rharms_tarc

VPN Traffic Only Works One Direction

Bus VPN DNAT Issue Diagram.png

 

For some quick background, I'm trying to establish IPsec VPN tunnels with a fleet of transit buses to allow access to some on-prem servers at our headquarters.  Each bus has a non-FortiGate cellular router using the same 192.168.x.0/24 internal subnet.  Equivalent devices on each bus use the same IP address from that subnet (Device A on every bus is 192.168.x.100).

 

To overcome the issue with 150 or so tunnels all using the same 192.168.x.0/24 remote subnet, someone at Fortinet suggested I use VRFs to isolate each of the tunnels, and that seems like a workable solution.  Traffic comes into the VRF from the IPsec tunnel and as it passes through the VRF it is SNATed to a unique 10.x network.  It can then flow from the VRF across a VDOM link into our HQ internal network to the servers it needs to reach.  Yes, doing it with VDOMs would potentially be better, but I can't afford the licensing nor the hardware it would take to do that.

 

I've got the IPsec tunnel up and stable and I've got the VRF and VDOM links configured.  Traffic that initiates on the remote end works fine.  I can initiate a ping from a device behind the remote router to one of the internal servers, and it makes it through the remote router->IPsec Tunnel->FortiGate to the server, and the reply packet makes the return trip as it should. 

 

The problem I'm facing now is I can't initiate traffic from the server on the internal network and have it make it to the device behind the remote router.  A trace on the FortiGate shows the traffic coming in on the LAN interface as it should and then being routed into the IPsec tunnel's VRF via the VDOM link, but that is where it stops.  From there, I need to DNAT for the 192.168.x.0/24 network and then have it route down the IPsec tunnel, but I can't seem to get that to work.

 

I've tried setting up DNAT with a VIP on the firewall rule that allows traffic from the VRF 9 end of the VDOM link to the IPsec tunnel, but that doesn't work.  Running a trace, I see the packet come into the FortiGate, but it is never routed into the VRF.  Instead, the FortiGate goes ahead and does the DNAT to the 192.168.x.0/24 address, but, since the packet is still in VRF 0 instead of VRF 9 at that point, the FortiGate doesn't know how to route it and sends it back out of the LAN interface (we do have a 192.168.x.0 network on our internal network as well).  I need that DNAT to happen only after the packet has been routed across the VDOM link into VRF 9, so that the FortiGate knows how to route it properly.

 

We aren't currently using Central NAT, but I wonder if divorcing the NAT settings from the firewall policies would make this all work better.

    

   

rharms_tarc

 

config system interface
    edit "Coach-21xx-VPN"
        set vdom "root"
        set vrf 9
        set type tunnel
        set snmp-index 49
        set interface "port15"
    next
	edit "Coach21xxVR0"
        set vdom "root"
        set vrf 0
        set priority 1
        set dhcp-relay-interface-select-method auto
        set management-ip 0.0.0.0 0.0.0.0
        set ip 9.9.9.1 255.255.255.252
        set allowaccess ping https
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set l2forward disable
        set icmp-send-redirect enable
        set icmp-accept-redirect enable
        set reachable-time 30000
        set stpforward disable
        set ips-sniffer-mode disable
        set ident-accept disable
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type vdom-link
        set netflow-sampler disable
        set sflow-sampler disable
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set proxy-captive-portal disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set egress-shaping-profile ''
        set ingress-shaping-profile ''
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set trunk disable
        set description "VRF9 to Main Network"
        set alias ''
        set security-mode none
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set measured-upstream-bandwidth 0
        set measured-downstream-bandwidth 0
        set bandwidth-measure-time 0
        set monitor-bandwidth disable
        set role undefined
        set snmp-index 55
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        set ip-managed-by-fortiipam disable
        set switch-controller-igmp-snooping-proxy disable
        set switch-controller-igmp-snooping-fast-leave disable
        config ipv6
            set ip6-mode static
            set nd-mode basic
            set ip6-address ::/0
            unset ip6-allowaccess
            set icmp6-send-redirect enable
            set ra-send-mtu enable
            set dhcp6-prefix-delegation disable
            set dhcp6-information-request disable
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set dhcp-relay-request-all-server disable
        set dhcp-client-identifier ''
        set dhcp-renew-time 0
        set idle-timeout 0
        set disc-retry-timeout 1
        set padt-retry-timeout 1
        set dns-server-override enable
        set dns-server-protocol cleartext
        set mtu-override disable
        set wccp disable
    next 
    edit "Coach21xxVR1"
        set vdom "root"
        set vrf 9
        set priority 1
        set dhcp-relay-interface-select-method auto
        set management-ip 0.0.0.0 0.0.0.0
        set ip 9.9.9.2 255.255.255.252
        set allowaccess ping https
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set l2forward disable
        set icmp-send-redirect enable
        set icmp-accept-redirect enable
        set reachable-time 30000
        set stpforward disable
        set ips-sniffer-mode disable
        set ident-accept disable
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type vdom-link
        set netflow-sampler disable
        set sflow-sampler disable
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set proxy-captive-portal disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set egress-shaping-profile ''
        set ingress-shaping-profile ''
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set trunk disable
        set description "VRF9 to Coach-21xx-VPN"
        set alias ''
        set security-mode none
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set measured-upstream-bandwidth 0
        set measured-downstream-bandwidth 0
        set bandwidth-measure-time 0
        set monitor-bandwidth disable
        set role undefined
        set snmp-index 56
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        set ip-managed-by-fortiipam disable
        set switch-controller-igmp-snooping-proxy disable
        set switch-controller-igmp-snooping-fast-leave disable
        config ipv6
            set ip6-mode static
            set nd-mode basic
            set ip6-address ::/0
            unset ip6-allowaccess
            set icmp6-send-redirect enable
            set ra-send-mtu enable
            set dhcp6-prefix-delegation disable
            set dhcp6-information-request disable
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set dhcp-relay-request-all-server disable
        set dhcp-client-identifier ''
        set dhcp-renew-time 0
        set idle-timeout 0
        set disc-retry-timeout 1
        set padt-retry-timeout 1
        set dns-server-override enable
        set dns-server-protocol cleartext
        set mtu-override disable
        set wccp disable
    next 

config router static
    edit 19
        set dst 10.21.xx.0 255.255.255.0
        set distance 2
        set device "Coach-21xx-VPN"
    next
    edit 25
        set dst 192.168.x.0 255.255.255.0
        set device "Coach-21xx-VPN"
    next
	edit 26
        set dst 10.21.xx.0 255.255.255.0
        set gateway 9.9.9.2
        set device "Coach21xxVR0"
    next
    edit 27
        set dst 10.245.x.0 255.255.0.0
        set gateway 9.9.9.1
        set device "Coach21xxVR1"
    next

config firewall policy
    edit 137
        set name "From-Coach-21xx"
        set uuid b5b7d240-e800-51ef-4171-878aba8052ae
        set srcintf "Coach-21xx-VPN"
        set dstintf "Coach21xxVR1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "Coach-21xx-Inbound"
    next
	edit 138
        set name "To-Coach-21xx"
        set uuid c43e1d3a-e803-51ef-4b5a-b4ec4f5068bc
        set srcintf "LAN-ZONE"
        set dstintf "Coach21xxVR0"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
	edit 148
        set name "From-Coach-21xx-VRF"
        set uuid 72195398-0406-51f0-6438-fe6175ed02f4
        set srcintf "Coach21xxVR0"
        set dstintf "LAN-ZONE"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 149
        set name "Coach-21xx-Outbound"
        set uuid 92188eac-0406-51f0-3fbd-c53fc159eee8
        set srcintf "Coach21xxVR1"
        set dstintf "Coach-21xx-VPN"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
	
config firewall ippool
    edit "Coach-21xx-Inbound"
        set type fixed-port-range
        set startip 10.21.xx.1
        set endip 10.21.xx.254
        set source-startip 192.168.x.1
        set source-endip 192.168.x.254
        set arp-reply disable
    next
end	
	
edit "Coach-21xx-VPN"
        set type ddns
        set interface "port15"
        set ip-version 4
        set ike-version 2
        set local-gw 4.31.x.186
        set keylife 14400
        set authmethod psk
        unset authmethod-remote
        set peertype any
        set net-device disable
        set passive-mode disable
        set exchange-interface-ip disable
        set aggregate-member disable
        set mode-cfg disable
        set proposal aes256-sha256
        set localid ''
        set localid-type auto
        set auto-negotiate enable
        set negotiate-timeout 30
        set fragmentation enable
        set ip-fragmentation post-encapsulation
        set dpd on-idle
        set forticlient-enforcement disable
        set comments ''
        set npu-offload enable
        set dhgrp 2
        set suite-b disable
        set eap disable
        set ppk disable
        set wizard-type custom
        set reauth disable
        set group-authentication disable
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set fgsp-sync disable
        set inbound-dscp-copy disable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set encapsulation none
        set nattraversal disable
        set fragmentation-mtu 1200
        set childless-ike disable
        set rekey enable
        set fec-egress disable
        set fec-ingress disable
        set network-overlay disable
        set remotegw-ddns "tarc-21xx.ridetarc.net"
        set monitor ''
        set add-gw-route disable
        set psksecret xxxxxx
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
	edit "Coach-21xx-VPN"
        set phase1name "Coach-21xx-VPN"
        set proposal aes256-sha256
        set pfs enable
        set ipv4-df disable
        set dhgrp 2
        set replay enable
        set keepalive disable
        set auto-negotiate disable
        set inbound-dscp-copy phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set encapsulation tunnel-mode
        set comments ''
        set initiator-ts-narrow disable
        set diffserv disable
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 14400
        set src-subnet 10.245.x.0 255.255.0.0
        set dst-subnet 192.168.x.0 255.255.255.0
    next

end

 
