IPsec with local IP different than subnet range.

Author
tsalmark
New Member
2019/11/03 13:30:33 (permalink)

IPsec with local IP different than subnet range.

I have a need for an IPsec tunnel between a remote company to a single vm server.
We have a Fortigate 300D connected to our vmware private cloud. 
The local IP used needs to be a specific private IP as picked by the other company.
We have the ipsec tunnel up and running.
We need two ports open (12000 and 12001)
Our internal network is 10.0.0.0/24
The local ipsec IP is 10.209.251.56
 
I'm not really sure where to start. Any suggestions or hints would be greatly appreciated.
 
We have the tunnel working.
I've created a Virtual IP with:
Interface: the named IPSec tunnel
Type: Static NAT
External IP: 10.209.251.56 (the local ipsec ip address)
Mapped IP Address: 10.0.0.60 (the vm's private IP)
There are ipv4 policies as created by the ipsec wizard.
I've tried to add another one to allow the traffic through to the vm.
Incoming Interface: named ipsec
Outgoing interface: internal interface (10.0.0.0/24)
Source: All (I'll lock down after initial test works)
Destination: the named virtual ip: 10.209.251.56->10.0.0.60
Services: named ports 12000 and 12001
I've tried NAT on and off.
 
What resources should I read or study? Do you have any ideas, solutions or hints?
Thank you
Mark
 
#1
Toshi Esumi
Expert Member
Re: IPsec with local IP different than subnet range. 2019/11/03 22:23:29 (permalink)
Either of those VIPs should work with NAT off on the policy. I would set VIP only for "ALL_ICMP" as well as the policy then run sniffer "diag sniffer packet any 'host SOURCE_IP_COMING_FROM' 4" at the FGT while pinging from the remote end. If you see it's coming in from the VPN and going out to the internal interface, the problem is on the VM side, not accepting the source IP. If you see coming in but not going out, you need to run "flow debug (diag debug flow)" to see why it's dropped by the FGT.
#2
tsalmark
New Member
Re: IPsec with local IP different than subnet range. 2019/11/04 13:27:20 (permalink)
Arigato/Thank you.
I now have the tunnel working.
 
But I need to NAT the outbound traffic to a single specific private ip address.
 
I've tried
config vpn IPsec phase2-interface
    edit "test tunnel"
        set natip 10.209.251.56 255.255.255.255
    next
end
 
but i'm getting a command parse error.
I don't see anywhere in the GUI to configure a NAT IP.
 
If anyone has a quick suggestion, I will happily accept. Else I'll close this ticket down as Toshi has helped me through the first hurdle.
#3
Toshi Esumi
Expert Member
Re: IPsec with local IP different than subnet range. 2019/11/04 13:56:57 (permalink)
I was talking about the inbound policy w/ the VIP. That doesn't need NAT. Outbound policy of course needs a (S)NAT to hide the VM's local IP.
But what you should be using for VIP and NAT is the interface IP of the VPN interface (same name with Phase1-Interface name). Not at the phase2-interface config.
 
config system interface
   edit "PHASE1-NAME"
      set ip 10.209.251.56 255.255.255.255
      set allowaccess ping
      set type tunnel
      set remote-ip x.x.x.x 255.255.255.255
      set interface WAN-INTERFACE
   next
end
 
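Putting the two replies together, here is the full set of objects the thread describes as an added example; it is not configuration from the original posts or from Fortinet. It assumes the tunnel interface is named PHASE1-NAME and the LAN interface "internal", and it uses placeholders where the thread gives no value: the remote company's subnet (REMOTE-NET, written as x.x.x.x) and TCP as the protocol for ports 12000/12001. The inbound path uses the VIP with NAT left off on the policy, as post #1 says; the outbound path relies on the tunnel interface carrying 10.209.251.56, as post #3 says, so plain NAT on that policy sources from it.

```fortios
# Tunnel interface carries the address the other company expects to see
config system interface
    edit "PHASE1-NAME"
        set ip 10.209.251.56 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip x.x.x.x 255.255.255.255
        set interface "WAN-INTERFACE"
    next
end

# Address objects (REMOTE-NET is a placeholder; the thread does not give it)
config firewall address
    edit "REMOTE-NET"
        set subnet x.x.x.x x.x.x.x
    next
    edit "vm-10.0.0.60"
        set subnet 10.0.0.60 255.255.255.255
    next
end

# Only the two application ports (assumed TCP)
config firewall service custom
    edit "app-12000-12001"
        set tcp-portrange 12000-12001
    next
end

# Inbound: remote sends to 10.209.251.56, FortiGate maps it to the VM
config firewall vip
    edit "vip-10.209.251.56-to-vm"
        set extintf "PHASE1-NAME"
        set extip 10.209.251.56
        set mappedip "10.0.0.60"
    next
end

config firewall policy
    # Inbound policy: destination is the VIP, NAT stays disabled
    edit 0
        set name "remote-to-vm"
        set srcintf "PHASE1-NAME"
        set dstintf "internal"
        set srcaddr "REMOTE-NET"
        set dstaddr "vip-10.209.251.56-to-vm"
        set action accept
        set schedule "always"
        set service "app-12000-12001"
        set nat disable
    next
    # Outbound policy: NAT enabled, so the VM is sourced from the
    # tunnel interface IP 10.209.251.56 set above
    edit 0
        set name "vm-to-remote"
        set srcintf "internal"
        set dstintf "PHASE1-NAME"
        set srcaddr "vm-10.0.0.60"
        set dstaddr "REMOTE-NET"
        set action accept
        set schedule "always"
        set service "app-12000-12001"
        set nat enable
    next
end
```

Two checks before calling it done. Policies are matched top-down, so the wizard-created policies must not sit above these with a broader match (move the new ones up if they do), and the phase 2 selectors on both ends must include 10.209.251.56 or the SNATed packets will never enter the tunnel. Post #1's sniffer, "diag sniffer packet any 'host REMOTE_HOST' 4", confirms the first; "diag debug flow" explains any drop it shows.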
#4
tsalmark
New Member
Re: IPsec with local IP different than subnet range. 2019/11/04 15:05:03 (permalink)
I have gotten NAT working as needed.
This is closed
 