A service for WAN on a server behind 2 fortigates with IPSec VPN between them

Author
rreimche
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/08/03 11:31:01
  • Status: offline
2021/08/04 03:45:32 (permalink) 5.2
0


Hello dear Fortinet Community,
 
I am new to Fortigates and I have the case depicted in the attached picture: a server in LAN 2 (Interface L2) behind the Fortigate 2 (FortiWiFi 60CX-ADSL-A, Firmware v5.2.15,build766 (GA)) which is being addressed from WAN (Interface W) through the Fortigate 1 (FortiWiFi 60CX-ADSL-A, Firmware v5.2.15,build766 (GA)) and IPSec VPN (Interfaces V1, V2, which are the VPN interfaces). The server runs a number of services that should be accessible from WAN. Let's take FTP as one example.
 
I have the following relevant policies of the Fortigate 1.
 
F1.I. WAN - V1: Source: all; Destination: Server (Virtual IP); Schedule: always; Service: FTP; Action: accept; NAT: enable.
F1.II: V1 - WAN: Source: all; Destination: all; Schedule: always; Service: all; Action: accept; NAT: enable.
 
The Virtual IP object "Server" has the following configuration:

Interface: W1,
Type: static NAT,
Source Address Filter: disabled,
External IP Address/Range: 0.0.0.0 - 0.0.0.0
Internal IP Address/Range: xxx.yyy.zzz.nnn - xxx.yyy.zzz.nnn (the IP Address of the Server in LAN 2)
Port Forwarding: enabled,
Protocol: TCP,
External Service Port: 21 - 21
Internal Service Port: 21 - 21
 
Besides that, I have the following relevant policies on the Fortigate 2.
 
F2.I V2 - L2: Source: all; Destination: Server (Address); Schedule: always; Service: FTP; Action: accept; NAT: disable.
F2.II L2 - V2: Nothing... but should I have an accepting policy for Server -> all?
 
The Address object "Server" has the following configuration:

Type: IP/Netmask,
Subnet / IP Range: xxx.yyy.zzz.nnn (the IP Address of the Server in LAN 2),
Interface: any,
Show in Address List: yes.
 
When I try to connect via FTP from WAN using the address of the WAN interface, I see the number of packets increasing on F1.I, but nowhere else and, obviously, I can't establish a connection. Could you please help me with what and how I should change to allow the required connectivity?
 

Attached Image(s)

#1

4 Replies

    rreimche
    Re: A service for WAN on a server behind 2 fortigates with IPSec VPN between them 2021/08/04 06:26:56 (permalink)
    0
    I suppose the settings of the VPN tunnel may also be relevant, so here they are.
     
    At Fortigate 1:
    Network
    IP Version: IPv4
    Remote Gateway: Dynamic DNS
    Dynamic DNS: ourdomain.dyndns.org
    Interface: W
    Mode Config: disabled
    NAT Traversal: enabled
    Keepalive Frequency: 10
    Dead Peer Detection: enabled
    Authentication
    Method: Pre-Shared Key
    Pre-shared Key: secret
    IKE Version: 1
    IKE Mode: Main (ID Protection)
    Phase 1 Proposal
    Algorithms: AES128-SHA256
    Diffie-Hellman Groups: 14, 5
    XAUTH
    Type: Disabled
    Phase 2 Selectors
    Name: V1
    Local Address: Subnet 0.0.0.0/0.0.0.0
    Remote Address: Subnet 0.0.0.0/0.0.0.0
    (here we have several pairs of Encryption and Authentication types, I omit them)
    Enable Replay Detection: enabled
    Enable Perfect Forward Secrecy (PFS): enabled
    Diffie-Hellman Groups: 14, 5
    Local Port: All
    Remote Port: All
    Protocol: All
    Autokey Keep Alive: disabled
    Auto-negotiate: enabled
    Key lifetime: 43200 seconds
     
    Fortigate 2: everything is identical except:
    Remote Gateway: Static IP Address.
    IP Address: our static IP address of W
    Interface: the local WAN-Interface of the Site where Fortinet 2 functions
    Auto-negotiate: disabled.
     
     
     
    #2
    rreimche
    Re: A service for WAN on a server behind 2 fortigates with IPSec VPN between them 2021/08/04 08:57:03 (permalink)
    0
    After reading the following two articles
    https://kb.fortinet.com/kb/documentLink.do?externalID=FD38709
    https://kb.fortinet.com/kb/documentLink.do?externalID=FD48688
     
    I've disabled NAT on the F1.I and I have also found the sniffer. Now I see that I'm receiving the packets on V2:
     
    # diag sniff packet any "host xxx.yyy.zzz.nnn and tcp port 21" 4
    interfaces=[any]
    filters=[host xxx.yyy.zzz.nnn and tcp port 21]
    4.711693 V2 in aaa.bbb.ccc.ddd.56402 -> xxx.yyy.zzz.nnn.21: syn 4170189320
    16.712715 V2 in aaa.bbb.ccc.ddd.56402 -> xxx.yyy.zzz.nnn.21: syn 4170189320

     
    However, I don't see them leaving on L2.
    #3
    rreimche
    Re: A service for WAN on a server behind 2 fortigates with IPSec VPN between them 2021/08/04 09:33:42 (permalink)
    0
    I think I have found the problem: 
    # diag debug flow trace start 100
    id=20085 trace_id=1 func=print_pkt_detail line=4489 msg="vd-root received a packet(proto=6, aaa.bbb.ccc.ddd:56977->xxx.yyy.zzz.nnn:21) from V2. flag [S], seq 4154323049, ack 0, win 5840"
    id=20085 trace_id=1 func=init_ip_session_common line=4645 msg="allocate a new session-000cebfd"
    id=20085 trace_id=1 func=ip_route_input_slow line=1274 msg="reverse path check fail, drop"

    This seems to be a related article: https://kb.fortinet.com/kb/documentLink.do?externalID=FD30543
     
    Now I need to find out if I should disable the RPF or reconfigure the other Fortigate to NAT the packets.
    #4
    rreimche
    Re: A service for WAN on a server behind 2 fortigates with IPSec VPN between them 2021/08/04 09:50:52 (permalink)
    0
    I have changed F1.I to NAT and then statically added the external IP address of the Fortigate 1 to the routing table of the Fortigate 2. Now I seem to have the connection. The problem seems to be solved now.
    #5
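As an added illustration of the "reverse path check fail, drop" seen in the flow trace of post #4 and of why the combination in post #5 (NAT on F1.I plus a static route on Fortigate 2) makes it go away, here is a small Python model of a reverse path forwarding (RPF) check over a routing table. This is example code written for this thread, not FortiOS code and not anything from the original posts; the client address, Fortigate 1's external IP, the LAN 2 subnet and the interface name `wan1` are constructed stand-ins for the masked values in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One routing-table entry: destination prefix and egress interface."""
    prefix: ipaddress.IPv4Network
    device: str


def best_route(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match for ip, or None when no route covers it."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def rpf_check(routes: List[Route], src_ip: str, ingress: str,
              strict: bool = True) -> Tuple[bool, str]:
    """Reverse path check on the packet's SOURCE address.

    strict: the best route back to the source must leave via the interface
            the packet arrived on.
    loose:  any route back to the source is enough (this is what relaxing
            the check, as post #4 considers, amounts to).
    """
    route = best_route(routes, src_ip)
    if route is None:
        return False, f"no route to source {src_ip}"
    if strict and route.device != ingress:
        return False, (f"best route to {src_ip} is via {route.device}, "
                       f"but the packet arrived on {ingress}")
    return True, f"route to {src_ip} via {route.device} matches ingress {ingress}"


def process_packet(routes: List[Route], src_ip: str, ingress: str,
                   strict: bool = True) -> str:
    """Forwarding decision for one inbound packet, RPF stage only."""
    ok, why = rpf_check(routes, src_ip, ingress, strict)
    return "forward" if ok else f"reverse path check fail, drop ({why})"


# Constructed stand-ins (not the thread's real, masked addresses):
CLIENT_IP = "198.51.100.10"   # the FTP client on the Internet (aaa.bbb.ccc.ddd)
FG1_WAN_IP = "203.0.113.5"    # external IP of Fortigate 1, the SNAT address
LAN2 = ipaddress.ip_network("192.168.20.0/24")  # LAN 2 behind Fortigate 2

# Routing table of Fortigate 2 as the thread starts: default route out the
# local WAN, LAN 2 directly connected, nothing pointing at the tunnel V2.
FG2_BASE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan1"),
    Route(LAN2, "L2"),
]

# After post #5: a static host route for Fortigate 1's external IP via V2.
FG2_FIXED = FG2_BASE + [Route(ipaddress.ip_network(FG1_WAN_IP + "/32"), "V2")]


def demo() -> dict:
    """The four situations the thread passes through."""
    return {
        # posts #3/#4: NAT off on F1.I, the client's own address arrives on V2
        "no_nat_strict": process_packet(FG2_BASE, CLIENT_IP, "V2"),
        # relaxing RPF to loose mode would have let that packet through
        "no_nat_loose": process_packet(FG2_BASE, CLIENT_IP, "V2", strict=False),
        # post #5: NAT on F1.I rewrites the source to FG1's external IP,
        # and Fortigate 2 has a route for that IP via V2
        "nat_plus_route": process_packet(FG2_FIXED, FG1_WAN_IP, "V2"),
        # NAT alone, without the route, still fails: the default route wins
        "nat_only": process_packet(FG2_BASE, FG1_WAN_IP, "V2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

The model shows why either half of the fix on its own is not enough: NAT without the route still sends the reverse lookup out `wan1`, and the route without NAT covers Fortigate 1's address but not the client's. The loose-mode case is included only to show what disabling the strict check trades away: with it, any source that has some route at all is accepted on any interface.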