Hi,
I have to configure an IPSec VPN in a Fortigate 70d to bring it up with a remote Forticlient installed in a PC. The Fortigate is behind an ISP router with a public IP that is making NAT from public network to Fortigate, and Fortigate is making a second NAT to site's LAN.
I had read in the forum that it is necessary to open UDP ports 500 and 4500 in the router. I have made a NAT in the ISP's router, mapping these ports on the public IP to the same ports on the Fortigate's WAN interface, but the VPN is not working.
Is any other change necessary to configure this VPN?
Thanks.
ESP (IP protocol 50) needs to be allowed through the NAT point as well. Do you see any packets arriving from the client at the 70C's port when you sniff?
Hi,
Did you activate NAT-T in the VPN configuration?
hklb wrote: Hi,
Did you activate NAT-T in the VPN configuration?
Hi,
Yes, it is active.
toshiesumi wrote: ESP (IP protocol 50) needs to be allowed through the NAT point as well. Do you see any packets arriving from the client at the 70C's port when you sniff?
How can I allow ESP? Regarding the sniffer, how can I check from the web GUI whether any packets are arriving at the 70C's port?
It depends on your ISP's router, but I hope you can do it the same way you did for UDP (protocol 17). Otherwise you might need to forward everything coming to the public IP to your FG.
If you haven't done sniffing with your FG yet, get yourself familiarized with the CLI and "diag sniffer packet <wan_interface> 'host <peer_publicIP>'". You should see IPSec attempts from the client.
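As an added example (not part of this thread or Fortinet's own tooling), the script below takes the text that the sniffer command above prints, counts the three kinds of traffic discussed in this thread (IKE on UDP/500, NAT-T on UDP/4500, raw ESP as IP protocol 50) per direction for one peer IP, and maps what is missing to the checks the replies suggest. The capture lines are constructed and only approximate the sniffer's line format (timestamp, interface, in/out, src -> dst, protocol); the interface name `wan1` and the documentation-range addresses are placeholders.

```python
"""Classify FortiGate 'diag sniffer packet' output by IPsec traffic type.

Added example for this thread. The sample capture below is constructed and
only approximates the sniffer's output format; it is not captured output.
"""
import re
from collections import Counter

# Constructed sample of what `diag sniffer packet wan1 'host 203.0.113.10'`
# might print. Interface, addresses and SPI are placeholders (assumption).
SAMPLE_CAPTURE = """\
interfaces=[wan1]
filters=[host 203.0.113.10]
1.103452 wan1 in 203.0.113.10.500 -> 198.51.100.20.500: udp 352
1.104870 wan1 out 198.51.100.20.500 -> 203.0.113.10.500: udp 344
1.210011 wan1 in 203.0.113.10.4500 -> 198.51.100.20.4500: udp 236
1.211340 wan1 out 198.51.100.20.4500 -> 203.0.113.10.4500: udp 228
2.015220 wan1 in 203.0.113.10 -> 198.51.100.20: ESP(spi=0x0c9f12aa,seq=0x1)
"""

# One packet line: timestamp, interface, direction, src[.port] -> dst[.port]: proto ...
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)

IKE_PORT = 500      # IKE (ISAKMP)
NATT_PORT = 4500    # NAT-T: IKE and UDP-encapsulated ESP


def classify(rest, sport, dport):
    """Label a packet as 'ike', 'nat-t', 'esp' or 'other'."""
    if rest.startswith("ESP"):
        return "esp"
    if rest.startswith("udp"):
        ports = {sport, dport}
        if IKE_PORT in ports:
            return "ike"
        if NATT_PORT in ports:
            return "nat-t"
    return "other"


def summarize(capture, peer_ip):
    """Count packets per (type, direction) that involve peer_ip."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines such as interfaces=[...] / filters=[...]
        if peer_ip not in (m["src"], m["dst"]):
            continue
        sport = int(m["sport"]) if m["sport"] else None
        dport = int(m["dport"]) if m["dport"] else None
        counts[(classify(m["rest"], sport, dport), m["dir"])] += 1
    return counts


def diagnose(counts):
    """Turn the counts into the checks raised in the thread."""
    findings = []
    if counts[("ike", "in")] == 0:
        findings.append("no IKE (UDP/500) from the peer: check the UDP/500 forward on the ISP router")
    if counts[("nat-t", "in")] == 0:
        findings.append("no NAT-T (UDP/4500) from the peer: check the UDP/4500 forward and that NAT-T is enabled on the phase1")
    if counts[("esp", "in")] == 0 and counts[("nat-t", "in")] == 0:
        findings.append("no ESP (IP protocol 50) from the peer: the ISP router must pass protocol 50 or forward everything to the FortiGate")
    if counts[("ike", "in")] and counts[("ike", "out")] == 0:
        findings.append("IKE arrives but the FortiGate sends no reply: check the phase1 interface and peer settings")
    return findings or ["expected IPsec traffic from the peer is arriving at the FortiGate"]


if __name__ == "__main__":
    summary = summarize(SAMPLE_CAPTURE, "203.0.113.10")
    for (kind, direction), n in sorted(summary.items()):
        print(f"{kind:6} {direction:3} {n}")
    for finding in diagnose(summary):
        print("-", finding)
```

Paste real sniffer output in place of the constructed sample and set the peer IP to the FortiClient's public address; an empty result for the inbound IKE row means the ISP router is not forwarding UDP/500 to the FortiGate at all, which is the first thing to fix before looking at NAT-T or ESP.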