Hello, I have a IPSEC tunnel which is showing UP but I cannot ping or access the needed website though the tunnel. I am connecting to a City VPN which uses a Checkpoint Firewall. They require me to Source Nat to protect them from subnet overlap. I have read a million manuals and spent days in forums, blogs and various tutorials to no avail. It appears the traffic is moving into the tunnel but I get no response.
I have configured source Nat from my public interface address. - I have other public IP's if they must be used. The interface IP seemed easiest. Also I am using Policy mode. I know route mode is better, but I cannot find any documentation on source NAT for that vpn type. My config is below. Any help might just keep the two hairs I have left in place.
** Note ** I would love to convert this into a route based VPN, but have no idea how to do Source Nat. VIPs don't make sense when the traffic is initiated from the Wan interface. I must be missing something.
All IPs have been cleansed.
Fortigate 100E Firmware v5.6.2 build1486 (GA
Remote Interface Gateway 178.19.115.184 Remote Subnet 178.19.196.128 255.255.255.128 Local Gateway 88.235.171.66 -This is my WAN Address- Local Subnet 192.168.200.0 255.255.255.0 - Internal Address ** Goal is to have all traffic from Local Subnet NAT to WAN Interface ** config firewall address edit "VPN-Metro_Local" set color 4 set allow-routing enable set subnet 192.168.200.0 255.255.255.0 next edit "VPN-Metro_Remote" set color 4 set allow-routing enable set subnet 178.19.196.128 255.255.255.128 next config vpn ipsec phase1 edit "Metro_Phase1" set interface "wan1" set keylife 28800 set peertype any set proposal aes256-sha1 set comments "Metro VPN Phase 1" set dhgrp 2 set remote-gw 178.19.15.84 set psksecret ENC next end config vpn ipsec phase2 edit "Metro_Phase2" set phase1name "Metro_Phase1" set use-natip disable set proposal aes256-sha1 set pfs disable set auto-negotiate enable set comments "Metro VPN Phase 2" set src-addr-type ip set src-start-ip 88.235.171.66 set dst-subnet 178.19.196.128 255.255.255.128 next end config firewall policy edit 15 set name "MetroRMS_Policy_200Net" set srcintf "lan" set dstintf "wan1" set srcaddr "VPN-Metro_Local" set dstaddr "VPN-Metro_Remote" set action ipsec set schedule "always" set service "ALL" set logtraffic all set inbound enable set natoutbound enable set vpntunnel "Metro_Phase1" next end id=20085 trace_id=777 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.200.198:1->178.19.196.145:2048) from lan. type=8, code=0, id=1, seq=300." id=20085 trace_id=777 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session, id-00068aef, original direction" id=20085 trace_id=777 func=npu_handle_session44 line=1079 msg="Trying to offloading session from lan to wan1, skb.npu_flag=00000400 ses.state=00050214 ses.npu_state=0x01000000" id=20085 trace_id=777 func=__ip_session_run_tuple line=3164 msg="SNAT 192.168.200.198->88.235.171.66:62464" id=20085 trace_id=777 func=ipsec_tunnel_output4 line=1211 msg="enter IPsec tunnel-MetroRMS_Phase1" id=20085 trace_id=777 func=esp_output4 line=891 msg="IPsec encrypt/auth" id=20085 trace_id=777 func=ipsec_output_finish line=525 msg="send to 88.235.171.65 via intf-wan1"
Mike Cook Fortigate 100E Firmware v5.6.2 build1486 (GA
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I thought about that too. I will try that. I think if I use another public IP I can actually do this in route mode using a VIP.
Thanks for taking the time to respond. I will let you know how it works out.
Mike Cook Fortigate 100E Firmware v5.6.2 build1486 (GA
Ran into the same issue, change the VIP setting to listen on the single correct interface (eg: wan1) instead of "any"
Setting it to "all"broke my policies, the NAT'ing wasn't working as expected.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.