Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tsalmark
New Contributor

IPsec with local IP different than subnet range.

I have a need for an IPsec tunnel between a remote company to a single vm server.

We have a Fortigate 300D connected to our vmware private cloud. 

The local IP used needs to be a specific private IP as picked by the other company.

We have the ipsec tunnel up and running.

We need two ports open (12000 and 12001)

Our internal network is 10.0.0.0/24 The local ipsec IP is 10.209.251.56

 

I'm not really sure where to start. Any sugestions or hints would be greatly appriciated.

 

We have the tunnel working. I've created a Virtual IP with: Interface: the named IPSec tunnel Type: Static NAT External IP: 10.209.251.56 (the local ipsec ip address) Mapped IP Adrdess: 10.0.0.60 (the vm's private IP) There are ipv4 policies as created by the ipsec wizard. I've tried to add another one to allow the traffic through to the vm. Incoming Interface: named ipsec Outgoing interface: internal interface (10.0.0.0/24) Source: All (I'll lock down after initial test works) Destination: the named virtual ip: 10.209.251.56->10.0.0.60 Services: named ports 12000 and 12001 I've tried NAT on and off.

 

What resources should I read or study? Do you hav any ideas, solutions or hints?

Thank you

Mark

 

4 REPLIES 4
Toshi_Esumi
Esteemed Contributor III

Either of those VIPs should work with NAT off on the policy. I would set VIP only for "ALL_ICMP" as well as the policy then run sniffer "diag sniffer packet any 'host SOURCE_IP_COMING_FROM' 4" at the FGT while pinging from the remote end. If you see it's coming in from the VPN and going out to the internal interface, the problem is on the VM side, not accepting the source IP. If you see coming in but not going out, you need to run "flow debug (diag debug flow)" to see why it's dropped by the FGT.

tsalmark

Arigato/Thank you.

I now have the tunnel working.

 

But I need to NAT the outbound traffic to a single specific private ip address.

 

I've tried

config vpn IPsec phase2-interface

    edit "test tunnel"

        set natip 10.209.251.56 255.255.255.255

    next

end

 

but i'm getting a command parse error.

I don't see anywhere in the GUI to configure a NAT IP.

 

If anyone has a quick suggestion, I will happily accept. Else I'll close this ticket down as Toshi has helped me thought the first hurdle.

Toshi_Esumi
Esteemed Contributor III

I was talking about the inbound policy w/ the VIP. That doesn't need NAT. Outbound policy of course need a (S)NAT to hide the VM's local IP.

But what you should be using for VIP and NAT is the interface IP of the VPN interface (same name with Phase1-Interface name). Not at the phase2-interface config.

 

config system interface

   edit "PHASE1-NAME"

      set ip 10.209.251.56 255.255.255.255

      set allowaccess ping

      set type tunnel

      set remote-ip x.x.x.x 255.255.255.255

      set interface WAN-INTERFACE

   next

end

 

tsalmark
New Contributor

I have gotten NAT working as needed.

This is closed

 

Labels
Top Kudoed Authors