Hi,
I created a site-to-site VPN between two Fortigate 100D (site1) and 60E (site2), I have on each site a Technicolor TG799 v2 ADSL router. Both Fortigate are implemented in NAT / Route mode behind the ADSL routers.
I used IPSec wizard on both sites to create the VPN, and I chose the option "This site is behind NAT". The configuration is bine correct as I followed exactly the cookbook guides and the videos Fortinet.
Unfortunately the VPN does not work, the tunnel status on both site is still "Inactive", I went on IPSec Monitor >> right click >> Bring UP but still does not work. I have the impression that the two fortigate failed to establish the ipsec tunnel. Please help me if you see where then I have the problem?
Is what I need to create a port forword on ADSL routers for a specific port? If so what is the port used by IPSec vpn?
You find in attach the diagram of my network.
I created another VPN Client with SSL, I opened port 443 on my ADSL router, all working correctly for my SSLVPN client.
thank you
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
As you might have noticed in the wizard it assumes only one side is behind NAT. Then you were supposed to put the public IP on the opposite side in the second screen. Otherwise neither side knows where to send the packet to in order to establish the tunnel over the internet. I recommend putting at least one of ADSL modems in bride/modem mode instead of router mode so that the FG can have the public IP from the ISP without NAT. If it's not static IP on that side, you have to use FortiGuard DDNS or something that won't change to be configured on the other side.
Hi Esumi
Thank you for your answer,
your analysis is correct, but my client already had this configuration with cisco asa, and I can not convince him that Fortigate can not establish a vpn behind an ADSL modem like cisco asa :).
And from a technical point of view my architecture must work because on each site I chose the NAT option and in the next image I see the design of the modem side of this site and on the other website I Do the same thing, if not why do Fortinet put this option if it does not work? !!! By cons I configured with other client that they also have ADSL router but other models and it works properly, is it matter of compatibility with the router? perhaps !!
best regards
You need to configure port forward for UDP 500 and UDP 4500. I'm not sure exactly which type of setup is working in your case, because two NAT firewalls is not a good starting point - maybe give it a try with DDNS and static VPNs, if this doesn't work configure a Dialup Tunnel and give it another shot.
Use the following commands to debug the implementation:
Are packets correctly transmitted/received:
diag sniffer packet any 'port 500 or port 4500' 4
Why is the VPN not coming up:
diag debug app ike -1
diag debug enable
If you need further help please post your configuration and the output of those commands
Edit: Also enable NAT Traversal of course
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1660 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.