Hello,
I'll start by saying I am new to Fortigate products.
I am trying to set up a new site-to-site VPN with NAT involved, and I am new to the Fortigate firewall. Below is the information about the Fortigate and the VPN tunnel. I looked for a step-by-step setup guide and have not found what I need to successfully set up a working tunnel with NAT. I'm setting up the Fortigate side and the client is setting up the remote peer side. Any help is appreciated. If more information is needed, please advise.
Fortigate model = Fortigate VM64 (in cloud) v 6.2.3 build 1066
Fortigate WAN = 10.10.2.x
Fortigate LAN = 10.10.0.X
Local IP server = 10.10.0.28
Remote peer = 123.78.140.250
Remote subnets = 123.78.140.29 and 123.78.140.30
NAT IP = 10.255.12.240
IKE Auth Method = pre-shared key
IKE Encryption Algorithm = AES256
IKE Hash Algorithm = SHA1
IKE Diffie-Hellman Group = 2
Phase 1 lifetime = 86400
IPsec Encryption Algorithm = AES256
IPsec Integrity Algorithm = SHA1
Perfect Forward Secrecy = Disabled
Mode = Tunnel
IP Payload Compression = Disabled
Dead Peer Detection = On
Thank you in advance.
John
Did you enable NAT-T?
We don't work for free, but here's a basic cfg. Assume IKEv1, and assuming you SNAT your LAN behind 10.255.12.240.

# 1st: the end side that terminates the 2x public addresses

config vpn ipsec phase1-interface
    edit "spoke1-FGT"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set peertype one
        set proposal aes256-sha1
        set localid "hubvpn.example.com"
        set localid-type fqdn
        set dpd on-idle
        set dhgrp 2
        set peerid "spokeFGT.example.com"
        # <- stick your PSK here
        set psksecret blahblahblbah
    next
end
config vpn ipsec phase2-interface
    edit "spoke1-FGT-1"
        set phase1name "spoke1-FGT"
        set proposal aes256-sha1
        set pfs disable
        set src-subnet 123.78.140.29/32
        set dst-subnet 10.255.12.240/32
    next
    edit "spoke1-FGT-2"
        set phase1name "spoke1-FGT"
        set proposal aes256-sha1
        set pfs disable
        set src-subnet 123.78.140.30/32
        set dst-subnet 10.255.12.240/32
    next
end
config router static
    edit 0
        set dst 10.255.12.240 255.255.255.255
        set device "spoke1-FGT"
    next
end
# do not forget your policy tied to the spoke1-FGT interface; I'm not wasting my time writing a policy example for you

===================== other side FGT that has no public address =====================

config vpn ipsec phase1-interface
    edit "hub1-FGT"
        set type static
        set interface "wan1"
        set ike-version 1
        set peertype one
        set proposal aes256-sha1
        set localid "spokeFGT.example.com"
        set localid-type fqdn
        set dhgrp 2
        set peerid "hubvpn.example.com"
        set remote-gw 123.78.140.250
        # <- stick your PSK here
        set psksecret blahblahblbah
        # <- adjust keepalive as required
        set keepalive 12
    next
end
config vpn ipsec phase2-interface
    edit "hub1-FGT-1"
        set phase1name "hub1-FGT"
        set proposal aes256-sha1
        set pfs disable
        set dst-subnet 123.78.140.29/32
        set src-subnet 10.255.12.240/32
    next
    edit "hub1-FGT-2"
        set phase1name "hub1-FGT"
        set proposal aes256-sha1
        set pfs disable
        set dst-subnet 123.78.140.30/32
        set src-subnet 10.255.12.240/32
    next
end

# now for the policy: you should create an IP NAT pool for the to-be-NAT'd address of 10.255.12.240
config firewall ippool
    edit "10.255.12.240"
        set startip 10.255.12.240
        set endip 10.255.12.240
    next
end

Now for ANY fw policy that you bind to that IPsec virtual interface, you use that IP NAT pool, so the clients are SNAT behind that, e.g.

config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "hub1-FGT"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "10.255.12.240"
    next
end
config router static
    edit 0
        set dst 123.78.140.29 255.255.255.255
        set device "hub1-FGT"
    next
    edit 0
        set dst 123.78.140.30 255.255.255.255
        set device "hub1-FGT"
    next
end

You can add or restrict the policy address; I'm not going to waste my time writing out an example, but the above would get you up. I charge 145 p/HR if you need consulting or services.

Ken Felix
PCNSE
NSE
StrongSwan
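The answer above leaves the policy at srcaddr/dstaddr "all" and stops at the SNAT pool. As an added example (not from the original post, and not Fortinet's own reference config), here is John's side of the tunnel with the policy restricted to the one server and the two remote hosts, the reverse-direction VIP that is needed if the client initiates sessions to the NAT address, a hardened proposal set as an alternative to the SHA1/DH group 2/no-PFS set the client mandates, and the 6.2 CLI checks to run once both sides are configured. Assumptions: the WAN interface on the VM is "port1" and the LAN is "port2" (a FortiGate-VM normally has portN interfaces rather than "wan1"), the phase1 is named "hub1-FGT" and the ippool "10.255.12.240" as in the answer above, and the address-object, VIP and policy names are invented for this example.

```fortios
# Added example, not from the original post. Assumed names: port1 (WAN),
# port2 (LAN), phase1 "hub1-FGT", ippool "10.255.12.240"; object names invented.

# Address objects so the policy is not srcaddr/dstaddr "all".
config firewall address
    edit "srv-10.10.0.28"
        set subnet 10.10.0.28 255.255.255.255
    next
    edit "client-123.78.140.29"
        set subnet 123.78.140.29 255.255.255.255
    next
    edit "client-123.78.140.30"
        set subnet 123.78.140.30 255.255.255.255
    next
end

# Outbound: only the server may cross the tunnel, SNATed to 10.255.12.240.
config firewall policy
    edit 0
        set name "srv-to-client-vpn"
        set srcintf "port2"
        set dstintf "hub1-FGT"
        set srcaddr "srv-10.10.0.28"
        set dstaddr "client-123.78.140.29" "client-123.78.140.30"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "10.255.12.240"
    next
end

# Inbound, only if the client opens sessions to 10.255.12.240: a VIP on the
# tunnel interface maps the NAT address back to the real server.
config firewall vip
    edit "vip-10.255.12.240"
        set extintf "hub1-FGT"
        set extip 10.255.12.240
        set mappedip "10.10.0.28"
    next
end
config firewall policy
    edit 0
        set name "client-to-srv-vpn"
        set srcintf "hub1-FGT"
        set dstintf "port2"
        set srcaddr "client-123.78.140.29" "client-123.78.140.30"
        set dstaddr "vip-10.255.12.240"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Proposal hardening. aes256-sha1 / DH group 2 / PFS off is what the peer
# mandates, but SHA1 and a 1024-bit DH group are weak. If the peer can be
# moved, negotiate these instead; both sides must match exactly.
config vpn ipsec phase1-interface
    edit "hub1-FGT"
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set dpd on-idle
    next
end
config vpn ipsec phase2-interface
    edit "hub1-FGT-1"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
    next
    edit "hub1-FGT-2"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
    next
end

# Verification (FortiOS 6.2 CLI syntax).
get vpn ipsec tunnel summary
diagnose vpn ike gateway list
diagnose vpn tunnel list
# If phase1 never comes up, watch the IKE exchange with this peer only,
# generate traffic from 10.10.0.28, then stop the debug.
diagnose vpn ike log-filter rem-addr4 123.78.140.250
diagnose debug application ike -1
diagnose debug enable
diagnose debug disable
diagnose debug reset
# Confirm ISAKMP / NAT-T packets actually leave for and return from the peer.
diagnose sniffer packet any 'host 123.78.140.250 and (udp port 500 or udp port 4500)' 4
```

In the IKE debug, a phase1 that stalls after the first exchange with a "no proposal chosen" style message means the proposal, DH group or IDs differ between the two sides; a phase2 that fails selector matching means the src/dst subnets are not mirrored (the 123.78.140.29 and .30 /32 selectors on one side must be the 10.255.12.240/32 selectors' exact counterparts on the other). The sniffer line shows whether UDP 4500 is in use, which is the quickest way to confirm NAT-T kicked in.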
NAT-T is enabled by default for ISAKMP SAs.
Ken Felix