Support Forum
mlfrohlich
New Contributor

IPSec tunnel options - help!

Hi, I have a Fortigate 60F and need to create an IPSEC tunnel to a non-Fortigate device. My problem though is that there is an existing router in my way. I'm unable to remove the router and I can't get into the settings of it. It's needed for the ISP's mesh wi-fi setup, I am told.

 

1. Can I place the Fortigate on the internal network and have it negotiate the tunnel? I don't think it would get the traffic.

2. Put the Fortigate at the edge in transparent mode and establish the tunnel? It doesn't have any L3 addressing so not sure that's possible.

3. Double NAT? Yikes.

 

dingjerry_FTNT

Hi @mlfrohlich ,

 

I guess that you can get DHCP IPs (192.168.1.0/24 network) from the router, correct?

 

If so:

 

1) Put the FGT behind the router so the WAN interface on the FGT can receive a DHCP IP, or assign one 192.168.1.x/24 IP yourself if you know what the router's internal IP (it must be 192.168.1.y/24 as well) is.

 

2) On the FGT, create a default static route via the WAN interface; the gateway is 192.168.1.y.

 

3) On the FGT internal interface, create a DHCP server and configure a different subnet than 192.168.1.0/24 so you can hand out DHCP IPs to the internal network.

 

4) Create an IPSec VPN, and enable "NAT Traversal" in the phase1 settings. The FGT has to initiate to bring up the IPSec VPN since you do not have access to the router to configure port forwarding. Otherwise, the remote peer can bring up the tunnel by accessing the router's external IP and the router can port forward the IPSec IKE traffic to the FGT WAN interface.

Regards,

Jerry
sw2090
SuperUser

The problem is, imho, that the FortiGate tries to establish the IPsec but it cannot get any response from the peer because of the router. It would work if the FGT had an interface connected to the same subnet the peer is in. But I guess this is IPsec over the internet, is it?

The problem is that IPsec traffic uses port 500/udp (and switches to 4500/udp if NAT-T is enabled) and this hits the router, because if it is over the internet the peer can only have the router WAN IP as remote gateway. If there is no port forwarding on the router, you won't get any IPsec communication.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
dingjerry_FTNT

Then you may consider putting the FGT in front of the router.

Regards,

Jerry
mlfrohlich

Thanks for taking the time to respond. If I did this I believe I'd run into a double NAT situation and I'm not sure I want to do that.

After checking with the ISP again, it appears they might be able to do some port forwarding for me, but they won't disable the routing function on the current box for me. I've never set up an IPsec tunnel with the FW on the LAN. If I have the ports forwarded to the FW, do I then just set it up as normal, or do I need to choose some specific type such as policy based?

dingjerry_FTNT

Hi @mlfrohlich ,

 

As normal. In the IPSec Phase1 settings, the FGT uses the WAN interface IP as the local gateway. On the remote peer, point to the public IP on the router.

Regards,

Jerry
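The steps from Jerry's first reply and the "as normal" Phase 1 setup above, written out as FortiOS CLI. This is an added example, not configuration posted in the thread or taken from Fortinet documentation; the router LAN IP 192.168.1.1, the FGT LAN subnet 192.168.10.0/24, the interface names wan1/internal and every <...> value are assumptions or placeholders.

```text
# --- WAN side: the FGT's wan1 sits on the router's LAN (192.168.1.0/24) ---
config system interface
    edit "wan1"
        set mode dhcp              # or a static 192.168.1.x address from the router's subnet
    next
end
# Default route out through the router; 192.168.1.1 is an assumed router LAN IP
config router static
    edit 1
        set gateway 192.168.1.1
        set device "wan1"
    next
end
# --- LAN side: a different subnet than the router's, handed out by the FGT ---
config system interface
    edit "internal"
        set ip 192.168.10.1 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.10.100
                set end-ip 192.168.10.200
            next
        end
    next
end
# --- IPsec: NAT-T on; the FGT must initiate unless the router forwards UDP 500/4500 ---
config vpn ipsec phase1-interface
    edit "to-peer"
        set interface "wan1"                # local gateway = wan1's private 192.168.1.x address
        set ike-version 2
        set remote-gw <PEER_PUBLIC_IP>      # placeholder: the non-Fortigate peer's public IP
        set nattraversal enable             # IKE moves to UDP 4500 once NAT is detected
        set psksecret <PRE_SHARED_KEY>      # placeholder
    next
end
config vpn ipsec phase2-interface
    edit "to-peer-p2"
        set phase1name "to-peer"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet <PEER_LAN_SUBNET>    # placeholder: the subnet behind the peer
    next
end
```

Firewall policies between "internal" and the "to-peer" tunnel interface are still required, and the peer's remote gateway is the router's public IP, not the FGT's wan1 address; once the ISP forwards UDP 500 and 4500 to wan1, either side can initiate.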