I have a need for an IPsec tunnel between a remote company and a single VM server.
We have a Fortigate 300D connected to our vmware private cloud.
The local IP used needs to be a specific private IP as picked by the other company.
We have the ipsec tunnel up and running.
We need two ports open (12000 and 12001)
Our internal network is 10.0.0.0/24. The local IPsec IP is 10.209.251.56.
I'm not really sure where to start. Any suggestions or hints would be greatly appreciated.
We have the tunnel working. I've created a Virtual IP with:
Interface: the named IPsec tunnel
Type: Static NAT
External IP: 10.209.251.56 (the local IPsec IP address)
Mapped IP Address: 10.0.0.60 (the VM's private IP)
There are IPv4 policies as created by the IPsec wizard. I've tried to add another one to allow the traffic through to the VM:
Incoming Interface: named IPsec
Outgoing interface: internal interface (10.0.0.0/24)
Source: All (I'll lock down after initial test works)
Destination: the named virtual IP: 10.209.251.56->10.0.0.60
Services: named ports 12000 and 12001
I've tried NAT on and off.
What resources should I read or study? Do you have any ideas, solutions or hints?
Thank you
Mark
Either of those VIPs should work with NAT off on the policy. I would set VIP only for "ALL_ICMP" as well as the policy, then run the sniffer "diag sniffer packet any 'host SOURCE_IP_COMING_FROM' 4" at the FGT while pinging from the remote end. If you see it coming in from the VPN and going out to the internal interface, the problem is on the VM side, not accepting the source IP. If you see it coming in but not going out, you need to run "flow debug (diag debug flow)" to see why it's dropped by the FGT.
Arigato/Thank you.
I now have the tunnel working.
But I need to NAT the outbound traffic to a single specific private ip address.
I've tried
config vpn IPsec phase2-interface
edit "test tunnel"
set natip 10.209.251.56 255.255.255.255
next
end
but I'm getting a command parse error.
I don't see anywhere in the GUI to configure a NAT IP.
If anyone has a quick suggestion, I will happily accept. Else I'll close this ticket down as Toshi has helped me through the first hurdle.
I was talking about the inbound policy w/ the VIP. That doesn't need NAT. The outbound policy of course needs a (S)NAT to hide the VM's local IP.
But what you should be using for VIP and NAT is the interface IP of the VPN interface (same name with Phase1-Interface name). Not at the phase2-interface config.
config system interface
edit "PHASE1-NAME"
set ip 10.209.251.56 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip x.x.x.x 255.255.255.255
set interface WAN-INTERFACE
next
end
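For readers who want to see the two halves of the advice above in one place, the following is an added FortiOS CLI example written for this thread; it is not configuration posted by Mark or Toshi. It assumes the tunnel interface is named "PHASE1-NAME" (as in the reply above), the LAN-side port is named "internal", that ports 12000 and 12001 are TCP, and it uses the documentation range 192.0.2.0/24 as a placeholder for the remote company's subnet, which the thread never states. The inbound policy uses the static-NAT VIP with NAT disabled; the outbound policy enables NAT with no IP pool, so FortiOS sources the traffic from the tunnel interface's own IP (10.209.251.56), which is the effect Toshi describes.

```fortios
# Added example, not the thread's own configuration.
# Address objects: the VM and the remote side (192.0.2.0/24 is a PLACEHOLDER).
config firewall address
    edit "VM-10.0.0.60"
        set subnet 10.0.0.60 255.255.255.255
    next
    edit "REMOTE_COMPANY_NET"
        set subnet 192.0.2.0 255.255.255.0
    next
end

# Only the two application ports, assumed TCP here.
config firewall service custom
    edit "APP-12000-12001"
        set tcp-portrange 12000-12001
    next
end

# Static-NAT VIP on the tunnel interface: the agreed local IP maps to the VM.
config firewall vip
    edit "VIP-10.209.251.56"
        set extintf "PHASE1-NAME"
        set extip 10.209.251.56
        set mappedip "10.0.0.60"
    next
end

config firewall policy
    # Inbound: tunnel -> LAN, destination is the VIP, NAT stays off.
    edit 0
        set name "inbound-remote-to-vm"
        set srcintf "PHASE1-NAME"
        set dstintf "internal"
        set srcaddr "REMOTE_COMPANY_NET"
        set dstaddr "VIP-10.209.251.56"
        set action accept
        set schedule "always"
        set service "APP-12000-12001"
        set nat disable
    next
    # Outbound: LAN -> tunnel, source NAT to the tunnel interface IP
    # (no IP pool selected, so the outgoing interface address is used).
    edit 0
        set name "outbound-vm-to-remote"
        set srcintf "internal"
        set dstintf "PHASE1-NAME"
        set srcaddr "VM-10.0.0.60"
        set dstaddr "REMOTE_COMPANY_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

With this in place, the sniffer command from the first reply ("diag sniffer packet any 'host SOURCE_IP_COMING_FROM' 4") should show packets arriving on PHASE1-NAME and leaving on internal with destination 10.0.0.60; if they arrive but do not leave, "diag debug flow" with a filter on the remote host's address will name the policy or route check that dropped them. Lock the source down to the remote subnet rather than "all" once the test works, as Mark planned.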
I have gotten NAT working as needed.
This is closed