Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- Lacework
- FortiAppSec Cloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Need to NAT Traffic leaving a vpn Tunnel
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 05-19-2011 10:20 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need to NAT Traffic leaving a vpn Tunnel
I' m from Cisco Land (don' t laugh
) and have a fortigate that I am working with. I want all traffic going across a site to site vpn tunnel to be nat' d outbound to appear to be the inside IP address of the Fortigate.
VPN Tunnel is already active, but we have changed some internal IPs and figured it might be easier to do this than deal with the remote site' s IT folks.
Any assistance is appreciated.
) and have a fortigate that I am working with. I want all traffic going across a site to site vpn tunnel to be nat' d outbound to appear to be the inside IP address of the Fortigate.
VPN Tunnel is already active, but we have changed some internal IPs and figured it might be easier to do this than deal with the remote site' s IT folks.
Any assistance is appreciated.
- « Previous
-
- 1
- 2
- Next »
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, for this example, the tunnel is called " Tun.xTESTx" . Make a backup of your config. Snip out the config sections for the firewall policy and the phase 1 & 2 definitions.
config vpn ipsec phase1
edit " Tun.xTESTx"
set interface " port2"
set nattraversal disable
set dhgrp 2
set proposal 3des-md5
set remote-gw xx.xx.xx.xx
set psksecret ENC blah-blah-blah (This is your encoded key, do not alter)
next
end
config vpn ipsec phase2
edit " Tun.xTESTx"
set keepalive enable
set phase1name " Tun.xTESTx"
set proposal 3des-md5
set src-addr-type ip
set dhgrp 2
set dst-subnet xx.xx.xx.0 255.255.255.0
set keylifeseconds 28800
set src-start-ip xx.xx.xx.xx
next
end
config firewall policy
edit 58
set srcintf " port1"
set dstintf " port2"
set srcaddr " Server"
set dstaddr " Remote.Sub.xTESTx"
set action ipsec
set schedule " always"
set service " ANY"
set logtraffic enable
set inbound enable
set outbound enable
set vpntunnel " Tun.xTESTx"
next
endEither from the CLI or the GUI, delete the policy(s) that are attached to the tunnel. (#58 here)
config firewall policy
delete 58
endEither from the CLI or the GUI, delete the phase2 and phase1 definitions for the tunnel in that order.
config vpn ipsec phase2
delete " Tun.xTESTx"
end
config vpn ipsec phase1
delete " Tun.xTESTx"
endNext, go into the snippets of the code (above) and make the following changes (in green:(
config vpn ipsec phase1-interface
edit " Int.xTESTx"
set interface " port2"
set nattraversal disable
set dhgrp 2
set proposal 3des-md5
set remote-gw xx.xx.xx.xx
set psksecret ENC blah-blah-blah
next
end
config vpn ipsec phase2-interface
edit " Int.xTESTx"
set keepalive enable
set phase1name " Int.xTESTx"
set proposal 3des-md5
set src-addr-type ip
set dhgrp 2
set dst-subnet xx.xx.xx.0 255.255.255.0
set keylifeseconds 28800
set src-start-ip xx.xx.xx.xx
next
end
config firewall policy
edit 58
set srcintf " port1"
set dstintf " Int.xTESTx"
set srcaddr " Server"
set dstaddr " Remote.Sub.xTESTx"
set action accept <-No longer " ipsec"
set schedule " always"
set service " ANY"
set logtraffic enable
set inbound enable <-REMOVE THIS
set outbound enable <-REMOVE THIS
set vpntunnel " Tun.xTESTx" <-REMOVE THIS
next
endGo to the CLI widget or open an SSH session and paste in the changed configuration sections. In addition to the above changes, you will need a policy from the outside in as well as a static route(s) to the remote subnet(s). With the code changes in place prior, all this cutting and pasting should take under five minutes. Also a side note: I changed the name from a prefix of " Tun." for policy based to " Int." for interface based. Just something I do. Also if the tunnel doesn' t come up right away, have the far end drop their connection so the tunnel can re-key.
Hope that works for you.
Good luck
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Changing from policy based VPN to interface-based VPN is quite easy:
- get the config (unencrypted)
- modify the text file
- restore this config (will reboot)
If you compare the VPN sections for the two tunnel modes the only difference is that it' s named " conf vpn ipsec phase1,2-interface" instead of just " conf vpn ipsec phase1,2" . So changing that takes only seconds.
The new VPN will show up as a network interface (with its phase1 name). So you define ordinary policies ' internal->tunnel' and ' tunnel->internal' to allow traffic to and from the tunnel.
And like for routing to any other remote subnet you create a static route for the remote subnet behind the tunnel, specifying the tunnel interface as destination interface (no gateway needed). In the CLI it' s " conf route static" etc. You can do that from the GUI as well even after restoring.
And in 1,2,3 you are done.
IN YOUR CASE don' t forget to check the NAT option in the policy ' internal->tunnel' ! That' s what this whole thread is about.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable
Created on 05-23-2011 05:03 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks to both of you.
One more and hopefully finally question.
I have 1 phase 1, but multiple phase 2s for this config where exactly do insert the interface command?
:
config vpn ipsec phase1
edit " XXXXX"
set type static
set interface " wan1"
set local-gw 0.0.0.0
set dpd enable
set nattraversal enable
set dhgrp 1 5
set proposal des-md5 3des-sha1 aes128-md5
set keylife 86400
set authmethod psk
set peertype any
set xauthtype disable
set mode main
set localid ' '
set localid-type auto
set remote-gw XXXXX
set dpd-retrycount 3
set dpd-retryinterval 5
set psksecret ENC XXXXX set keepalive 10
next
end
config vpn ipsec phase2
edit " XXXXXX-p2-1"
set auto-negotiate disable
set dst-addr-type subnet
set dst-port 0
set encapsulation tunnel-mode
set keepalive disable
set keylife-type both
set pfs disable
set phase1name " XXXX"
set proposal des-md5 3des-sha1 aes128-sha1
set protocol 0
set replay disable
set selector-match auto
set src-addr-type subnet
set src-port 0
set use-natip enable
set dst-subnet XXXX 255.255.255.0
set keylifekbs 8192
set keylifeseconds 86400
set src-subnet XXXXX 255.255.255.0
next
edit " XXXX-p2-2"
set auto-negotiate disable
set dst-addr-type subnet
set dst-port 0
set encapsulation tunnel-mode
set keepalive disable
set keylife-type both
set pfs disable
set phase1name " XXXXX"
set proposal des-md5 3des-sha1 aes128-sha1
set protocol 0
set replay disable
set selector-match auto
set src-addr-type subnet
set src-port 0
set use-natip enable
set dst-subnet XXX 255.255.255.0
set keylifekbs 8192
set keylifeseconds 86400
set src-subnet XXXXX 255.255.255.0
next
edit " XXXX-p2-3"
set auto-negotiate disable
set dst-addr-type subnet
set dst-port 0
set encapsulation tunnel-mode
set keepalive disable
set keylife-type both
set pfs disable
set phase1name " XXXX"
set proposal des-md5 3des-sha1 aes128-null
set protocol 0
set replay disable
set selector-match auto
set src-addr-type subnet
set src-port 0
set use-natip enable
set dst-subnet XXXX 255.255.255.0
set keylifekbs 8192
set keylifeseconds 86400
set src-subnet XXXX 255.255.255.0
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
config vpn ipsec phase2-interface
edit " XXXXXX-p2-1"
set auto-negotiate disable
set dst-addr-type subnet
set dst-port 0
set encapsulation tunnel-mode
set keepalive disable
set keylife-type both
set pfs disable
set phase1name " XXXX"
set proposal des-md5 3des-sha1 aes128-sha1
set protocol 0
set replay disable
set selector-match auto
set src-addr-type subnet
set src-port 0
set use-natip enable
set dst-subnet XXXX 255.255.255.0
set keylifekbs 8192
set keylifeseconds 86400
set src-subnet XXXXX 255.255.255.0
next
edit " XXXX-p2-2"
set auto-negotiate disable
set dst-addr-type subnet
set dst-port 0
set encapsulation tunnel-mode
set keepalive disable
set keylife-type both
set pfs disable
set phase1name " XXXXX"
set proposal des-md5 3des-sha1 aes128-sha1
set protocol 0
set replay disable
set selector-match auto
set src-addr-type subnet
set src-port 0
set use-natip enable
set dst-subnet XXX 255.255.255.0
set keylifekbs 8192
set keylifeseconds 86400
set src-subnet XXXXX 255.255.255.0
next
edit " XXXX-p2-3"
set auto-negotiate disable
set dst-addr-type subnet
set dst-port 0
set encapsulation tunnel-mode
set keepalive disable
set keylife-type both
set pfs disable
set phase1name " XXXX"
set proposal des-md5 3des-sha1 aes128-null
set protocol 0
set replay disable
set selector-match auto
set src-addr-type subnet
set src-port 0
set use-natip enable
set dst-subnet XXXX 255.255.255.0
set keylifekbs 8192
set keylifeseconds 86400
set src-subnet XXXX 255.255.255.0
next
end
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,792 -
FortiClient
1,786 -
5.2
801 -
FortiManager
742 -
5.4
639 -
FortiAnalyzer
566 -
FortiSwitch
481 -
FortiAP
475 -
FortiClient EMS
438 -
6.0
416 -
5.6
362 -
FortiMail
324 -
SSL-VPN
254 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
216 -
FortiWeb
210 -
5.0
196 -
FortiNAC
194 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
109 -
FortiGateCloud
102 -
FortiSIEM
100 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
58 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
FortiExtender
45 -
DNS
45 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
RADIUS
36 -
NAT
36 -
Certificate
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
SSO
33 -
Interface
32 -
VDOM
31 -
FortiConnect
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
FortiGate-VM
23 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
OSPF
16 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1742 | |
| 1113 | |
| 759 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.