Hello everyone,
I’m currently experiencing some issues with our Site-to-Site VPN (FortiOS 7.0.12) that was previously functioning without any problems. It seems that the NAT IP pool is not properly translating the source address, which is causing issues during the Phase 2 negotiation.
As a result, the remote site is unable to establish a proper connection to exit the tunnel. I suspect that this misconfiguration might be affecting the traffic routing and connectivity.
If anyone has encountered a similar issue or has suggestions on how to troubleshoot this, I would greatly appreciate your input!
_______CONFIG SNIPPET_________
edit "H_IPSEC_192.168.110.11"
set uuid xxxxxxxxxx
set subnet 192.168.110.12 255.255.255.255
next
edit "IPSEC-192.168.110.12"
set phase1name "VPN-IPSEC"
set proposal aes256-md5
set dhgrp 5
set keylifeseconds 3600
set src-subnet 10.0.11.6 255.255.255.255
set dst-subnet 192.168.110.12 255.255.255.255
next
config firewall ippool
edit "IP-POOL-NAT"
set startip 10.0.11.0
set endip 10.0.11.254
next
end
edit 17
set name "To VPN-IPSEC"
set uuid xxxxxxx
set srcintf "port2"
set dstintf "VPN-IPSEC"
set action accept
set srcaddr "H_10.0.1.6"
set dstaddr "H_192.168.110.12"
set schedule "always"
set service "ALL"
set utm-status enable
set nat enable
set ippool enable
set
___________________________
FGTAZ-VM01 # diagnose debug reset
FGTAZ-VM01 # diagnose debug flow filter clear
FGTAZ-VM01 # diagnose debug flow filter addr 192.168.110.11
FGTAZ-VM01 # diagnose debug flow show function-name enable
show function name
FGTAZ-VM01 # diagnose debug flow trace start 100
FGTAZ-VM01 # diagnose debug enable
FGTAZ-VM01 # id=20085 trace_id=2 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 10.0.1.6:7390->192.168.110.11:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=7390, seq=814."
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-000000ed, original direction"
id=20085 trace_id=2 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=2 func=ip_session_run_all_tuple line=7156 msg="SNAT 10.0.1.6->10.0.11.17:7390"
id=20085 trace_id=2 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VPN-IPSEC, tun_id=0.0.0.0"
id=20085 trace_id=2 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VPN-IPSEC"
id=20085 trace_id=2 func=ipsec_common_output4 line=778 msg="No matching IPsec selector, drop"
Thank you in advance for your help!
Thank you for providing the debugs.
Could you provide more details on why you need an IP Pool?
When you say the IP Pool is not working, why do you think that the IP pool is not working? What do you expect when it works?
The IPsec tunnel is not connecting properly; what exactly is happening?
Additionally, please take a look at the following message: "No matching IPsec selector, drop", which suggests that your IP Pool subnet may be missing from the IPsec phase 2 selectors under VPN > IPsec Tunnels.
What part of it do you consider incorrect and why (config snippets needed)? Without context, this all looks normal:
I need the NAT IP pool due to a subnet overlap between the two sites. When I say the IP pool is not working, I mean that I expect the source IP 10.0.1.6 to be NATed to 10.0.11.6, but instead, it's being translated to 10.0.11.17. This incorrect translation is causing issues with the connection.
As for Phase 2, the reason it's not working is that it's configured for specific hosts—10.0.11.6/32 and 192.168.110.11/32—so it fails to match the Phase 2 selectors, as the NAT is not translating to the expected IP.
Created on 10-25-2024 07:51 AM Edited on 10-25-2024 07:52 AM
FortiGate IP pool doesn't have a setting to do strict A.B.C.x to P.Q.R.x mapping.
In other words if the pool is 10.0.11.0~20, you have no way to ensure that 10.0.1.6 will be statically SNATed to 10.0.11.6.
In order to do that, you'll need to use VIPs in reverse, there's a KB for it: https://community.fortinet.com/t5/FortiGate/Technical-Tip-VIP-range-for-SNAT-and-static-1-to-1-mappi...
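To make the failure in the debug flow concrete, here is an added example (not from the thread or from Fortinet) that parses a constructed `diagnose debug flow` trace, checks the post-SNAT source against the Phase 2 src-subnet selector from the thread, and computes what a static 1:1 range mapping (host offset preserved, an assumption about how the VIP range maps) would have produced instead:

```python
import ipaddress
import re

# Constructed sample trace modelled on the thread's debug output (not copied from a device).
TRACE = """\
id=20085 trace_id=2 func=ip_session_run_all_tuple line=7156 msg="SNAT 10.0.1.6->10.0.11.17:7390"
id=20085 trace_id=2 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VPN-IPSEC, tun_id=0.0.0.0"
id=20085 trace_id=2 func=ipsec_common_output4 line=778 msg="No matching IPsec selector, drop"
"""

# Phase 2 selector from the thread: set src-subnet 10.0.11.6 255.255.255.255
PHASE2_SRC = ipaddress.ip_network("10.0.11.6/255.255.255.255")

SNAT_RE = re.compile(r'msg="SNAT (\d+\.\d+\.\d+\.\d+)->(\d+\.\d+\.\d+\.\d+):\d+"')


def parse_snat(trace: str):
    """Return (original, translated) IPv4 addresses from the first SNAT line, or None."""
    m = SNAT_RE.search(trace)
    if not m:
        return None
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def selector_match(translated, selector):
    """True if the post-NAT source falls inside the Phase 2 src-subnet selector."""
    return translated in selector


def one_to_one_target(original, ext_range_start, mapped_range_start):
    """Address a static 1:1 range mapping would give: keep the host offset into the range.
    Assumption: 10.0.1.x maps to 10.0.11.x, as the thread's VIP range implies."""
    offset = int(original) - int(ipaddress.ip_address(mapped_range_start))
    return ipaddress.ip_address(int(ipaddress.ip_address(ext_range_start)) + offset)


def diagnose(trace: str, selector=PHASE2_SRC):
    """Explain the drop by comparing the pool's translation with what the selector needs."""
    parsed = parse_snat(trace)
    if parsed is None:
        return "no SNAT line in trace"
    original, translated = parsed
    expected = one_to_one_target(original, "10.0.11.0", "10.0.1.0")
    if selector_match(translated, selector):
        return f"SNAT {original}->{translated} matches selector {selector}"
    return (f"SNAT {original}->{translated} is outside selector {selector}; "
            f"a static 1:1 mapping would give {expected}")


if __name__ == "__main__":
    print(diagnose(TRACE))
```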
Created on 10-25-2024 08:16 AM Edited on 10-25-2024 08:22 AM
I have the VIP for the entire subnet:
FGTAZ-VM01 (NAT_IP_LAN) # show
config firewall vip
edit "NAT_IP_LAN"
set uuid xxxxxxxxxxxxxxxxxxxxxxxxx
set extip 10.0.11.0-10.0.11.254
set mappedip "10.0.1.0-10.0.1.254"
set extintf "any"
next
end
I also have the policy:
config firewall policy
edit 18
set name "Incoming VPN IPSEC"
set uuid xxxxxxxxxxxxxxxxxxxxxxxxxx
set srcintf "VPN-IPSEC"
set dstintf "port2"
set action accept
set srcaddr "H_192.168.110.11"
set dstaddr "NAT_IP_LAN"
set schedule "always"
set service "ALL"
set nat enable
set comments ""
next
end
This configuration had worked until a few days ago.