CK173
New Contributor

VPN Passthrough over Fortigate 100D

Hi all,

I have a query here. We have just migrated over to a FortiGate 100D.

In our environment, there is a ZyWALL VPN firewall sitting behind the FortiGate firewall which has a VPN with one of our vendors, for them to use when troubleshooting some systems.

The ZyWALL VPN WAN interface is using one of the local LAN IP addresses (172.16.x.x) and the LAN interface is another private 10.x.x.x segment for the systems. My problem here is that the IPsec tunnel between the ZyWALL and the vendor cannot be established.

I suppose the FortiGate needs to allow VPN passthrough, but I am not sure how this can be done.

My current configuration:

1) Created a one-to-one NAT using one available external IP in the IP Pools.

2) In the Virtual IPs, mapped the external IP to the ZyWALL's internal WAN IP.

3) Created one policy from LAN to WAN1 with source (the internal IP of the ZyWALL WAN interface), destination all, NAT enabled with IP Pool Configuration using the external IP created in the IP Pool. Services: allow all.

Is there any other area I need to be looking into? I would really appreciate it if anyone can offer me some advice.

Thanks in advance.

CKL
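The three steps above, written out as FortiOS CLI, as an added example that is not part of the original post. The public IP 203.0.113.10, the ZyWALL WAN address 172.16.1.10, the interface name "internal" and all object names are placeholders for the values the post elides. Two things a reviewer would change relative to the post: the inbound policy is limited to the predefined IKE (UDP 500/4500) and ESP services rather than ALL, because the VIP exposes the ZyWALL to the whole Internet, and both policies must sit above any broader LAN-to-WAN rule so the ZyWALL's traffic actually matches them.

```fortios
# Added example: FortiOS CLI equivalent of the VIP / IP pool / policy setup
# described in the post. All IPs, interface names and object names are assumed.
config firewall address
    edit "zywall-wan-host"
        # The ZyWALL's WAN interface, which lives on the FortiGate's LAN side.
        set subnet 172.16.1.10 255.255.255.255
    next
end

config firewall vip
    edit "vip-zywall"
        # Step 2: static 1:1 mapping from the spare public IP to the ZyWALL WAN IP.
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "172.16.1.10"
    next
end

config firewall ippool
    edit "pool-zywall"
        # Step 1: one-to-one pool so outbound IKE/ESP leaves from the same public IP
        # that the vendor has configured as the peer address.
        set type one-to-one
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

config firewall policy
    edit 10
        # Step 3: outbound IKE/ESP from the ZyWALL, source-NATed via the pool.
        set name "zywall-vpn-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "zywall-wan-host"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
        set nat enable
        set ippool enable
        set poolname "pool-zywall"
    next
    edit 11
        # Inbound: the vendor initiating to, or replying to, the ZyWALL via the VIP.
        # Restricted to IKE and ESP; "ALL" would expose every ZyWALL WAN service.
        set name "zywall-vpn-in"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-zywall"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
    next
end
```

Both the pool and the VIP use the same public address, which is the pattern the post describes; if the vendor only ever initiates the tunnel, policy 10 still has to exist for the ZyWALL's IKE replies and for ESP it sends once the tunnel is up.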
Toshi_Esumi
SuperUser

For 2), you've applied it to another policy, so that you have a pair of policies together with the one for 3), right?

The first thing I would recommend is to sniff the VPN traffic between the source and destination at the 100D's LAN port, while the vendor sniffs the same on their end, to see if the VPN packets are reaching the other end with a proper source IP.
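The capture Toshi suggests, plus a flow trace that shows which policy the ZyWALL's packets actually hit, as an added example that is not from the reply. The ZyWALL WAN address 172.16.1.10 and the interface name "internal" are assumptions; substitute the real ones.

```fortios
# Added example: watch IKE (UDP 500/4500) and ESP from the ZyWALL on the LAN port.
# Verbosity 4 prints the interface each packet arrives on or leaves from,
# count 0 means run until Ctrl-C, and "l" adds local timestamps.
diagnose sniffer packet internal 'host 172.16.1.10 and (udp port 500 or udp port 4500 or esp)' 4 0 l

# The same filter on wan1: the source address should now be the public IP
# from the pool. IKE visible on internal but absent here points at the
# policy or NAT configuration rather than at the vendor.
diagnose sniffer packet wan1 'udp port 500 or udp port 4500 or esp' 4 0 l

# Flow trace: prints the policy ID each packet matched, or the reason it was
# dropped (no matching policy, reverse path check, etc.).
# On FortiOS 6.0 and later, "show console enable" is "show function-name enable".
diagnose debug reset
diagnose debug flow filter addr 172.16.1.10
diagnose debug flow show console enable
diagnose debug flow trace start 50
diagnose debug enable
# ... retry the tunnel from the ZyWALL while this runs, then clean up:
diagnose debug disable
diagnose debug reset
```

The flow trace is the quickest way to explain the symptom in the next reply (zero hits on the outbound policy): it names the policy that did match, or says that none did.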

CK173
New Contributor

Hi,

Thanks for the quick reply.

Yes, I have another policy for incoming traffic:

Incoming interface - WAN1

Outgoing interface - LAN (Internal)

Source - All

Destination - The NATed external IP mapped to the internal 172.16.x.x IP

Service - Allow all

I can see that there is some traffic hitting the incoming policy, but I can't seem to see any related to the VPN.

Meanwhile the outgoing policy LAN to WAN (placed at the top of the sequence of rules) has no traffic at all. It seems like traffic is not able to reply or go out from the internal LAN to the WAN.

I will need to arrange for the vendor to help sniff the traffic on their end and hopefully get some clues.

Thank you.

ede_pfau

VPN parameters?

In Main mode, the external WAN IP is part of the authentication process. That won't work in your case. Use Aggressive Mode, with peer ID.

Of course, you have to enable NAT-T (NAT traversal) on both sides.

Ede Kernel panic: Aiee, killing interrupt handler!
ede_pfau

Actually,

the cleanest way to configure this is to move the VPN to your VPN gateway, which is the FGT now. Anything else is frickling IMHO.

Ede Kernel panic: Aiee, killing interrupt handler!
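Ede's "move the VPN to the FGT" written out in FortiOS CLI, as an added example that is not from the reply. The vendor gateway 198.51.100.20, the vendor network 192.0.2.0/24, the system segment 10.20.0.0/24 behind the ZyWALL, the ZyWALL WAN address 172.16.1.10 and the pre-shared key are placeholders; none of these values appear in the thread. Because the FortiGate owns the public IP, main mode works and no VIP or IP pool is needed, but two routing details still matter: the FortiGate needs a static route for the 10.x segment via the ZyWALL, and the ZyWALL must send traffic for the vendor network to the FortiGate instead of into its own (now removed) tunnel.

```fortios
# Added example: terminate the vendor tunnel on the FortiGate instead of the ZyWALL.
# All addresses, names and the PSK are placeholders to be replaced.
config vpn ipsec phase1-interface
    edit "vendor-vpn"
        set interface "wan1"
        set ike-version 1
        # The FortiGate has the public IP, so main mode with PSK is fine here.
        set mode main
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        # Vendor's public gateway (placeholder).
        set remote-gw 198.51.100.20
        set psksecret ReplaceWithLongRandomPSK
    next
end

config vpn ipsec phase2-interface
    edit "vendor-vpn-p2"
        set phase1name "vendor-vpn"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        # Local selector: the system segment that still sits behind the ZyWALL.
        set src-subnet 10.20.0.0 255.255.255.0
        # Remote selector: the vendor's network.
        set dst-subnet 192.0.2.0 255.255.255.0
    next
end

config firewall address
    edit "net-system-lan"
        set subnet 10.20.0.0 255.255.255.0
    next
    edit "net-vendor"
        set subnet 192.0.2.0 255.255.255.0
    next
end

config router static
    edit 0
        # Vendor network is reached through the tunnel interface.
        set dst 192.0.2.0 255.255.255.0
        set device "vendor-vpn"
    next
    edit 0
        # The system segment is still behind the ZyWALL: route it via the ZyWALL WAN IP.
        set dst 10.20.0.0 255.255.255.0
        set gateway 172.16.1.10
        set device "internal"
    next
end

config firewall policy
    edit 20
        # Vendor -> systems, limited to the system segment. Narrow "service" to the
        # ports the vendor actually needs for troubleshooting once they are known.
        set name "vendor-to-systems"
        set srcintf "vendor-vpn"
        set dstintf "internal"
        set srcaddr "net-vendor"
        set dstaddr "net-system-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 21
        # Only needed if the systems must initiate connections toward the vendor.
        set name "systems-to-vendor"
        set srcintf "internal"
        set dstintf "vendor-vpn"
        set srcaddr "net-system-lan"
        set dstaddr "net-vendor"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

With the tunnel on the FortiGate, the VIP and inbound "all to VIP" policy from the first post can be removed, which also closes the Internet-facing exposure of the ZyWALL's WAN interface.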