Requirement:
Access multiple remote client hosts (not the entire remote LAN) over VPN while presenting my local clients as a single IP of 61.x.x.x. This is to comply with security imposed by the remote client's Cisco ASR. See the pic below for the requirement.
Following the existing Fortinet doco http://cookbook.fortinet.com/vpn-overlapping-subnets/ , I am only able to successfully establish a routed VPN between the gateways 219.x.x.x <> 185.x.x.x using the "Site to Site - Cisco" wizard template and then converting it to a custom VPN. Attempts to manually set up the tunnel without converting from the template didn't work, despite matching all configuration!
My local LAN 192.168.0.x clients will need to access a number of specific remote hosts, e.g. 10.1.x.x and 10.2.x.x.
Below are the Policies modified from the fortigate autocreated ones:
    edit 45
        set srcintf "internal"
        set dstintf "VPN-Phase1"
        set srcaddr "Local LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set natip 66.x.x.x 255.255.255.255
    next
    edit 46
        set srcintf "VPN-Phase1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Local LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set fixedport enable
Static routes to the remote hosts are also being set:
    next
    edit 13
        set dst 10.1.x.x 255.255.255.255
        set device "VPN-Phase1"
    next
    edit 14
        set dst 10.2.x.x 255.255.255.255
        set device "VPN-Phase1"
At the moment the VPN tunnel comes up with no problem, but no traffic passes through. Traceroute shows that it doesn't go any further than the FortiGate's local LAN gateway.
I have also read through an almost identical thread https://forum.fortinet.com/tm.aspx?m=104484 but the details were scarce, so I am at a loss as to what else may be missing.
First of all, do you really need to set up VIPs on both sides like in the cookbook? If the other side is your customer, you likely don't want to let them get into your network. Besides, your local subnet doesn't seem to overlap with the customer's.
Then those policies don't look right. If you need only one-way access, the only thing you need is to enable NAT at your local FG on the outgoing policy (45). Then it automatically uses the VPN interface IP, which you must have as 61.x.x.x/255.255.255.255 as in your diagram. You might not even need policy 46 for the opposite direction because it's one-way. Then it should work from a local device toward the customer devices.
You still need to have static routes for the customer subnets you need to reach on the FG toward the tunnel, if the GUI hasn't created them automatically yet. Check via the CLI.
Then you need to run the ike app debug while you try sending packets toward the customer device, to see if phase 2 comes up.
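The advice above, written out as a FortiOS CLI fragment. This is an added example, not configuration from the original post or from Fortinet's cookbook; the interface, address and policy names are taken from the question, the 61.x.x.x tunnel address from the requirement, and the peer's tunnel-side address is a placeholder assumption. It shows the outgoing policy with plain `set nat enable` (no `natip`, so the source is translated to the VPN interface's own address), the tunnel interface carrying that address, the host routes, and the debug session to run while a LAN client sends traffic. One caveat the thread does not spell out: the phase 2 selectors on both ends must cover 61.x.x.x/32 as the local side and the customer hosts as the remote side, since the packets entering the tunnel carry the post-NAT source address.

```fortios
# Added example (not from the original post). "x" placeholders are kept
# as in the question; 61.x.x.y (the peer end of the tunnel) is assumed.

# 1. The tunnel interface must own the address the customer expects to see.
#    remote-ip syntax (with or without a mask) varies by FortiOS version.
config system interface
    edit "VPN-Phase1"
        set ip 61.x.x.x 255.255.255.255
        set remote-ip 61.x.x.y 255.255.255.255
    next
end

# 2. Outgoing policy: NAT enabled, no natip/pool, so the FortiGate
#    translates 192.168.0.x sources to the VPN-Phase1 interface IP.
#    Policy 46 (customer -> LAN) is omitted for one-way access.
config firewall policy
    edit 45
        set srcintf "internal"
        set dstintf "VPN-Phase1"
        set srcaddr "Local LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# 3. Host routes for the specific customer machines toward the tunnel.
config router static
    edit 13
        set dst 10.1.x.x 255.255.255.255
        set device "VPN-Phase1"
    next
    edit 14
        set dst 10.2.x.x 255.255.255.255
        set device "VPN-Phase1"
    next
end

# 4. Diagnostics: run these, then ping 10.1.x.x from a 192.168.0.x client.
#    The IKE debug shows whether phase 2 negotiates for the selectors;
#    the flow trace shows which policy/route the packet hits and the
#    NAT'd source address it leaves with.
diagnose debug reset
diagnose debug application ike -1
diagnose debug flow filter daddr 10.1.x.x
diagnose debug flow trace start 20
diagnose debug enable
# ... send test traffic, then stop and inspect the SA state:
diagnose debug disable
diagnose vpn tunnel list
diagnose sniffer packet any "host 10.1.x.x" 4
```

If `diagnose vpn tunnel list` shows the phase 2 SA up but the sniffer shows packets leaving with a 192.168.0.x source, NAT is not being applied on the matched policy; if no phase 2 SA appears at all, compare the selectors in the IKE debug against what the Cisco ASR is configured to accept.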
Copyright 2024 Fortinet, Inc. All Rights Reserved.