How to connect two FortiGates with one NAT via IPsec
Hello, I am looking for a solution to a problem. I have 2 FortiGates connected via an IPsec tunnel, and I would like the second FortiGate to have the same network as the first one, but without NATing.
The first FortiGate, on which I have the entire network, is a FortiGate 100F. I would like to have several VLANs from this FortiGate on the second FortiGate 60, which is in the second location; they are connected by IPsec.
Is this possible to do?
Hi Alkal,
I didn't try it before, but VXLAN over IPsec could be your solution.
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/821119/vxlan-over-ipsec-tunnel
Hope it helps.
- Enable NAT Traversal: On both FortiGates, within the IPsec tunnel configuration, make sure to enable the "NAT Traversal" option. This allows the IPsec packets to traverse the NAT device by encapsulating the IP addresses properly.
- Public IP Addresses: When configuring the IPsec tunnel, use the public IP addresses assigned by the NAT device as the remote gateway addresses for each FortiGate.
- Firewall Rules: Ensure that your firewall policies on both FortiGates and the NAT device allow the necessary IPsec traffic to pass through.

1. Configure NAT Device:
   - Set up the NAT device to translate private IP addresses of your internal network to a single public IP address.
   - Allow IPsec traffic (UDP port 500 and 4500) through the NAT device.
2. Configure FortiGate 1:
   - Go to "VPN" > "IPsec Tunnels" and create a new tunnel.
   - Set the "Local Interface" to the interface connected to your internal network.
   - Set the "Remote Gateway" to the public IP address provided by the NAT device.
   - Enable "NAT Traversal".
   - Configure Phase 1 and Phase 2 parameters like pre-shared key, encryption algorithms, and network address ranges.
3. Configure FortiGate 2:
   - Repeat the steps from FortiGate 1, ensuring the "Remote Gateway" is set to the same public IP address provided by the NAT device.

- Compatibility: Verify that both FortiGate devices are running compatible firmware versions.
- Security Best Practices: Use strong encryption algorithms and authentication methods for the IPsec tunnel.
- Troubleshooting: If connections are not established, check the NAT configuration, firewall rules, and ensure both FortiGates have the same NAT Traversal settings.
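As an added illustration (not code from this thread, the linked cookbook or Fortinet), this is one side of the VXLAN-over-IPsec tunnel suggested earlier, with the NAT traversal setting from the steps above, in FortiOS CLI. It assumes both units are in NAT mode so that interface-based phase1/phase2 objects are available, that the VLAN interface to be extended can be made a software-switch member, and that every name, VLAN ID and address is a constructed placeholder (203.0.113.0/24 is a documentation range).

```fortios
# Hub (FortiGate 100F) side. The branch FortiGate 60 mirrors this with the
# local/remote values swapped. All names, VLAN ID and addresses are
# constructed placeholders; replace the pre-shared key before use.

# Phase 1: interface-based tunnel that carries Ethernet frames (VXLAN)
# instead of routed IP, so no NAT is needed between the two sites.
config vpn ipsec phase1-interface
    edit "vxlan-branch"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        # keeps IKE/ESP working when a NAT device sits in front of a peer (UDP 500/4500)
        set nattraversal enable
        # transport VXLAN inside the tunnel; VXLAN endpoints are the IKE gateway addresses
        set encapsulation vxlan
        set encapsulation-address ike
        set remote-gw 203.0.113.20
        set psksecret <pre-shared-key>
    next
end

config vpn ipsec phase2-interface
    edit "vxlan-branch"
        set phase1name "vxlan-branch"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end

# The VLAN that should appear at the branch. A software-switch member must
# not be referenced by other objects, which is exactly the obstacle the
# original poster reports on the 100F (VLANs on an aggregate with references).
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "port1"
        set vlanid 10
    next
end

# Bridge the local VLAN with the tunnel; frames entering vlan10 are
# switched across the IPsec tunnel to the branch's matching switch.
config system switch-interface
    edit "sw-vlan10"
        set vdom "root"
        set member "vlan10" "vxlan-branch"
    next
end
```

On the branch side the same software switch groups the tunnel with the port facing the local LAN, so hosts at both sites share the VLAN's broadcast domain and addressing.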
I don't understand how it would work. I would have to see it in an example.
The FortiGates are in two separate branches. VXLAN is unfortunately not possible on the FortiGate 100F; I don't have the possibility to change the current port configuration. I was thinking more about transparent mode.
I don't see how you can resolve it with transparent mode.
Furthermore, if my memory is good, there is no VPN in transparent mode.
If VXLAN is not available on the 100F, then I think your last option is to use DNAT on both sides.
In transparent mode on OS 7.2.9 you can set up IPsec, but there is no phase1-interface and phase2-interface; there is only phase1 and phase2.
My problem with VXLAN is that I can't make a virtual switch on the FortiGate 100 side, where I have an aggregation and all VLANs on this aggregation; these VLANs already have other references that I can't remove.
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/821119/vxlan-over-ipsec-tunnel
In that case does the interface migration wizard help?
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/885870/interface-migration-wizard
I can't migrate it because the aggregation where these VLANs are is connected to the core switch, and they are used in the network in the first location.
