Unable to configure behind-NAT Fortigate IPsec VPN with GCP

Author
Timor
2020/01/23 02:38:17 (permalink)


Hello,

We have cloud services in Google Cloud (GCP) and we are trying to configure a VPN between our new offices and GCP.
 
The difference between our old offices and the new ones is that now we are behind NAT, whereas in the old offices we were facing the Internet directly.
 
Our new offices are doing 1-to-1 NAT with our Fortigate.
Our Fortigate is a 90E, v5.4.1.
GCP supports 1-to-1 NAT with VPN peers, but it requires the peer to identify itself with a public IP.
https://cloud.google.com/vpn/docs/support/troubleshooting#gateways_behind_nat
 
Because it is behind NAT, our Fortigate identifies itself with its private IP, which GCP rejects during IKEv2 authentication.
I have tried playing with local-gw, localid and nat-traversal, but nothing helped when it comes to authentication with GCP Cloud VPN.
 
Please Help.
 
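For readers hitting the same IKEv2 identity rejection, this is what the three knobs named above look like together in a phase1-interface stanza. It is an added illustration, not configuration from the poster (who reports that these settings did not resolve it on 5.4.1); the tunnel name, interface, addresses and PSK are placeholders, and `localid-type` and the unhyphenated `nattraversal` keyword are assumed FortiOS CLI names that the thread itself does not mention.

```fortios
# Added illustration: FortiGate behind 1-to-1 NAT, presenting the public
# (post-NAT) address as its IKEv2 identity towards GCP Cloud VPN.
config vpn ipsec phase1-interface
    edit "to-gcp"
        set interface "wan1"              # placeholder WAN interface
        set ike-version 2
        set nattraversal enable           # assumed keyword; keep NAT-T on behind NAT
        set local-gw 192.0.2.10           # placeholder: FortiGate's private WAN address
        set localid "203.0.113.5"         # placeholder: the office's public 1-to-1 NAT address
        set localid-type address          # assumed keyword: send the ID as an IPv4 address, not as a key-id string
        set remote-gw 198.51.100.20       # placeholder: GCP Cloud VPN gateway address
        set psksecret "<PLACEHOLDER-PSK>" # must match the GCP tunnel's shared secret
    next
end
```

After bringing the tunnel up, the IKE debug output is the place to confirm which identity is actually sent; if it still shows the private address, the identity setting is not taking effect regardless of what the NAT router forwards.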
#1
NetFire
Re: Unable to configure behind-NAT Fortigate IPsec VPN with GCP 2020/01/23 03:18:55 (permalink)
Did you open UDP ports 500-4500 on the NAT router?
#2
Timor
Re: Unable to configure behind-NAT Fortigate IPsec VPN with GCP 2020/01/23 03:23:24 (permalink)
Yes, as we are 1-to-1 NAT, meaning that we have a dedicated public IP for the office provider, and all traffic arriving at this address is redirected to our Fortigate's private IP address.
#3
NetFire
Re: Unable to configure behind-NAT Fortigate IPsec VPN with GCP 2020/01/23 06:26:42 (permalink)
Ok, same as my scenario.
 
In our offices we had two types of routing:
- NATted modem/router with virtual IP/virtual server: Fortigates are behind them, with a private WAN IP
- Transparent LAN port on the modem/router: the Fortigate is connected to a physical LAN port on the router and has a public WAN IP.
 
If you can, you must set up transparent IP mode on one LAN port of the modem/router, where the public IP passes through as-is.
In this case you must have one IP for the modem/router and one IP for the Fortigate, and each modem/router port must be set as an interface instead of a switch.
 
Which modem/router do you have?
#4
Timor
Re: Unable to configure behind-NAT Fortigate IPsec VPN with GCP 2020/01/26 04:13:17 (permalink)
Our office provider has a Cisco Meraki MX router.
Thanks
#5