Mikelar
New Contributor

Ipsec & Double NAT - Fortigate 60D

Hi, I'm currently trying to set up a Fortigate 60D with an IPSec tunnel to one of our external providers. They've given me the specific VPN configs, and require us to NAT all traffic to their network to a specific address. I also need to NAT their network behind a local address, so that all of our internal hosts will connect to a single IP in order to connect to this provider's server over the tunnel. So far I've got the tunnel up, and traffic going across it, but I'm having a lot of trouble with the NATing. I've also found that under the IPSec monitor in the web config, I can see 2 tunnels at all times under the same name, although only one is able to be brought up. Diag debug of VPN traffic also confirms that there are constant phase1 attempts that go unanswered, despite the tunnel showing as up.

Desired Setup:
- External Provider will only ever see traffic from our network originating from the NAT address they've supplied us (150.x.x.229).
- Internal Users will only ever see the provider's server as the NAT address we've set up (10.136.21.10).

Current Status:
- IPSec tunnel: up
- Ping external server: successful from firewall
- Ping internal NAT from firewall: successful, but it's not going over the tunnel. Looks like it's only pinging its own interface with a reply time of 0.2ms.
- Ping internal NAT from host: unsuccessful

Current Config:

IPSec:
- Phase 1 (non-interface mode)
- Phase 2 - Quick Mode Selector - Source: 150.x.x.229 (provider NAT) - Dest: 150.x.x.10 (provider server)

Policy:
(1) srcport: internal, dstport: wan1, srcaddr: 150.x.x.10, 150.x.x.229, dstaddr: 150.x.x.10, 150.x.x.229, action: ipsec, sched/service: all, nat: disabled
(2) srcport: internal, dstport: wan1, srcaddr: any, dstaddr: VIP (10.136.21.10 -> 150.x.x.229), action: accept, sched/service: all

Static Routes:
0.0.0.0 wan1 172.16.0.1
150.x.x.10 wan1 172.16.0.1
10.136.30.0 internal 10.136.30.20
<various other internal static routes>

I've attempted to set up the IPSec tunnel in Interface mode, but for some reason I can't get the tunnel up. All other settings are identical, only the Local-gateway is set to the external VPN peer (62.x.x.x). Also note that the ADSL modem should not be an issue, as the tunnel has been established. Any suggestions or advice would be very much appreciated; I've dug through multiple resources to try and get this working. This is actually going to be a secondary link, as we already have an identical setup in another office to the same provider (only with a different model firewall).

Cheers,
Mike
Sylvia
Contributor II

Hi Mike, if I have to NAT a lot within an IPSec tunnel I would always prefer having the IPSec tunnel in interface mode. NATting with policy-based mode is really limited. I understand that you have already tried this and the tunnel didn't get up with interface mode. (I guess that the QM selectors didn't match or that no firewall policies were configured - but you can troubleshoot the issue with diag deb ena, diag deb appl ike -1.) Anyhow - I would try to solve the problem with the interface mode and then try to do the NAT stuff.

Regards,
Sylvia
emnoc
Esteemed Contributor III

Agreed, and I never heard of anybody attempting this in a policy-based vpn. IIRC in the policy-based vpn the proxy-ids are normally defined by the traffic matching that policy. I would build an ip pool (150.x.x.229) and apply it to a fwpolicy for the SNAT. Change the vpn as mentioned before to interface-mode and route-based and then give it a try. Sylvia hit the nail squarely on the head with using the diagnostic commands to help steer along the path. I would also include the diag debug flow as part of your diagnostics.
PCNSE NSE StrongSwan
ede_pfau
SuperUser

Of course you would, Ken :-)) and right so! OP, for interface mode VPN, you need:
- phase1 and phase2 (in CLI: phase1-interface and phase2-interface)
- a policy
- a static route pointing the remote subnet to the tunnel interface (same name as the phase1)
Ede Kernel panic: Aiee, killing interrupt handler!
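An added worked example (not taken from any post in this thread) putting the checklist above and emnoc's IP pool suggestion together for the OP's setup: an interface-mode tunnel, a VIP so internal hosts reach the provider server as 10.136.21.10, an IP pool so the provider only sees 150.x.x.229, one policy, and the static route. Object names, the PSK placeholder, the remote-gw placeholder, and the VIP mapping of 10.136.21.10 to the provider server 150.x.x.10 are assumptions; the x.x octets stand for the addresses masked in the thread and no proposal is set, so the provider's supplied phase1/phase2 proposals must be added.

```fortios
# Interface-mode tunnel: the phase1 name "provider-vpn" becomes the tunnel interface.
config vpn ipsec phase1-interface
    edit "provider-vpn"
        set interface "wan1"
        set remote-gw 62.x.x.x
        set psksecret "REPLACE-WITH-PROVIDER-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "provider-vpn-p2"
        set phase1name "provider-vpn"
        set src-subnet 150.x.x.229 255.255.255.255
        set dst-subnet 150.x.x.10 255.255.255.255
    next
end
config firewall ippool
    edit "provider-snat"
        set type overload
        set startip 150.x.x.229
        set endip 150.x.x.229
    next
end
config firewall vip
    edit "provider-server-vip"
        set extintf "internal"
        set extip 10.136.21.10
        set mappedip "150.x.x.10"
    next
end
# One policy does both translations (DNAT via the VIP, SNAT via the pool);
# the route below sends 150.x.x.10 into the tunnel so dstintf matches.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "provider-vpn"
        set srcaddr "all"
        set dstaddr "provider-server-vip"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "provider-snat"
    next
end
config router static
    edit 0
        set dst 150.x.x.10 255.255.255.255
        set device "provider-vpn"
    next
end
```

The phase2 selectors (150.x.x.229/32 to 150.x.x.10/32) match the post-SNAT source, which is why the pool type is overload: every internal host is translated to that single address before the traffic enters the tunnel.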
Mikelar
New Contributor

Thanks all for the replies, very much appreciated. The more I read up on NAT and IPSec tunnels on the fortigate, the more I was leaning towards interface mode. I've used the diag debug commands quite a lot with my troubleshooting all last week, so I think it will be more of a matter of figuring out why the tunnel won't come up in interface mode. I recall the debug output giving me something along the lines of 'No matching Policy', despite the settings being nearly identical to my setup in policy mode. I think with some more detailed troubleshooting the tunnel could be established in interface mode, and the NAT and routing should be easier to implement. Unfortunately the fortigate was only loaned to us to test this setup, as we've had issues with other firewalls not supporting the required NAT functionality when attempting to implement this link. I no longer have access to the fortigate, but if the unit does support the features we need, we'll likely be purchasing the same unit in the near future. Is anyone able to confirm that what I'm attempting to do here is possible with the Fortigate 60D? Again thanks for all your responses, these forums look like a great resource.

Cheers,
Mike