace start 100
FGTAZ-VM01 # diagnose debug enable
FGTAZ-VM01 # id=20085 trace_id=2 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 10.0.1.6:7390->192.168.110.11:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=7390, seq=814."
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-000000ed, original direction"
id=20085 trace_id=2 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=2 func=ip_session_run_all_tuple line=7156 msg="SNAT 10.0.1.6->10.0.11.17:7390"
id=20085 trace_id=2 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VPN-IPSEC, tun_id=0.0.0.0"
id=20085 trace_id=2 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VPN-IPSEC"
id=20085 trace_id=2 func=ipsec_common_output4 line=778 msg="No matching IPsec selector, drop"
Thank you in advance for your help!
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for proving the debugs.
Could you provide more details on why do you need an IP Pool?
When you say IP Pool is not working, why do you think that IP pool is not working? What do you expect it when it works?
IP sec tunnel not connecting properly, what exactly is happening?
Additionally, please take a look at the following message: "No matching IPsec selector, drop"
Which suggests that your IP Pool subnet may be missing from the IPsec phase 2 selectors under VPN > IPsec Tunnels.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What part of it do you consider incorrect and why (config snippets needed)? Without context, this all looks normal:
- ping from 10.0.1.6 to 192.168.110.11 received on port2 in root VDOM
- SNAT 10.0.1.6->10.0.11.17 (based on previously matched firewall policy)
- Send into IPsec tunnel "VPN-IPSEC"
- drop because the tunnel doesn't have a phase2 that matches the 10.0.11.17 -> 192.168.110.11 flow.
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need the NAT IP pool due to a subnet overlap between the two sites. When I say the IP pool is not working, I mean that I expect the source IP 10.0.1.6 to be NATed to 10.0.11.6, but instead, it's being translated to 10.0.11.17. This incorrect translation is causing issues with the connection.
As for Phase 2, the reason it's not working is that it's configured for specific hosts—10.0.11.6/32 and 192.168.110.11/32—so it fails to match the Phase 2 selectors, as the NAT is not translating to the expected IP.
Created on 10-25-2024 07:51 AM Edited on 10-25-2024 07:52 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate IP pool doesn't have a setting to do strict A.B.C.x to P.Q.R.x mapping.
In other words if the pool is 10.0.11.0~20, you have no way to ensure that 10.0.1.6 will be statically SNATed to 10.0.11.6.
In order to do that, you'll need to use VIPs in reverse, there's a KB for it: https://community.fortinet.com/t5/FortiGate/Technical-Tip-VIP-range-for-SNAT-and-static-1-to-1-mappi...
[ corrections always welcome ]
Created on 10-25-2024 08:16 AM Edited on 10-25-2024 08:22 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have the vip for the entire subnet
FGTAZ-VM01 (NAT_IP_LAN) # show
config firewall vip
edit "NAT_IP_LAN"
set uuid xxxxxxxxxxxxxxxxxxxxxxxxx
set extip 10.0.11.0-10.0.11.254
set mappedip "10.0.1.0-10.0.1.254"
set extintf "any"
next
end
also have the policy:
config firewall policy
edit 18
set name "Incoming VPN IPSEC"
set uuid xxxxxxxxxxxxxxxxxxxxxxxxxx
set srcintf "VPN-IPSEC"
set dstintf "port2"
set action accept
set srcaddr "H_192.168.110.11"
set dstaddr "NAT_IP_LAN"
set schedule "always"
set service "ALL"
set nat enable
set comments ""
next
end
this configuration worked since few days ago
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
Labels
-
FortiGate
8,275 -
FortiClient
1,675 -
5.2
801 -
FortiManager
694 -
5.4
639 -
FortiAnalyzer
528 -
FortiSwitch
449 -
FortiAP
444 -
6.0
416 -
FortiClient EMS
385 -
5.6
362 -
FortiMail
306 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
198 -
5.0
196 -
FortiWeb
193 -
IPsec
170 -
FortiNAC
168 -
FortiGuard
132 -
6.4
128 -
SD-WAN
101 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
79 -
Wireless Controller
76 -
Customer Service
75 -
Firewall policy
67 -
4.0MR3
64 -
FortiProxy
55 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
46 -
High Availability
45 -
ZTNA
44 -
FortiExtender
43 -
FortiDNS
42 -
FortiSandbox
40 -
Routing
37 -
DNS
37 -
BGP
36 -
FortiGate v5.4
35 -
LDAP
35 -
FortiSwitch v6.4
33 -
SAML
32 -
Certificate
32 -
Interface
31 -
SSO
29 -
NAT
29 -
FortiConnect
28 -
Authentication
28 -
RADIUS
26 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Application control
22 -
Virtual IP
22 -
Logging
21 -
Web profile
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
FortiPAM
18 -
Traffic shaping
17 -
SSL SSH inspection
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
OSPF
14 -
IP address management - IPAM
14 -
SSID
13 -
WAN optimization
13 -
FortiCASB
12 -
SNMP
12 -
Admin
12 -
Static route
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
Automation
11 -
System settings
11 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiManager v4.0
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiDeceptor
6 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1613 | |
| 1052 | |
| 749 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.