Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Alkal
New Contributor

Created on ‎09-10-2024 11:08 PM Edited on ‎09-11-2024 03:51 AM

how to connect two fortigates with one nat via ipsec

Hello, I am looking for a solution to the problem, I have 2 fortigates connected via an Ipsec tunnel, I would like the second fortigate to have the same network as the first one but without nating.

the first fortigate on which I have the entire network is fortigate 100f, I would like to have several vlans from this fortigate on the second fortigate 60 which is in the second location and they are connected by ipsec

is this possible to do?

 Zrzut ekranu 2024-09-11 124818.png

 

Labels:
1495
0 Kudos
10 REPLIES 10
AEK
SuperUser
SuperUser

Created on ‎09-11-2024 01:35 AM

Hi Alkal

Didn't try it before but VxLAN over IPsec could be your solution.

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/821119/vxlan-over-ipsec-tunnel

Hope it helps.

AEK
AEK
1257
kmohan
Staff
Staff

Created on ‎09-11-2024 02:43 AM

To connect two Fortigates with a single NAT device using IPsec, you need to configure both Fortigates to utilize "NAT Traversal" in their IPsec settings, ensuring that the NAT device is properly configured to allow IPsec traffic, and then establish the IPsec tunnel between the Fortigates, specifying the public IP addresses provided by the NAT device as the remote gateways for each FortiGate; essentially, both Fortigates will communicate through the NAT device while using IPsec encryption for secure data transfer. 
 
 
Key points to remember: 
 
 
  • Enable NAT Traversal:
    On both Fortigates, within the IPsec tunnel configuration, make sure to enable the "NAT Traversal" option. This allows the IPsec packets to traverse the NAT device by encapsulating the IP addresses properly. 
     
     
  • Public IP Addresses:
    When configuring the IPsec tunnel, use the public IP addresses assigned by the NAT device as the remote gateway addresses for each FortiGate. 
     
     
  • Firewall Rules:
    Ensure that your firewall policies on both FortiGates and the NAT device allow the necessary IPsec traffic to pass through. 
     
     
Steps to configure: 
 
 
  1. 1. Configure NAT Device: 
     
     
    • Set up the NAT device to translate private IP addresses of your internal network to a single public IP address. 
       
       
    • Allow IPsec traffic (UDP port 500 and 4500) through the NAT device. 
       
       
  2. 2. Configure FortiGate 1: 
     
     
    • Go to "VPN" > "IPsec Tunnels" and create a new tunnel. 
       
       
    • Set the "Local Interface" to the interface connected to your internal network. 
       
       
    • Set the "Remote Gateway" to the public IP address provided by the NAT device. 
       
       
    • Enable "NAT Traversal". 
       
       
    • Configure Phase 1 and Phase 2 parameters like pre-shared key, encryption algorithms, and network address ranges. 
       
       
  3. 3. Configure FortiGate 2: 
     
     
    • Repeat the steps from FortiGate 1, ensuring the "Remote Gateway" is set to the same public IP address provided by the NAT device. 
       
       
Important Considerations: 
 
 
  • Compatibility:
    Verify that both FortiGate devices are running compatible firmware versions. 
     
     
  • Security Best Practices:
    Use strong encryption algorithms and authentication methods for the IPsec tunnel. 
     
     
  • Troubleshooting:
    If connections are not established, check the NAT configuration, firewall rules, and ensure both FortiGates have the same NAT Traversal settings. 
Karthick
1235
0 Kudos
Alkal
New Contributor
In response to kmohan

Created on ‎09-11-2024 03:52 AM

I don't understand how it would work I would have to see it on some example

1208
0 Kudos
Alkal
New Contributor

Created on ‎09-11-2024 03:36 AM Edited on ‎09-11-2024 03:49 AM

fortigate are in two separate branches, xvlna unfortunately not possible on fortigate 100f I don't have the possibility to change the current port configuration I was thinking more about transparent mode

Zrzut ekranu 2024-09-11 124818.png

 

 

 

1219
0 Kudos
AEK
SuperUser
SuperUser
In response to Alkal

Created on ‎09-11-2024 05:20 AM

I don't see how you can resolve it with transparent mode.

Furthermore if my memory is good there is no VPN in transparent mode.

If VxLAN is not available in 100F then I think your last option is to use DNAT on both sides.

AEK
AEK
1169
0 Kudos
Alkal
New Contributor
In response to AEK

Created on ‎09-11-2024 05:46 AM

in transparent mode on os 7.2.9 you can set up IPsec but there is no phase1-interface and phase2-interface, there is only phase1 and phase2

1159
0 Kudos
Alkal
New Contributor

Created on ‎09-11-2024 05:39 AM

my problem with XVlan is that I can't make a virtual switch on the fortigate 100 side where I have an aggregation and all vlans on this aggregation, these vlans already have other references that I can't remove

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/821119/vxlan-over-ipsec-tunnel

1162
0 Kudos
AEK
SuperUser
SuperUser
In response to Alkal

Created on ‎09-11-2024 05:56 AM

In that case does the interface migration wizard help?

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/885870/interface-migration-wizard

 

AEK
AEK
1156
0 Kudos
Alkal
New Contributor
In response to AEK

Created on ‎09-11-2024 06:15 AM

I can't migrate it because the aggregation where these vlans are is connected to the core switch and they are used in the network in the first location

1151
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.