Jaspervdb
New Contributor

IPsec VPN behavior regarding IP addresses

Hi all, 

I'm relatively inexperienced with firewalls and would value any guidance you can provide.

Here's the scenario:
We're connected to another company via an IPsec VPN. The VPN was set up correctly and is operational. However, due to a recent change, we need to revise the policy.
We have a label printer connected to a PC. This PC must be able to communicate with a remote server through the VPN. Currently, the PC can reach the remote server via the VPN. The problem is that the VPN's other side is receiving our public IP instead of the source PC's IP.

Here are the actions I've taken:
I've created two objects: one for the PC and another for the target server.
I've established a new policy rule that permits traffic from the PC object (set to 'Any' during the testing phase) to pass through the VPN tunnel, with NAT disabled for this rule.
I've also set up the reverse policy rule in case the target server needs to initiate contact with the PC.

However, when we test the application for the printer, the logs show that the target server responds to our public IP rather than the source PC's IP.
I suspect I'm overlooking something or there's some aspect of VPN behavior I'm not grasping. I would greatly appreciate any assistance or insights.

Thank you for any help.



fricci_FTNT
Staff

Hi @Jaspervdb ,


If the server is receiving the public IP, it means you are NATing that traffic somehow. Check the routing, i.e. where the IPsec phase2 traffic is being sent to (interface and next hop). Check also the priority order of the firewall policies and which firewall policy is actually being hit by the phase2 traffic.

Please open two PuTTY SSH sessions and run a packet sniffer (verbosity 4) in one shell and a debug flow in the second PuTTY shell. Debug flow will show you the traffic path and the FortiGate's decisions based on what you have configured.
Below you can find some useful articles that also explain debug flow and the packet sniffer:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-session-table-information/...


Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Jaspervdb

After some more looking around on the internet I have found that the setup for the tunnel was with NAT. I disabled that, and now it seems to go through with the right IP. My problem is not solved yet, but I am getting closer. Thank you for those links; I will test everything abundantly.

Kind regards
Jasper
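As an added illustration (not from either poster), here is what the checks fricci_FTNT describes and the no-NAT policy Jasper ended up with look like in the FortiOS CLI. Interface names, address objects and the IPs 10.10.20.50 (PC) and 172.16.5.10 (partner server) are assumed placeholders, and the `#` lines are annotations rather than CLI input.

```text
# Firewall policy for PC -> partner server over a route-based IPsec tunnel.
# "set nat enable" on this policy (or on the tunnel's own policy) is what
# makes the partner see the FortiGate's public IP instead of the PC's IP.
config firewall policy
    edit 0
        set name "LabelPC_to_Partner"
        set srcintf "internal"          # LAN interface where the PC lives
        set dstintf "Partner-VPN"       # IPsec tunnel interface (placeholder)
        set srcaddr "LabelPC"           # address object for the PC
        set dstaddr "Partner-Server"    # address object for the remote server
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable                 # keep the PC's real source address
    next
end

# SSH session 1: packet sniffer, verbosity 4 (headers plus interface names),
# 0 = no packet limit, l = local timestamps. Shows which interface the
# traffic leaves on and what source IP it carries at that point.
diagnose sniffer packet any 'host 10.10.20.50 and host 172.16.5.10' 4 0 l

# SSH session 2: debug flow filtered on the PC's address.
diagnose debug flow filter addr 10.10.20.50
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
# ... send a print job, then read the trace: the "Allowed by Policy-<id>"
# line tells you which policy matched, and a "SNAT" entry after it means
# source address translation is still being applied on that path.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# Route actually used for the phase2 destination, and the live session
# (the session entry also shows whether NAT was applied to it).
get router info routing-table details 172.16.5.10
diagnose sys session filter dst 172.16.5.10
diagnose sys session list
```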
