Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
daj1985
New Contributor

Created on ‎08-29-2018 03:47 AM

IP SEC configuration behind a NAT device

Hi,

  Our scenario is :- 

Already has a IPsec connection between two offices , HQ and Site Office. The Site Office is behind a NAT device.

 

  HQ Fortigate ---------IP Sec-----NAT device-----Site Office Fortigate1

We need one more IPSec connection between the same offices. 

 ie. HQ Fortigate---IPSec----NAT device---Site Office Fortigate2.

 

 ie we use same NAT device for both Fortigate1 and Fortigate2.

 

So is it possible to use same LAN IP which is used in SiteOffice Fortigate1 , for Site Office Fortigate2 also. 

 

ie same LAN IPs in both. Is it possible.

 

Thanks

 

3221
0 Kudos
1 Solution
emnoc
Esteemed Contributor III
In response to Prab

Created on ‎09-05-2018 09:03 AM

I think you need to  look at peer-id per tunnel. Same I don't  quite understand the  question but you  can have 2 sites and all behind a  NAT-device just keep in mind this endpoint will need NAT-T and by using peerid you can define each tunnel to be unique to that peerid

 

Ken

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
1754
0 Kudos
3 REPLIES 3
ede_pfau
SuperUser
SuperUser

Created on ‎08-29-2018 07:18 AM

Your problem is not the LAN address but the WAN address. It's the same for both tunnels, and there cannot be two IPsec tunnel between the same public addresses. So, IMHO, this will not work.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
1725
0 Kudos
Prab
New Contributor

Created on ‎09-05-2018 08:54 AM

daj1985 wrote:

Hi,

  Our scenario is :- 

Already has a IPsec connection between two offices , HQ and Site Office. The Site Office is behind a NAT device.

 

  HQ Fortigate ---------IP Sec-----NAT device-----Site Office Fortigate1

We need one more IPSec connection between the same offices. 

 ie. HQ Fortigate---IPSec----NAT device---Site Office Fortigate2.

 

 ie we use same NAT device for both Fortigate1 and Fortigate2.

 

So is it possible to use same LAN IP which is used in SiteOffice Fortigate1 , for Site Office Fortigate2 also. 

 

ie same LAN IPs in both. Is it possible.

 

Thanks

 

Hi Daj,

 

Please don't feel offended but unfortunately I could not understand that why are you trying to have a second IPsec tunnel between the same remote subnet?

 

Thanks,

Prab

1725
0 Kudos
emnoc
Esteemed Contributor III
In response to Prab

Created on ‎09-05-2018 09:03 AM

I think you need to  look at peer-id per tunnel. Same I don't  quite understand the  question but you  can have 2 sites and all behind a  NAT-device just keep in mind this endpoint will need NAT-T and by using peerid you can define each tunnel to be unique to that peerid

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
1755
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.