Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Steve_Fuller
New Contributor III

Natted VPN with tunnel across interface with

This is a VPN tunnel to a datacenter with Ciscos with two Phase 2 tunnels. Both are natted because of address conflicts. Interface 2 is going to a Cisco 800 series. Interface 2: 60D-192.168.100.1<>ASA-192.168.100.2<>ASA-172.20.2.0/24. Traffic passed through the VPN until I replaced an ASA 505 with a 60D. Never attempted this; it seems like it should work. I'll show the relevant sections and the trace I'm getting. Grateful for suggestions.

 

Policy--Working Interface 1 to tunnel

    set srcintf "internal1"
    set dstintf "toDell"
    set srcaddr "dot1-add"
    set dstaddr "toDell_remote"
    set action accept
    set schedule "always"
    set service "ALL"
    set nat enable

    set srcintf "toDell"
    set dstintf "internal1"
    set srcaddr "all"
    set dstaddr "22nat"
    set action accept
    set schedule "always"
    set service "ALL"

Policy--Not working Interface 2 to Tunnel

    set srcintf "internal2"
    set dstintf "toDell"
    set srcaddr "all"
    set dstaddr "toDell_remote"
    set action accept
    set schedule "always"
    set service "ALL"
    set nat enable

    set srcintf "toDell"
    set dstintf "internal2"
    set srcaddr "all"
    set dstaddr "23nat"
    set action accept
    set schedule "always"
    set service "ALL"

 

VIP

    edit "22nat"
        set extip 172.22.0.1-172.22.0.254
        set extintf "toDell"
        set mappedip "172.20.1.1-172.20.1.254"
    next
    edit "23nat"
        set extip 172.23.0.1-172.23.0.254
        set extintf "toDell"
        set mappedip "172.20.2.1-172.20.2.254"

 

Phase 2 Working

    edit "toDell"
        set phase1name "toDell"
        set proposal 3des-md5
        set pfs disable
        set replay disable
        set comments "VPN: toDell"
        set keylifeseconds 28800
        set src-subnet 172.22.0.0 255.255.255.0
        set dst-subnet 10.1.96.0 255.255.240.0

Phase 2 Not working

    edit "smtodell"
        set phase1name "toDell"
        set proposal 3des-md5
        set pfs disable
        set replay disable
        set keylifeseconds 28800
        set src-subnet 172.23.0.0 255.255.255.0
        set dst-subnet 10.1.96.0 255.255.255.0

Trace Working

    id=20085 trace_id=114 func=print_pkt_detail line=5293 msg="vd-root received a packet(proto=1, 172.20.1.12:2->10.1.100.11:2048) from internal1. type=8, code=0, id=2, seq=7561."
    id=20085 trace_id=114 func=resolve_ip_tuple_fast line=5368 msg="Find an existing session, id-0000e1df, original direction"
    id=20085 trace_id=114 func=npu_handle_session44 line=907 msg="Trying to offloading session from internal1 to toDell, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00002000"
    id=20085 trace_id=114 func=__ip_session_run_tuple line=3093 msg="SNAT 172.20.1.12->172.22.0.12:2"
    id=20085 trace_id=114 func=ipsecdev_hard_start_xmit line=144 msg="enter IPsec interface-toDell"
    id=20085 trace_id=114 func=esp_output4 line=1174 msg="IPsec encrypt/auth"
    id=20085 trace_id=114 func=ipsec_output_finish line=534 msg="send to 168.215.61.209 via intf-wan1"

 

Trace-Not working

    id=20085 trace_id=851 func=print_pkt_detail line=4861 msg="vd-root received a packet(proto=1, 172.20.2.183:1->10.1.100.11:2048) from internal2. type=8, code=0, id=1, seq=1519."
    id=20085 trace_id=851 func=resolve_ip_tuple_fast line=4925 msg="Find an existing session, id-012972b2, original direction"
    id=20085 trace_id=851 func=npu_handle_session44 line=904 msg="Trying to offloading session from internal2 to toDell, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
    id=20085 trace_id=851 func=__ip_session_run_tuple line=2823 msg="SNAT 172.20.2.183->172.23.0.183:1"
    id=20085 trace_id=851 func=ipsecdev_hard_start_xmit line=122 msg="enter IPsec interface-toDell"
    id=20085 trace_id=851 func=ipsec_common_output4 line=766 msg="No matching IPsec selector, drop"

Toshi_Esumi
SuperUser

It's saying "No matching IPsec selector, drop" because dst:10.1.100.11 is not inside of "set dst-subnet 10.1.96.0 255.255.255.0".

Steve_Fuller

That has to be natted on the other end of the tunnel--the same address is working on the other phase 2.  

Toshi_Esumi

Working one has /20 for the mask, not /24.

     "set dst-subnet 10.1.96.0 255.255.240.0"

Steve_Fuller

Thank you so much.  I was assuming it was due to the 2nd interface--not a simple oversight.  
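As an added example, not code from the thread or from Fortinet, here is a small Python script that reproduces the selector check the second trace fails on. It parses the two phase 2 entries quoted above (re-typed inline as constructed input), turns the dotted masks into prefix lengths, and reports whether a post-SNAT flow is covered by a src-subnet/dst-subnet pair. The function names `parse_phase2`, `matching_selectors`, `verdict` and `selector_gap` are the script's own, and treating an unset selector as 0.0.0.0/0 is an assumption based on the FortiOS default.

```python
import ipaddress

# Constructed input: the two phase 2 entries quoted in the thread, re-typed as
# a string so the script runs offline. "smtodell" carries the /24 mask that
# turned out to be the problem; "toDell" carries the working /20.
PHASE2_CONFIG = """
edit "toDell"
    set phase1name "toDell"
    set src-subnet 172.22.0.0 255.255.255.0
    set dst-subnet 10.1.96.0 255.255.240.0
next
edit "smtodell"
    set phase1name "toDell"
    set src-subnet 172.23.0.0 255.255.255.0
    set dst-subnet 10.1.96.0 255.255.255.0
next
"""

# Same config with the mask on "smtodell" widened to /20 (the fix from the thread).
FIXED_CONFIG = PHASE2_CONFIG.replace(
    "10.1.96.0 255.255.255.0", "10.1.96.0 255.255.240.0")

# Assumption: an unset selector means "any", the FortiOS default of 0.0.0.0/0.
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_phase2(text):
    """Return {name: (src_subnet, dst_subnet)} for each edit ... next block.

    Dotted masks are accepted directly by ipaddress ("10.1.96.0/255.255.240.0"),
    which normalises them to prefix lengths, so /24 vs /20 becomes visible.
    """
    selectors = {}
    name, src, dst = None, ANY, ANY
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            name, src, dst = line.split(None, 1)[1].strip('"'), ANY, ANY
        elif line.startswith("set src-subnet "):
            _, _, addr, mask = line.split()
            src = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith("set dst-subnet "):
            _, _, addr, mask = line.split()
            dst = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line == "next" and name is not None:
            selectors[name] = (src, dst)
            name = None
    return selectors


def matching_selectors(selectors, src_ip, dst_ip):
    """Names of phase 2 entries whose selector pair covers src_ip -> dst_ip.

    src_ip must be the address *after* outbound SNAT: both traces show the
    SNAT step running before the packet enters the IPsec interface.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [n for n, (sn, dn) in selectors.items() if s in sn and d in dn]


def verdict(selectors, src_ip, dst_ip):
    """Summarise the outcome the trace would show for a post-NAT flow."""
    names = matching_selectors(selectors, src_ip, dst_ip)
    if not names:
        return "No matching IPsec selector, drop"
    return "encrypt via " + ", ".join(names)


def selector_gap(selectors, name, dst_ip):
    """Spell out the range a dst-subnet actually covers, to show the miss."""
    _, dn = selectors[name]
    return (f"{dst_ip} not in {dn} "
            f"({dn.network_address}-{dn.broadcast_address})")


SELECTORS = parse_phase2(PHASE2_CONFIG)
FIXED_SELECTORS = parse_phase2(FIXED_CONFIG)

if __name__ == "__main__":
    for n, (sn, dn) in SELECTORS.items():
        print(f"{n}: {sn} -> {dn}")
    # Post-SNAT tuples taken from the two traces in the thread.
    print("internal1 flow:", verdict(SELECTORS, "172.22.0.12", "10.1.100.11"))
    print("internal2 flow:", verdict(SELECTORS, "172.23.0.183", "10.1.100.11"))
    print(selector_gap(SELECTORS, "smtodell", "10.1.100.11"))
    print("internal2 flow after fix:",
          verdict(FIXED_SELECTORS, "172.23.0.183", "10.1.100.11"))
```

Two things the script makes explicit that the raw CLI output hides: the selector is evaluated against the translated source (172.23.0.183, not 172.20.2.183), so any VIP or `set nat enable` in the policy has to be folded in before comparing; and two entries that share the network address 10.1.96.0 but differ only in the fourth mask octet cover ranges of very different size (10.1.96.0-10.1.96.255 versus 10.1.96.0-10.1.111.255), which is exactly the kind of mismatch this thread ended on.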
