Set up vpn interface behind NAT

Author
Eugene Belyayev
New Member
2020/06/11 04:01:47 6.2

Set up vpn interface behind NAT

Hello there. I'm trying to set up a VPN tunnel with the interface behind NAT. Our main connection uses a PPPoE interface which is basically directly connected to the FortiGate, and it works fine. The backup connection, though, is behind an ADSL modem, so it uses a private IP as a source. I made port forwards for 500 and 4500 on the ADSL modem, but it's still down. I'd really appreciate any help, since I'm not a network engineer and I'm kinda new to Fortinet.
Here are the diag commands:
diag vpn ike gateway
vd: root/0
name: BACKUP_Connection_btk
version: 1
interface: wan1 5
addr: 192.168.100.2:500 -> 3*.**.***.***:500
created: 20s ago
IKE SA: created 1/1
IPsec SA: created 0/0

id/spi: 22767 796fed2d927050f4/0000000000000000
direction: initiator
status: connecting, state 3, started 20s ago

diag vpn tunnel list
name=BACKUP_Connection_btk ver=1 serial=5 192.168.100.2:0->3*.**.***.*** dst_mtu=0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=9 ilast=23 olast=23 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=MSQtoCER350_btk proto=0 sa=0 ref=1 serial=3
src: 0:10.100.0.0/255.255.0.0:0
dst: 0:10.31.0.0/255.255.0.0:0 0:10.0.19.0/255.255.255.0:0 0:10.1.19.0/255.255.255.0:0 0:10.198.0.0/255.255.0.0:0 0:10.55.1.0/255.255.255.0:0 0:10.31.18.0/255.255.255.0:0

Thank you!
Eugene Belyayev
IT Administration
#1
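The diag output above can be checked mechanically. What follows is an added example, not code from the original post or from Fortinet: a small Python script that parses the two command outputs in the shape shown here (with the redacted peer address replaced by a constructed documentation address) and flags the three things a reviewer would look at first: a private local address while natt mode=none, a responder SPI that is still all zeros (nothing has come back from the peer yet), and an IKE SA entry without any IPsec SA while the status is still connecting. A second, constructed sample of an established tunnel shows the same checks staying quiet.

```python
"""Triage of 'diag vpn ike gateway' and 'diag vpn tunnel list' output.
Added example, not code from the original post or from Fortinet."""
import ipaddress
import re

# Constructed samples. The first mirrors the output in the post, with the
# redacted peer address replaced by a documentation address (RFC 5737).
STUCK_GATEWAY = """\
vd: root/0
name: BACKUP_Connection_btk
version: 1
interface: wan1 5
addr: 192.168.100.2:500 -> 198.51.100.7:500
created: 20s ago
IKE SA: created 1/1
IPsec SA: created 0/0

id/spi: 22767 796fed2d927050f4/0000000000000000
direction: initiator
status: connecting, state 3, started 20s ago
"""
STUCK_TUNNEL = """\
name=BACKUP_Connection_btk ver=1 serial=5 192.168.100.2:0->198.51.100.7 dst_mtu=0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
"""
# Second sample: the same gateway after a negotiation that completed through
# NAT (SPIs, status and natt values are constructed for the example).
UP_GATEWAY = """\
name: BACKUP_Connection_btk
version: 1
addr: 192.168.100.2:4500 -> 198.51.100.7:4500
IKE SA: created 1/1
IPsec SA: created 1/1

id/spi: 22768 1c9f0a7b55e2d3c0/8a41be02d7f36c11
direction: initiator
status: established, since 2020-06-11 04:20:11
"""
UP_TUNNEL = """\
name=BACKUP_Connection_btk ver=1 serial=5 192.168.100.2:4500->198.51.100.7:4500 dst_mtu=1500
natt: mode=keepalive draft=32 interval=10 remote_port=4500
"""


def _first(pattern, text, default=None):
    """Groups of the first line-anchored match of pattern in text, or default."""
    m = re.search(pattern, text, re.M)
    return m.groups() if m else default


def parse_ike_gateway(text):
    """Pull the fields the triage needs out of 'diag vpn ike gateway'."""
    addr = _first(r"^addr:\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)", text)
    if addr is None:
        raise ValueError("no 'addr:' line in gateway output")
    local_ip, local_port, remote_ip, remote_port = addr
    ike_created, = _first(r"^IKE SA:\s+created\s+(\d+)/\d+", text, ("0",))
    ipsec_created, = _first(r"^IPsec SA:\s+created\s+(\d+)/\d+", text, ("0",))
    ispi, rspi = _first(r"^id/spi:\s+\d+\s+([0-9a-f]+)/([0-9a-f]+)", text, ("", ""))
    status, = _first(r"^status:\s+(\w+)", text, ("unknown",))
    return {
        "local_ip": local_ip, "local_port": int(local_port),
        "remote_ip": remote_ip, "remote_port": int(remote_port),
        "ike_sa": int(ike_created), "ipsec_sa": int(ipsec_created),
        "initiator_spi": ispi, "responder_spi": rspi, "status": status,
    }


def parse_natt_mode(text):
    """Return the natt mode from 'diag vpn tunnel list' (e.g. 'none')."""
    mode, = _first(r"^natt:\s+mode=(\S+)", text, ("unknown",))
    return mode


def triage(gateway_text, tunnel_text):
    """Return a list of finding codes; an empty list means nothing stood out."""
    gw = parse_ike_gateway(gateway_text)
    natt = parse_natt_mode(tunnel_text)
    findings = []
    # A private local address means this FortiGate sits behind NAT, so the
    # peer sees a different source address than the one negotiated here.
    if ipaddress.ip_address(gw["local_ip"]).is_private and natt == "none":
        findings.append("NATT_OFF_BEHIND_NAT")
    # The responder SPI stays all zeros until the peer's first reply arrives;
    # if it is still zero, nothing has come back yet ("one way").
    if gw["responder_spi"] and set(gw["responder_spi"]) == {"0"}:
        findings.append("NO_REPLY_FROM_PEER")
    # An IKE SA entry exists but no IPsec SA, and the gateway is not
    # established: the negotiation has not completed.
    if gw["ike_sa"] > 0 and gw["ipsec_sa"] == 0 and gw["status"] != "established":
        findings.append("NO_IPSEC_SA")
    return findings


if __name__ == "__main__":
    print("stuck:", triage(STUCK_GATEWAY, STUCK_TUNNEL))
    print("up:", triage(UP_GATEWAY, UP_TUNNEL))
```

The checks only read what the two commands print; they do not replace the IKE debug from the KB article linked below, which is what actually shows whether anything arrives from the peer.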

13 Replies

    Toshi Esumi
    Expert Member
    Re: Set up vpn interface behind NAT 2020/06/11 09:32:45
    Looks like one way. You need to run IKE debugging in the KB.
    https://kb.fortinet.com/kb/documentLink.do?externalID=FD46611
    That would tell if it's receiving something, or nothing.
    #2
    sw2090
    Expert Member
    Re: Set up vpn interface behind NAT 2020/06/15 06:07:30
    Also you should check whether your WAN interface has a static WAN IP or not. If not, you have to use some DynDNS service, because the client needs a static remote gateway. If your FGT is using Fortinet DNS servers you could do that with the built-in FortiDDNS service.
    #3
    sw2090
    Expert Member
    Re: Set up vpn interface behind NAT 2020/06/15 06:07:32
    Also with some ptp IPsec tunnels between FortiGates I ran into issues of IKE creating "dead ends" if the other end is not yet available, due to Phase 1 autonegotiation preventing the VPN from coming up. IKE debugging helped here.
     
    Sorry for the multiplication of my post. It wasn't my intention, but some unexpected malfunction of the forum software.
    #7
    James_G
    Gold Member
    Re: Set up vpn interface behind NAT 2020/06/15 06:19:29
    Is your backup link dedicated to just this fortigate, if so I would swap the router for a Draytek vigor 130 modem and just have a pppoe connection.
     
    Thoughts?
    #9
    sw2090
    Expert Member
    Re: Set up vpn interface behind NAT 2020/06/15 07:36:36
    Hm, I am removing the PPPoE direct connections and replacing those modems with Lancom routers that do PPPoE on their DSL interface and connect to my FGTs via Ethernet.
    IPsec works fine with that. You only need the port forwards (UDP 500 for IPsec and UDP 4500 for NAT traversal) if you want to be able to establish the VPN from outside.
    For the FGT's ability to establish it from inside they don't matter.
    You just need policies and maybe routes, or even do IPsec mode config if you don't want all traffic to go over the tunnel.
    #10
    James_G
    Gold Member
    Re: Set up vpn interface behind NAT 2020/06/15 09:31:03
    Does that still use main mode IKE when you pass through NAT?
     
    Edit: possibly not an issue with IKEv2.
    #11
    sw2090
    Expert Member
    Re: Set up vpn interface behind NAT 2020/06/16 00:03:51
    Just looked into one of mine:
     
    config vpn ipsec phase1-interface
        edit "tunnel phase1 name"
            set interface "port15"
            set ike-version 2
            set keylife 3600
            set peertype any
            set proposal aes256-sha256
            set negotiate-timeout 15
            set dpd on-idle
            set npu-offload disable
            set dhgrp 14
            set nattraversal disable
            set remote-gw <ip of gw>
            set psksecret ENC <hash>
            set dpd-retryinterval 5
        next
    end
    #12
    sw2090
    Expert Member
    Re: Set up vpn interface behind NAT 2020/06/16 00:05:01
    config vpn ipsec phase2-interface
        edit "phase name"
            set phase1name "phase1 name"
            set proposal aes256-sha256
            set dhgrp 14
            set keepalive enable
            set keylifeseconds 1800
        next
    end
     
    #13
    sw2090
    Expert Member
    Re: Set up vpn interface behind NAT 2020/06/16 00:06:23
    On this one I am using IKEv2. It is not using mode config and it does not use phase 2 selectors (in the GUI you would see 0.0.0.0/0.0.0.0 there), as I don't need them because my static routes plus policies specify what goes over the tunnels.
     
    Both ends are behind external (Lancom) Routers with NAT and it even works without using NAT Traversal here :)
     
    This works fine here.
     
    #14
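James_G's question about IKE mode through NAT and sw2090's remark that the tunnel comes up even without NAT traversal both turn on how the peers detect a NAT in the first place. The following is an added example, not code from this thread, from Fortinet or from any IKE implementation: it works through the IKEv2 NAT detection of RFC 7296 section 2.23 (IKEv2 being what sw2090's config uses) for the topology in the original post. The initiator SPI is the one shown in the post's diag output; the modem's public address, the remote gateway address and the PPPoE address are constructed from the RFC 5737 documentation ranges.

```python
"""IKEv2 NAT detection (RFC 7296, section 2.23) for the topology in this
thread. Added example; not code from the post, from Fortinet or from any IKE
implementation. Peer, modem and PPPoE addresses are constructed.

Each IKE_SA_INIT message carries NAT_DETECTION_SOURCE_IP and
NAT_DETECTION_DESTINATION_IP notifications, each a SHA-1 digest over
SPIi | SPIr | IP address | UDP port. The receiver recomputes both digests
over the addresses it actually sees on the packet; a mismatch means a NAT
rewrote them, and the peers then move to UDP 4500 with UDP-encapsulated ESP.
"""
import hashlib
import ipaddress
import struct

# Initiator SPI as shown in the post's 'diag vpn ike gateway' output.
SPI_I = bytes.fromhex("796fed2d927050f4")
SPI_R_UNSET = bytes(8)  # responder SPI is zero in the first IKE_SA_INIT message

INITIATOR_PRIVATE = ("192.168.100.2", 500)  # FortiGate wan1, from the post
INITIATOR_PUBLIC = ("203.0.113.10", 500)    # constructed: modem's address after NAT
PPPOE_PUBLIC = ("192.0.2.5", 500)           # constructed: the direct PPPoE link
RESPONDER = ("198.51.100.7", 500)           # constructed: the remote gateway


def nat_detection_hash(spi_i, spi_r, ip, port):
    """SHA-1(SPIi | SPIr | IP | port), with the SPIs in IKE header order."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def initiator_notifications(spi_i, src, dst):
    """Notifications the initiator places in its IKE_SA_INIT request.

    It hashes the addresses as it knows them: its own interface address
    (the private one, for the backup link) and the gateway it sends to."""
    return {
        "NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, SPI_R_UNSET, *src),
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, SPI_R_UNSET, *dst),
    }


def responder_check(spi_i, notifs, seen_src, own_addr):
    """Responder side: compare the received digests with digests over the
    source address actually seen on the packet and over its own address."""
    src_ok = notifs["NAT_DETECTION_SOURCE_IP"] == nat_detection_hash(
        spi_i, SPI_R_UNSET, *seen_src)
    dst_ok = notifs["NAT_DETECTION_DESTINATION_IP"] == nat_detection_hash(
        spi_i, SPI_R_UNSET, *own_addr)
    return {
        "peer_behind_nat": not src_ok,  # initiator's source was rewritten en route
        "self_behind_nat": not dst_ok,  # our address differs from what the peer targeted
        "use_udp_encapsulation": not (src_ok and dst_ok),
    }


def run_scenario(initiator_addr, seen_by_responder):
    """One IKE_SA_INIT exchange: the initiator hashes initiator_addr, the
    responder recomputes over seen_by_responder (what arrived after NAT)."""
    notifs = initiator_notifications(SPI_I, initiator_addr, RESPONDER)
    return responder_check(SPI_I, notifs, seen_by_responder, RESPONDER)


if __name__ == "__main__":
    print("backup link behind ADSL NAT:", run_scenario(INITIATOR_PRIVATE, INITIATOR_PUBLIC))
    print("direct PPPoE link, no NAT:  ", run_scenario(PPPOE_PUBLIC, PPPOE_PUBLIC))
```

The port forward on the modem delivers the responder's replies to the FortiGate, but it does not undo the rewrite of the source address, so the responder still sees the modem's address and the source digest does not match. That is why the forward for UDP 4500 matters as well: once either side is detected behind NAT, the rest of the exchange and the ESP traffic move to that port.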