Support Forum
AroundTheCorner
New Contributor

VPN to Checkpoint with encryption domain outside local network

Hello,

Being a network-admin-by-accident I'm facing the following issue:

I have to establish a VPN connection to a bank. On their end they have a Checkpoint; me, I'm enjoying the cosy world of FortiGate. They provided me with an encryption domain, which is not part of my local network. From what I understood, with Checkpoint the encryption domain would be the remote network (from Checkpoint's point of view).

I'll try to describe what the setup looks like:

192.168.1.1/24 (local network) -> 10.11.12.13/32 (encryption domain) -> 172.16.17.0/24 (remote network)

I successfully established the tunnel:


diagnose vpn tunnel list name VPN_CHECKPOINT
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=VPN_CHECKPOINT ver=2 serial=9 1.2.3.4:0->4.3.2.1:0 dst_mtu=1500
bound_if=22 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=11 ilast=18 olast=27432 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN_CHECKPOINT proto=0 sa=1 ref=2 serial=7 auto-negotiate
  src: 0:10.11.12.13:0
  dst: 0:172.16.17.0/255.255.255.0:0
  SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=867/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=3301/3600
  dec: spi=897b04f1 esp=aes key=32 4bf69c3e0baf81058168d547b657cb8611ff97befd9c97d116610abe73b7c147
       ah=sha256 key=32 7eca988a785b9b0fbfce12088310eb2b75f8735d5b3e9eb5b6c0f5a4fcc62776
  enc: spi=7be52b29 esp=aes key=32 5b222fef11a9c32bfc3917d7f48487e0aed2133b5a235ba7b50283c8f32cc0c2
       ah=sha256 key=32 d5ed971452e8434548f71f51787a2858b3c03587f2166448ac6c4e7fe62c6c08
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=4.3.2.1 npu_lgwy=1.2.3.4 npu_selid=18 dec_npuid=0 enc_npuid=0
run_tally=1


Where I fail is setting up the rules/routing. How do I tell the FortiGate to route all traffic to 172.16.17.0/24 via this specific VPN and NAT everything with IP 10.11.12.13?

Any help is appreciated.

Regards

1 Solution
emnoc
Esteemed Contributor III

easy as 1-2-3

First you need a route pointed out the interface named in your phase1-interface:

config router static
    edit 0
        set dst 172.16.17.0/24
        set device "VPN_CHECKPOINT"
    next
end

Next, I would set up an IP NAT pool and use that in your fwpolicy, plus a network object:

config firewall ippool
    edit "10.11.12.13"
        set startip 10.11.12.13
        set endip 10.11.12.13
    next
end

config firewall address
    edit "172.16.17.0_24"
        set subnet 172.16.17.0/24
    next
end

And last, a policy that allows traffic (add what you need for services):

config firewall policy
    edit 0
        set srcintf "BLAHBLAH"
        set dstintf "VPN_CHECKPOINT"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set ippool enable
        set poolname "10.11.12.13"
    next
end

And monitor the policy on the firewalls.

On the Checkpoint they should see an inbound_SPI from your peer for 10.11.12.13, e.g. from the expert CLI:

fw tab -t inbound_SPI -f -m | grep 10.11.12.13
fw tab -t vpn_routing -f -m | grep 10.11.12.13

or

vpn shell /show/tunnel/ike/peer all | grep -C 8 < public address or name of vpn-community >
vpn shell /show/tunnel/ipsec/peer all | grep -C 8 < public address or name of vpn-community >

My bill rate is 180 p/hr ;)

Ken Felix
PCNSE NSE StrongSwan
4 REPLIES 4
AroundTheCorner

Ken,

You just made my day.
Worked like a charm!

Thanks a lot for your help and if ever I need paid help I surely will get back to you.

Enjoy your evening (for me it's time to go to bed, I'm in Europe ;))

Cheers!
Simon

emnoc
Esteemed Contributor III

good

Just remember to always use the post-NAT address in the phase2/vpn-communities.

Ken Felix
PCNSE NSE StrongSwan
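The accepted answer's route/pool/policy recipe and the reminder above (phase 2 must carry the post-NAT address) can be sanity-checked against the FortiGate's own `diagnose vpn tunnel list` output. This is an added example in Python, not code from the thread or from Fortinet; it assumes the `src:`/`dst:` selector and `dec:pkts/bytes` counter line formats shown in the question's output, and feeds a constructed copy of those lines as input.

```python
"""Check a FortiGate phase-2 selector against the NAT pool and remote subnet,
reading the text of `diagnose vpn tunnel list`. Added example, not thread or
Fortinet code; the sample is constructed from the question's listing."""
import ipaddress
import re

# Constructed sample: selector and counter lines from the thread (keys omitted).
SAMPLE = """\
name=VPN_CHECKPOINT ver=2 serial=9 1.2.3.4:0->4.3.2.1:0 dst_mtu=1500
proxyid=VPN_CHECKPOINT proto=0 sa=1 ref=2 serial=7 auto-negotiate
  src: 0:10.11.12.13:0
  dst: 0:172.16.17.0/255.255.255.0:0
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
"""

# "src: 0:<ip>[/<mask>]:0" -- a bare IP is a /32 host selector.
SEL_RE = re.compile(r"^\s*(src|dst): 0:([\d.]+)(?:/([\d.]+))?:0$", re.M)
CNT_RE = re.compile(r"dec:pkts/bytes=(\d+)/\d+, enc:pkts/bytes=(\d+)/\d+")

def parse_selectors(text):
    """Return {'src': network, 'dst': network} from the proxyid lines."""
    sel = {}
    for kind, ip, mask in SEL_RE.findall(text):
        sel[kind] = ipaddress.ip_network(f"{ip}/{mask or '32'}", strict=False)
    return sel

def parse_counters(text):
    """Return (decrypted_pkts, encrypted_pkts) for the child SA."""
    m = CNT_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)

def check_tunnel(text, pool_ip, remote_subnet):
    """List problems: selector not equal to the post-NAT pool address or the
    remote subnet, or an SA that is up but has never carried a packet."""
    problems = []
    sel = parse_selectors(text)
    pool = ipaddress.ip_network(f"{pool_ip}/32")
    remote = ipaddress.ip_network(remote_subnet)
    if sel.get("src") != pool:
        problems.append(f"phase2 src {sel.get('src')} != NAT pool {pool}")
    if sel.get("dst") != remote:
        problems.append(f"phase2 dst {sel.get('dst')} != remote {remote}")
    if parse_counters(text) == (0, 0):
        problems.append("SA up but no packets yet: check route, policy, NAT")
    return problems

if __name__ == "__main__":
    for p in check_tunnel(SAMPLE, "10.11.12.13", "172.16.17.0/24"):
        print(p)
```

Run it against the real listing once the policy is in place: the selector checks should pass and the counter warning should disappear as soon as the first packet is NATted into the tunnel.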
johnl
New Contributor

Hi.

You will need to create an IP pool whereby you map your external subnet to your local LAN.

Then, create a VIP to NAT one-to-many.

Then, update this VIP group on the outgoing policy under NAT "Use Dynamic IP Pool". Then in the incoming policy, change your destination to the IP pool. Done.
