Hello,
Tried to make an IPsec tunnel between my FortiGate and a server built on OPNsense.
My FortiGate is a 100F behind SNAT. SNAT is made by a Virtual IP and forwards connections from the external IP to an IP on a loopback interface. I don't have any interface directly connected to the internet, so I have to use a Virtual IP as SNAT.
OPNsense is also behind 1:1 SNAT.
Something like:
OPNsense 10.0.0.1/21<-->SNAT<-->95.100.100.1<-->Internet>95.100.200.1<-->SNAT on Virtual IP>10.200.0.1/32 on loopback<-->Local net
IPs are for show purposes only.
I've successfully made the tunnel; phase 1 and phase 2 are green from both sides.
The problem is that the FortiGate receives incoming packets from OPNsense but rejects them as coming from an unknown SPI. In the log details I have the correct local IP, the correct remote IP and, most importantly, the correct SPI number from both sides.
I've tried IKEv1 and v2, with NAT and without NAT, and many other options.
Nope, all the time the FortiGate, even if the tunnel stays UP from both sides, says that the packet incoming from that tunnel is from unknown. I don't know how to check if Forti correctly sees, for example, the remote ID (the ID behind SNAT) of the existing tunnel; maybe it only sees the IP from the internet side, I don't know :(
On the other hand, why did Forti allow the tunnel to be made between the sides, only to reject packets now?
I'm clueless what more I can check; I hope that someone can show me some directions?
Hello,
I checked all day and still can't find why Forti rejects correct packets.
It drives me crazy :)
Hi,
maybe the problem is due to not setting the remote ID on Forti. I only see Local ID in the IPsec settings. Is it possible to set a Remote ID on IPsec?
Hello Tomka,
Thank you for posting to Fortinet Community Forums. We thank you for your patience. As per your query, yes, you can set the remote ID on the IPSEC configuration on your Forti device. However, the remote ID on Fortigate config is called peer ID.
Please check the link mentioned below which helps in configuring peer ID.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-of-PeerID-and-LocalID-in-IPsec-VPN-bet...
# config vpn ipsec phase1-interface
edit <phase1_name>
set mode aggressive
set type dynamic
set peertype one
set peerid "ftnt-peer"
end
Please let us know if this helps
Thanks
So here comes the solution.
Forti has a big problem if you attach the IPsec interface to a loopback interface.
Something is wrong with recognising the loopback interface as the end of SNAT in the IPsec tunnel.
In the end the tunnel can be set up, but Forti will reject ESP packets as coming from an unknown source.
So the solution is to cheat Forti and set the IP address of the loopback interface to the same as the IP of the external interface in the IPsec tunnel. Then Forti doesn't see a different IP on the end of SNAT and accepts packets from the tunnel.
The solution was found on a Palo Alto forum, as they had a similar problem, but they are a bit more active.
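As an added illustration of the mismatch this workaround avoids (example code written for this page, not FortiOS internals and not from the thread's author), the model below assumes the inbound SA is keyed by the address of the interface the tunnel is attached to plus the SPI, and that an arriving ESP packet is matched on its destination address plus SPI; the IPs reuse the thread's example addresses and the SPI value is made up.

```python
import ipaddress
import struct

# Constructed model of the SA match described in the thread, not FortiOS code.
# Assumption: the inbound SA is keyed by (address of the interface the tunnel
# is attached to, SPI) and an arriving ESP packet is matched on (its dst, SPI).

def parse_esp_header(packet: bytes):
    """Return (spi, seq) from the RFC 4303 ESP header (32-bit SPI, 32-bit seq)."""
    if len(packet) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", packet[:8])


class InboundSADB:
    """Inbound SA table keyed by (local tunnel address, SPI)."""

    def __init__(self):
        self._sas = {}

    def install(self, local_ip: str, spi: int, peer_ip: str):
        self._sas[(ipaddress.ip_address(local_ip), spi)] = ipaddress.ip_address(peer_ip)

    def classify(self, dst_ip: str, packet: bytes) -> str:
        """'accepted' when (dst, SPI) matches an installed SA, else the drop reason."""
        spi, _seq = parse_esp_header(packet)
        if (ipaddress.ip_address(dst_ip), spi) in self._sas:
            return "accepted"
        return f"dropped: unknown SPI {spi:#010x} for {dst_ip}"


# Constructed ESP packet: SPI 0xc0ffee01, sequence 1, dummy ciphertext.
ESP_PACKET = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16
PEER_IP = "95.100.100.1"       # OPNsense side, public address (thread's example IPs)
EXTERNAL_IP = "95.100.200.1"   # FortiGate side, public address the peer sends to
LOOPBACK_IP = "10.200.0.1"     # loopback the tunnel is attached to before the fix


def before_fix() -> str:
    """SA bound to the loopback address; packet arrives for the external address."""
    sadb = InboundSADB()
    sadb.install(LOOPBACK_IP, 0xC0FFEE01, PEER_IP)
    return sadb.classify(EXTERNAL_IP, ESP_PACKET)


def after_fix() -> str:
    """Thread's workaround: loopback carries the external address, so keys match."""
    sadb = InboundSADB()
    sadb.install(EXTERNAL_IP, 0xC0FFEE01, PEER_IP)
    return sadb.classify(EXTERNAL_IP, ESP_PACKET)
```

Calling before_fix() yields the "unknown SPI" drop for the external address, while after_fix() returns "accepted"; the real check on a FortiGate is comparing the local gateway address in the tunnel's SA listing with the destination address ESP actually arrives on.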