Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
KPS
New Contributor III

IPSEC - NAT all the traffic to VPN

Hi!

 

I am just trying to setup a new VPN, but cannot get it in a working condition...

 

Goal is: NAT all the traffic from internal to remote-net 172.16.1.0/24 to source-ip 192.168.99.1 and send it to VPN.

 

Tunnel is configured and up.

Phase 1 is running.

Phase 2 is configured as: 192.168.99.0/24 to 172.16.1.0/24

Firewall-Policy: Internal to VPN-Tunnel, ANY, ANY, Allow - with NAT

 

VPN-Tunnel comes up, but there seems to be no data sent into the tunnel.

 

Can you give me a hint, about what I am missing?

 

Thank you for your help!!

KPS

5 REPLIES 5
emnoc
Esteemed Contributor III

You are  masking all behind  the 192.168.99.0/24?   If yes ensure the  src/dst-subnets allows for   SRC 192.168.99.0/24 and the DST-SUBNET { at the remote site  is correct }

 

I didn't quite understand the following 

 Phase 2 is configured as: 192.168.99.0/24 to 172.16.1.0/24
 

 

Can you  copy out the vpn phase2 settings and post them here ?

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
KPS
New Contributor III

Hi!

 

Thank you for your answer!

 

<code>

config vpn ipsec phase2-interface

 (phase2-interface) # show config vpn ipsec phase2-interface edit "XXX-VPN" set phase1name "XXX-VPN" set proposal aes256-sha256 set dhgrp 14 set keepalive enable set keylifeseconds 3600 set src-subnet 192.168.99.0 255.255.255.255 set dst-subnet 172.16.1.0 255.255.255.0 next end

</code>

 

Interface-IP on XXX-VPN is: 192.168.99.1

Firewall-Policy is: Allow everything to XXX-VPN WITH NAT.

 

Thank you for your help!

emnoc
Esteemed Contributor III

is "set dst-subnet 172.16.1.0 255.255.255.0" at the destination ? And  are sure the internal lans are  being SNAT behind  192.168.99.1 ?

 

So you should have interface XXX-VPN, run a diag sniffer packet  XXX-VPN   "dst net 172.16.1" and do you see traffic?  Also have you  validate the routing for the destination network ?

 

  get router info routing all |  grep 172.16.1

 

 

ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
KPS
New Contributor III

emnoc wrote:

is "set dst-subnet 172.16.1.0 255.255.255.0" at the destination ? And  are sure the internal lans are  being SNAT behind  192.168.99.1 ?

 

I do not control the destination, but I think so. SNAT ist set in the firewall-policies.

 

 

emnoc wrote:

So you should have interface XXX-VPN, run a diag sniffer packet  XXX-VPN   "dst net 172.16.1" and do you see traffic?  Also have you  validate the routing for the destination network ?

  get router info routing all |  grep 172.16.1

 

Routing seems to be o.k. get router info shows the route to XXX-VPN

 

diad sniffer shows:

diag sniffer packet XXX-VPN
interfaces=[XXX-VPN]
filters=[none]
9.402354 192.268.99.1 -> 172.16.1.10: icmp: echo request

 

Do you have any idea, what the problem could be?

emnoc
Esteemed Contributor III

The diag vpn tunnel list  and review the  IPSEC-SAs and counters would be a start . You probably have one-way IPSEC-SAs and encrypt only and no decrypt on traffic sent to  192.168.99.1 ( You had 192.268.99.1  in your typed screen  btw )

 

I would double the  IPSEC-SA and ensure match SPI and correct proxy-ids

 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors