ujemvi
New Contributor

IPSec and VIP Object

Hi guys! I need some assistance regarding an IPSec tunnel I'm trying to create with an external company. They need to get access to a server in my server farm. The server's IP address is 10.39.1.61. The client is going to connect from the IP 192.168.186.62. I don't want to show them my real IP address, so I want to use NAT to hide this. I've been trying to arrange an IPSec tunnel using a VIP object as my "dst address" value. I also tried to create an address object with the value of the external IP from an already created VIP. Neither of those cases has worked for me. My peer has an ASA 8.3(2), if that matters.

Phase 1 connects completely, but I'm not seeing any attempts to establish phase 2.

Is it possible to create this VIP object and use it to hide my server?

Thanks in advance.

Dipen
New Contributor III

Good to hear that P1 is getting established.

Regarding P2, what are you specifying in the Quick Mode Selector (VIP or actual IP)?

Also, while defining the VIP, are you specifying the external interface as the IPSec tunnel or the physical interface?

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

ujemvi
New Contributor

Thanks for the help guys

Dipen wrote:

Good to hear that P1 is getting established.

Regarding P2, what are you specifying in the Quick Mode Selector (VIP or actual IP)?

Also, while defining the VIP, are you specifying the external interface as the IPSec tunnel or the physical interface?

I defined the external interface as "any". I've changed to the IPSec Tunnel now, assuming that that's what you mean. I have to wait for the client to test it.

 

emnoc
Esteemed Contributor III

Yes, just ensure the proxy IDs on the Cisco and the FGT are those of the VIP and that all the correct firewall policies and routes exist. I'm assuming this is a route-based VPN?

The diag debug flow will provide you details on what's missing or maybe why it's not working.

Also make sure you DO NOT enable NAT on the policies for that VIP and VPN tunnel.

 

PCNSE 

NSE 

StrongSwan  
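The setup discussed in this thread, sketched as FortiOS CLI for a route-based VPN. This is an added example, not configuration posted by anyone in the thread. The tunnel name `to-partner`, the interface `internal`, the object names and the VIP external address 203.0.113.61 are constructed placeholders; only 10.39.1.61 and 192.168.186.62 come from the original question. Lines starting with `#` are annotations.

```fortios
# VIP bound to the tunnel interface: the peer sees only the placeholder extip.
config firewall vip
    edit "vip-server"
        set extintf "to-partner"
        set extip 203.0.113.61
        set mappedip "10.39.1.61"
    next
end
config firewall address
    edit "partner-host"
        set subnet 192.168.186.62 255.255.255.255
    next
end
# Phase 2 selectors (proxy IDs) carry the VIP address, never the real server IP.
# The peer's selectors must mirror these exactly or phase 2 will not come up.
config vpn ipsec phase2-interface
    edit "to-partner-p2"
        set phase1name "to-partner"
        set src-subnet 203.0.113.61 255.255.255.255
        set dst-subnet 192.168.186.62 255.255.255.255
    next
end
# Policy from the tunnel to the server side; the VIP does the destination
# translation, so source NAT stays disabled on this policy.
config firewall policy
    edit 0
        set srcintf "to-partner"
        set dstintf "internal"
        set srcaddr "partner-host"
        set dstaddr "vip-server"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
# Route back to the peer host through the tunnel interface.
config router static
    edit 0
        set dst 192.168.186.62 255.255.255.255
        set device "to-partner"
    next
end
# Trace how the FortiGate handles the peer's packets (policy match, VIP, route).
diagnose debug flow filter addr 192.168.186.62
diagnose debug flow trace start 20
diagnose debug enable
```

Run `diagnose debug disable` when the trace is finished.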
