Support Forum
Eugene_Belyayev
New Contributor

Set up vpn interface behind NAT

Hello there. I'm trying to set up a VPN tunnel with the interface behind NAT. Our main connection uses a PPPoE interface which is basically directly connected to the FortiGate; it works fine. The backup connection though is behind an ADSL modem, so it uses a private IP as a source. I made a port forwarding for 500 and 4500 from the ADSL modem, but it's still down. I'd really appreciate any help, since I'm not a network engineer and I'm kinda new to Fortinet. Here are the diag commands:

diag vpn ike gateway

vd: root/0
name: BACKUP_Connection_btk
version: 1
interface: wan1 5
addr: 192.168.100.2:500 -> 3*.**.***.***:500
created: 20s ago
IKE SA: created 1/1
IPsec SA: created 0/0

  id/spi: 22767 796fed2d927050f4/0000000000000000
  direction: initiator
  status: connecting, state 3, started 20s ago

diag vpn tunnel list

name=BACKUP_Connection_btk ver=1 serial=5 192.168.100.2:0->3*.**.***.*** dst_mtu=0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=9 ilast=23 olast=23 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=MSQtoCER350_btk proto=0 sa=0 ref=1 serial=3
  src: 0:10.100.0.0/255.255.0.0:0
  dst: 0:10.31.0.0/255.255.0.0:0 0:10.0.19.0/255.255.255.0:0 0:10.1.19.0/255.255.255.0:0 0:10.198.0.0/255.255.0.0:0 0:10.55.1.0/255.255.255.0:0 0:10.31.18.0/255.255.255.0:0

Thank you! Eugene Belyayev IT Administration

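A small parser for the two diag outputs above that turns them into fields and flags the conditions worth checking first when a tunnel behind NAT sits at "connecting" (private local IKE address with no NAT-T negotiated, IKE SA present but no IPsec SA, accept_traffic=0). This is an added example, not code from the original post or from Fortinet. The sample text is constructed from the outputs in the post, with the masked peer address replaced by the documentation address 203.0.113.10; the field names are read exactly as the diag output labels them.

```python
import ipaddress
import re

# Constructed sample input, built from the two diag outputs in the post.
# The masked peer address is replaced with 203.0.113.10 (RFC 5737 documentation range).
IKE_GATEWAY = """\
vd: root/0
name: BACKUP_Connection_btk
version: 1
interface: wan1 5
addr: 192.168.100.2:500 -> 203.0.113.10:500
created: 20s ago
IKE SA: created 1/1
IPsec SA: created 0/0
  id/spi: 22767 796fed2d927050f4/0000000000000000
  direction: initiator
  status: connecting, state 3, started 20s ago
"""

TUNNEL_LIST = """\
name=BACKUP_Connection_btk ver=1 serial=5 192.168.100.2:0->203.0.113.10 dst_mtu=0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=9 ilast=23 olast=23 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=MSQtoCER350_btk proto=0 sa=0 ref=1 serial=3
  src: 0:10.100.0.0/255.255.0.0:0
  dst: 0:10.31.0.0/255.255.0.0:0 0:10.0.19.0/255.255.255.0:0
"""


def parse_ike_gateway(text):
    """Parse 'diag vpn ike gateway' output: one 'key: value' per line, plus derived fields."""
    gw = {}
    for line in text.splitlines():
        key, sep, val = line.strip().partition(": ")
        if sep:
            gw[key] = val
    # 'addr: <local>:<port> -> <remote>:<port>'
    m = re.match(r"(\S+):(\d+) -> (\S+):(\d+)$", gw.get("addr", ""))
    if m:
        gw["local_ip"], gw["remote_ip"] = m.group(1), m.group(3)
        gw["local_port"], gw["remote_port"] = int(m.group(2)), int(m.group(4))
    # 'IKE SA: created 1/1' -> ike_sa_created = 1; same for 'IPsec SA'
    for sa in ("IKE SA", "IPsec SA"):
        m = re.match(r"created (\d+)/(\d+)", gw.get(sa, ""))
        if m:
            gw[sa.lower().replace(" ", "_") + "_created"] = int(m.group(1))
    return gw


def parse_tunnel_list(text):
    """Parse 'diag vpn tunnel list' into flat key=value pairs.

    Sub-sections such as 'natt: mode=none ...' are stored as 'natt.mode'.
    Keys that repeat (e.g. 'serial' in the per-proxyid section) keep the last value,
    which does not matter for the fields checked here.
    """
    tun = {}
    for line in text.splitlines():
        body = line.strip()
        prefix = ""
        m = re.match(r"^(\w+):\s+(.*)$", body)
        if m:
            prefix, body = m.group(1) + ".", m.group(2)
        for key, val in re.findall(r"(\S+?)=(\S*)", body):
            tun[prefix + key] = val
    return tun


def diagnose(gw, tun):
    """Return a list of findings describing why the tunnel is not up."""
    findings = []
    local = ipaddress.ip_address(gw["local_ip"])
    if local.is_private and tun.get("natt.mode", "none") == "none":
        findings.append(
            f"local IKE address {local} is private (behind NAT) but no NAT-T was negotiated "
            "(natt: mode=none): confirm 'set nattraversal enable' on the phase1 and that "
            "UDP 500/4500 are forwarded to this address")
    if gw.get("ipsec_sa_created", 0) == 0 and gw.get("status", "").startswith("connecting"):
        findings.append(
            "phase1 is still 'connecting' and no IPsec SA exists: the peer is not answering "
            "or proposals/PSK mismatch; run an IKE debug on both ends")
    if tun.get("accept_traffic") == "0":
        findings.append("tunnel is not accepting traffic (accept_traffic=0)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_ike_gateway(IKE_GATEWAY), parse_tunnel_list(TUNNEL_LIST)):
        print("-", finding)
```

Paste real output in place of the two constructed strings; the private-address test uses the standard library's RFC 1918 classification, so a public local address (the PPPoE case in the post) produces no NAT-T finding.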
13 REPLIES
sw2090
Honored Contributor

Just looked into one of mine:

 

config vpn ipsec phase1-interface
    edit "tunnel phase1 name"
        set interface "port15"
        set ike-version 2
        set keylife 3600
        set peertype any
        set proposal aes256-sha256
        set negotiate-timeout 15
        set dpd on-idle
        set npu-offload disable
        set dhgrp 14
        set nattraversal disable
        set remote-gw <ip of gw>
        set psksecret ENC <hash>
        set dpd-retryinterval 5
    next
end

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

sw2090
Honored Contributor

config vpn ipsec phase2-interface
    edit "phase name"
        set phase1name "phase1 name"
        set proposal aes256-sha256
        set dhgrp 14
        set keepalive enable
        set keylifeseconds 1800
    next
end

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

sw2090
Honored Contributor

On this one I am using IKE v2. It is not using mode config and it does not use phase2 selectors (in the GUI you would see 0.0.0.0/0.0.0.0 there) as I don't need them because my static routes plus policies specify what goes over the tunnels.

 

Both ends are behind external (Lancom) Routers with NAT and it even works without using NAT Traversal here :)

 

This works fine here.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

sw2090
Honored Contributor

Also you should check if your wan interface has a static wan IP or not. If not, you have to use some dyndns service because the client needs a static remote gateway. If your FGT is using Fortinet DNS servers you could do that with the built-in FortiDDNS service.

 

Also with some ptp ipsec tunnel between FortiGates I ran into issues of ike creating "dead ends" if the other end is not yet available, due to Phase1 autonegotiation preventing the vpn from coming up. IKE debugging helped here.

 

Sorry for the multiplication of my post. Wasn't my intention, but some unexpected malfunction of the forum software.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
