New Contributor

IPsec tunnel with DNAT and SNAT

Hi all,


I'm working on a case where I have to replace a current IPsec tunnel with Fortigate HW, where the traffic should be NAT'ed in both directions (I've added a network drawing for clarification).


- I have simplified WAN IP addressing for my lab

- SITE B is managed by another company

- Traffic to SITE B is directed to the public IP address (DNAT by firewall B), and only accepted from public range on SITE A (SNAT by firewall A)

- Traffic from SITE B is delivered on the public IP address of SITE A and should be NAT'ed to internal (DNAT)



- delivers a print job to, port 10000

- FortiGate in SITE A should DNAT the traffic to, port 9100


I am unable to get the DNAT into SITE A working. I've tried both Policy-based IPsec and Route-based IPsec.

- With Policy-based IPsec I am unable to select the IPsec tunnel on a policy with WAN as source and LAN as destination (IPsec selection list is empty), only the other way. I have referred to scenario 2, although the VIP should not be wan-wan in my case but wan-lan.

- With Route-based IPsec I can't get it done to pass the traffic to and have the firewall take care of the VIP. I keep getting policy violations where the traffic is recognized as coming from WAN instead of the IPsec tunnel.


I was hoping that someone might help in this matter! Thanks in advance.


Esteemed Contributor III

1st, you can do DNAT/SNAT in an IPsec tunnel.

  • What is your configuration? And policy?

  • Also, why do you need to DNAT/SNAT in RFC1918 address space?

  • Did you run "diag debug flow"?


    Hint: on phase2, when you do NAT, make sure you allow the NAT'd address in the phase2 selectors, and with a route-based VPN make sure you have a route for the proper NAT'd address.



    Ken Felix

    PCNSE NSE StrongSwan
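An added worked example, not from the original thread and not Fortinet's own documentation: a route-based FortiOS CLI configuration for the setup described above. It SNATs SITE A's LAN to SITE A's public range on the way out (what firewall B expects), DNATs the inbound print job on the tunnel interface from port 10000 to the printer's port 9100, keeps the NAT'd public addresses (not the RFC1918 ones) in the phase 2 selectors, adds the static route for the remote public address into the tunnel, and finishes with the flow trace suggested in the reply. Every address, interface name and object name is an assumption: 203.0.113.0/24 as SITE A's public range with 203.0.113.10 as the NAT address, 198.51.100.10 as SITE B's public IP, 10.0.0.0/24 as SITE A's LAN with the printer at 10.0.0.50, "internal" as the LAN interface and "siteB" as the phase 1 tunnel interface.

```fortios
# Added example, not from the original post. All addresses and names are assumed.

# Phase 2 selectors must carry the NAT'd (public) addresses, not the RFC1918 LAN.
# Otherwise the remote side's traffic to 203.0.113.10 does not match the SA and
# the packet is seen as plain WAN traffic, which is the policy violation symptom.
config vpn ipsec phase2-interface
    edit "siteB-p2"
        set phase1name "siteB"
        set src-subnet 203.0.113.0 255.255.255.0
        set dst-subnet 198.51.100.10 255.255.255.255
    next
end

# Route the remote public address into the tunnel interface so that
# return traffic for the VIP and outbound print traffic both use the VPN.
config router static
    edit 0
        set dst 198.51.100.10 255.255.255.255
        set device "siteB"
    next
end

config firewall address
    edit "siteA-lan"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "siteB-public"
        set subnet 198.51.100.10 255.255.255.255
    next
end

# Outbound SNAT: LAN hosts leave the tunnel as 203.0.113.10 (the only source SITE B accepts).
config firewall ippool
    edit "siteA-public-pool"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

config firewall policy
    edit 0
        set name "lan-to-siteB"
        set srcintf "internal"
        set dstintf "siteB"
        set srcaddr "siteA-lan"
        set dstaddr "siteB-public"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "siteA-public-pool"
    next
end

# Inbound DNAT: VIP bound to the tunnel interface, 203.0.113.10:10000 -> 10.0.0.50:9100.
config firewall vip
    edit "printer-vip"
        set extintf "siteB"
        set extip 203.0.113.10
        set mappedip "10.0.0.50"
        set portforward enable
        set protocol tcp
        set extport 10000
        set mappedport 9100
    next
end

# Policy from the tunnel interface to LAN with the VIP as destination (tunnel -> lan, not wan -> lan).
config firewall policy
    edit 0
        set name "siteB-to-printer"
        set srcintf "siteB"
        set dstintf "internal"
        set srcaddr "siteB-public"
        set dstaddr "printer-vip"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Verify: trace the inbound print job. The trace should show the packet arriving
# on interface "siteB" and the VIP translating to 10.0.0.50:9100.
diagnose debug flow filter saddr 198.51.100.10
diagnose debug flow filter dport 10000
diagnose debug flow trace start 10
diagnose debug enable
```

If the flow trace shows the packet received on the WAN interface instead of "siteB", the packet was not matched by an IPsec SA: check that the remote side's phase 2 selectors mirror these (their destination must include 203.0.113.10) and that the local selector covers the NAT address. Remember to run "diagnose debug disable" and "diagnose debug flow filter clear" when done.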