Hello there. I'm trying to set up a VPN tunnel with the interface behind NAT. Our main connection uses PPoE interface which is basically directly connected to FortiGate, it works fine. The backup connection though is behind ADSL modem, so it uses a private IP as a source, I made a port forwarding for 500 and 4500 from ADSL modem, but it's still down. I'd really appreciate any help, since i'm not a network engineer and i'm kinda new to the fortignet. Here are the diag commands:
diag vpn ike gateway
vd: root/0 name: BACKUP_Connection_btk version: 1 interface: wan1 5 addr: 192.168.100.2:500 -> 3*.**.***.***:500 created: 20s ago IKE SA: created 1/1 IPsec SA: created 0/0 id/spi: 22767 796fed2d927050f4/0000000000000000 direction: initiator status: connecting, state 3, started 20s ago
diag vpn tunnel list
name=BACKUP_Connection_btk ver=1 serial=5 192.168.100.2:0->3*.**.***.*** dst_mtu=0 bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0 proxyid_num=1 child_num=0 refcnt=9 ilast=23 olast=23 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=MSQtoCER350_btk proto=0 sa=0 ref=1 serial=3 src: 0:10.100.0.0/255.255.0.0:0 dst: 0:10.31.0.0/255.255.0.0:0 0:10.0.19.0/255.255.255.0:0 0:10.1.19.0/255.255.255.0:0 0:10.198.0.0/255.255.0.0:0 0:10.55.1.0/255.255.255.0:0 0:10.31.18.0/255.255.255.0:0
Thank you! Eugene Belyayev IT Administration
Just looked into on of mine:
config vpn ipsec phase1-interface
edit "tunnel pahse1 name"
set interface "port15"
set ike-version 2
set keylife 3600
set peertype any
set proposal aes256-sha256
set negotiate-timeout 15
set dpd on-idle
set npu-offload disable
set dhgrp 14
set nattraversal disable
set remote-gw <ip of gw>
set psksecret ENC <hash>
set dpd-retryinterval 5
next
end
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
config vpn ipsec phase2-interface
edit "phase name"
set phase1name "phase1 name"
set proposal aes256-sha256
set dhgrp 14
set keepalive enable
set keylifeseconds 1800
next
end
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
On this one I am using IKE v2. It is not using mode config and it does not use pahse2 selectors (in gui you woud se 0.0.0.0/0.0.0.0 there) as I dont need them because my sttic routes plus policies specifiy what goes over the tunnels.
Both ends are behind external (Lancom) Routers with NAT and it even works without using NAT Traversal here :)
This works fine here.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Also you should check if your wan interface has a static wan ip or not. If not you have to use some dyndns service because the client needs a static remote gateway. If your FGT is using Fortinet DNS Servers you could do that with the built in FortiDDNs service.
Also with some ptp ipsec tunnel between Fortigates I ran into issues of ike creating "dead ends" if the other end is not yet available due to Phase1 autonegotiation preventing the vpn from coming up. IKE Debuggin helped here.
sorry for the multiplication of my post. Wasn't my intention but some unexpected malfunction of the forum software.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.