Hello all,
I am having a problem with one of my sites connecting into another site.
Site A is the hub in the hub-spoke.
Site B is a spoke (obviously).
Site B has a primary and a secondary ISP.
When Site B is routing over its primary ISP, there are no problems, and it connects into Site A.
When Site B is routing over its secondary ISP, it cannot connect.
Site B is configured as follows:
Fortigate -> Router/DSL modem/wifi AP/switch in-a-box -> internet
The Fortigate is assigned a dynamic private address by DHCP, by the "modem box" (let's say 192.168.1.10). The "modem box" has a public IP address assigned by DHCP from the ISP.
The IPsec packets have a source address of the interface, 192.168.1.10. This is what is most interesting.
How do I properly configure the Fortigate to handle this configuration?
I figured use NAT-T.
Would I need to do the following (that I've had to implement previously with double NAT):
1) within the VPN config, specify the Local Gateway IP to be the public IP [not possible in this config as the public IP is dynamically assigned]
2) add this IP as a secondary IP bound to the interface
What is curious is there's very little information returned with debug ike -1, or even the fgt2eth packet captures. I just see two ISAKMP packets (targeting the NAT-T port, TCP port 4500).
Before I recommend that they spend more cash on getting a static address from their ISP, I'd like to see what others recommend in this situation.
Again:
1) The source address in the IPsec header is the 192.168.1.10.
2) The source address of the packet when received is the public address of modem.
= NAT traversal.
Thanks,
Matt
"…you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
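The mismatch Matt describes (private source address in the IKE packet, public modem address on arrival) is exactly what IKEv1 NAT discovery detects before the peers move to UDP 4500. The following is an added worked example, not code from the post or from Fortinet; it models that topology with RFC 3947 NAT-D payloads, and every address, port and cookie in it is constructed.

```python
"""IKEv1 NAT discovery (RFC 3947 NAT-D payloads) for a spoke whose IKE
packets leave with a private source but reach the hub from the modem's
public address.  Constructed values throughout; 192.168.1.10 mirrors the
post, the public addresses are TEST-NET documentation ranges."""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               algo: str = "sha1") -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 s.3.2.
    IP is the 4-octet IPv4 address, Port the 2-octet big-endian UDP port,
    and the hash is the phase 1 negotiated one (SHA-1 assumed here)."""
    data = (cky_i + cky_r + ipaddress.IPv4Address(ip).packed
            + struct.pack("!H", port))
    return hashlib.new(algo, data).digest()


def address_rewritten(cky_i: bytes, cky_r: bytes, ip: str, port: int,
                      peer_nat_d: list) -> bool:
    """True when the address/port as seen on this side matches none of the
    hashes the peer sent, i.e. a NAT changed it somewhere on the path."""
    return nat_d_hash(cky_i, cky_r, ip, port) not in peer_nat_d


def spoke_behind_modem_nat():
    """Model the post's topology. Returns (spoke_behind_nat, hub_behind_nat)."""
    cky_i = bytes.fromhex("0102030405060708")  # constructed initiator cookie
    cky_r = bytes.fromhex("a1a2a3a4a5a6a7a8")  # constructed responder cookie
    spoke_private = "192.168.1.10"   # FortiGate's DHCP address from the modem
    modem_public = "203.0.113.5"     # what the hub sees after the modem SNATs
    hub_public = "198.51.100.1"      # hub's static address
    ike = 500                        # NAT-D runs over UDP 500, then 4500

    # Spoke (initiator) hashes the addresses *it* sees: destination first,
    # then its own source, per RFC 3947.
    spoke_nat_d = [nat_d_hash(cky_i, cky_r, hub_public, ike),
                   nat_d_hash(cky_i, cky_r, spoke_private, ike)]
    # Hub (responder) hashes what *it* sees: the modem's public address.
    hub_nat_d = [nat_d_hash(cky_i, cky_r, modem_public, ike),
                 nat_d_hash(cky_i, cky_r, hub_public, ike)]

    # Each side checks its own address against the peer's view of it.
    spoke_behind_nat = address_rewritten(cky_i, cky_r, spoke_private, ike, hub_nat_d)
    hub_behind_nat = address_rewritten(cky_i, cky_r, hub_public, ike, spoke_nat_d)
    return spoke_behind_nat, hub_behind_nat
```

With the spoke flagged as NAT'd and the hub not, both peers should float to UDP 4500 and the spoke should send keepalives; if the capture stops after the first ISAKMP exchange, that float (or the modem's handling of UDP 4500) is where to look.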