FortiGate
Article Id 193571

 

Description

This article describes how to configure a FortiOS v2.80 gateway-to-gateway IPSec tunnel and use outbound NAT for the tunnel to allow connections between overlapped subnet addresses on both sides of the tunnel. This article also describes using multiple policies to overcome the restriction that IPsec-NAT-out does not support address groups.

 

After the tunnel is established, hosts on each side can communicate with hosts on the other side using mapped IP addresses. For example, the PC (see the diagram below) can communicate with the Server using IP address 40.40.40.200.

Firewall 1 maps connections for IP address 30.30.30.200 to IP address 10.1.1.1. The router then maps this IP address to 172.16.254.10.

 

Note:

This feature is not available in v2.80 MR3 build 184 and MR4 build 219.

Products

The sample configuration uses the following versions of the FortiGate Antivirus Firewall:

 

- FortiGate-300 v2.80 build 249.

- FortiGate-400 v2.80 build 249.

Network Diagram

Firewall1 (FortiGate-300) VPN policy 1:

local: 10.1.1.0/24 - remote: 40.40.40.0/24

local subnet NAT out as 20.20.20.0/24

Firewall1 (FortiGate-300) VPN policy 2:

local: 172.16.254.0/24 - remote: 40.40.40.0/24

local subnet NAT out as 30.30.30.0/24

Firewall2 (FortiGate-400) VPN policy:

local: 10.1.1.0/24

remote: 20.20.20.0/24 and 30.30.30.0/24

local subnet NAT out as 40.40.40.0/24

Prerequisites

The configuration is based on the following assumptions:

 

- The IP address of the external interface for both firewalls is the public IP address.

 

- The default gateway for both firewalls points to an address on the external interface.

Configurations

Cisco router configuration.

 

          interface FastEthernet0/0
               ip address 10.1.1.1 255.255.255.0

          interface FastEthernet0/1
               ip address 172.16.254.1 255.255.255.0

          ip route 40.40.40.0 255.255.255.0 10.1.1.10

 

Firewall1 FortiGate-300 configuration.

 

# config system interface

    edit 'internal'

        set ip 10.1.1.10 255.255.255.0

    next

    edit 'external'

        set ip 64.114.95.228 255.255.255.128

    next

end

 

# config vpn ipsec phase1

    edit 'FG400'

        set dpd enable

        set nattraversal enable

        set proposal 3des-sha1 3des-md5

        set psksecret 123456

        set remotegw 64.114.95.229

    next

end

 

# config vpn ipsec phase2

    edit 'FG300'

        set pfs enable

        set phase1name FG400

        set proposal 3des-sha1 3des-md5

        set replay enable

        set wildcardid enable

    next

end

 

# config firewall address

    edit 'all'

    next

    edit 'vpn-local-10'

        set subnet 10.1.1.0 255.255.255.0

    next

    edit 'vpn-local-172'

        set subnet 172.16.254.0 255.255.255.0

    next

    edit 'vpn-remote-40'

        set subnet 40.40.40.0 255.255.255.0

    next

end

 

# config firewall policy

    edit 3

        set srcintf 'internal'

        set dstintf 'external'

        set srcaddr 'vpn-local-172'

        set dstaddr 'vpn-remote-40'

        set action encrypt

        set schedule 'always'

        set service 'ANY'

        set natip 30.30.30.0 255.255.255.0

        set inbound enable

        set outbound enable

        set natoutbound enable

        set vpntunnel 'FG300'

    next

    edit 2

        set srcintf 'internal'

        set dstintf 'external'

        set srcaddr 'vpn-local-10'

        set dstaddr 'vpn-remote-40'

        set action encrypt

        set schedule 'always'

        set service 'ANY'

        set natip 20.20.20.0 255.255.255.0

        set inbound enable

        set outbound enable

        set natoutbound enable

        set vpntunnel 'FG300'

    next

end

 

# config router static

    edit 2

        set device 'internal'

        set dst 172.16.254.0 255.255.255.0

        set gateway 10.1.1.1

    next

end

 

Firewall2 FortiGate-400 configuration.

 

# config vpn ipsec phase1

    edit 'FG300'

        set dpd enable

        set nattraversal enable

        set proposal 3des-sha1 3des-md5

        set psksecret 123456

        set remotegw 64.114.95.228

    next

end

 

# config vpn ipsec phase2

    edit 'FG300'

        set pfs enable

        set phase1name FG300

        set proposal 3des-sha1 3des-md5

        set replay enable

        set wildcardid enable

    next

end

 

# config firewall address

    edit 'all'

    next

    edit 'vpn-remote-20'

        set subnet 20.20.20.0 255.255.255.0

    next

    edit 'vpn-remote-30'

        set subnet 30.30.30.0 255.255.255.0

    next

    edit 'vpn-local'

        set subnet 10.1.1.0 255.255.255.0

    next

end

 

# config firewall addrgrp

    edit 'vpn-remote'

        set member 'vpn-remote-20' 'vpn-remote-30'

    next

end

 

# config firewall policy

    edit 1

        set srcintf 'port1'

        set dstintf 'port2'

        set srcaddr 'vpn-local'

        set dstaddr 'vpn-remote'

        set action encrypt

        set schedule 'always'

        set service 'ANY'

        set natip 40.40.40.0 255.255.255.0

        set inbound enable

        set outbound enable

        set natoutbound enable

        set vpntunnel 'FG300'

    next

end

Verifying the results

Verifying on the PC and Server.

The PC is able to access the Server (using the mapped address of the Server):

        ping 30.30.30.10

        telnet 30.30.30.10

        http://30.30.30.10/

The Server is able to access the PC (using the mapped address of the PC):

        ping 40.40.40.1

 

Verifying the Firewall1 FG300 status.

 

Fortigate-300 # diag vpn t l

tunnel[8]:FG300, gateway:64.114.95.229:500, hub=, option=38

   eroute[2]:{[172.16.254.*]}->{[40.40.40.*]}

 

   eroute[2]:{[10.1.1.*]}->{[40.40.40.*]}

 

   channel[2]:64.114.95.228,natt=0,state=2,keepalive=0,oif=3

     sa[4]:mtu=1434, cur_bytes=6380, timeout=1776

     itdb[1]:mtu=1434, cur_bytes=2552, cur_packets=29, spi=9f23f35f, replay=64

          3DES=bdf1f899c964123f33d260a8d1fc2dc0f806c5703d0b4cbc

          iv=0000000000000000

          SHA1_HMAC=f34f3cee9324e7d55d66af5bd51fb45a0efe054e

     otdb[1]:mtu=1434, cur_bytes=2552, cur_packets=29, spi=48f32f37, replay=64

          3DES=2a7037ac9ed3d76f6184b86aea63edf9ab3859fd37eef53a

          iv=edfea69f26323700

          SHA1_HMAC=302b6c99a26b3acb11e03fae2e15f7b082e7a1b6

 

 

Fortigate-300 # diag sys sess li

session info: proto=1 proto_state=00 expire=29 timeout=3600 use=3

bandwidth=0/sec guaranteed_bandwidth=0/sec      traffic=0/sec   prio=0  logtype=

session ha_id=0 hakey=10498

tunnel=/FG300

 

state=re may_dirty

statistic(bytes/packets): org=6384/76 reply=6384/76 tuples=2

orgin->sink: org pre->post, reply pre->post oif=2/3 gwy=10.1.1.1/64.114.95.254

hook=pre dir=org act=dnat 40.40.40.1:4438->20.20.20.1:8(10.1.1.1:8)

 

hook=post dir=reply act=snat 10.1.1.1:8->40.40.40.1:0(20.20.20.1:4438)

 

misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=00000f17 tos=ff/ff

 

 

session info: proto=1 proto_state=00 expire=29 timeout=3600 use=3

bandwidth=0/sec guaranteed_bandwidth=0/sec      traffic=0/sec   prio=0  logtype=

session ha_id=0 hakey=9739

tunnel=/FG300

 

state=re may_dirty

statistic(bytes/packets): org=6888/82 reply=6888/82 tuples=2

orgin->sink: org pre->post, reply pre->post oif=2/3 gwy=10.1.1.1/64.114.95.254

hook=pre dir=org act=dnat 40.40.40.1:4182->30.30.30.10:8(172.16.254.10:8)

 

hook=post dir=reply act=snat 172.16.254.10:8->40.40.40.1:0(30.30.30.10:4182)

 

misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=00000f12 tos=ff/ff

 

Verifying the Firewall2 status.

 

Fortigate-400 # diag vpn t l

tunnel[6]:FG300, gateway:64.114.95.228:500, hub=, option=38

   eroute[2]:{[10.1.1.*]}->{[20.20.20.*][30.30.30.*]}

 

   channel[2]:64.114.95.229,natt=0,state=2,keepalive=0,oif=3

     sa[4]:mtu=1434, cur_bytes=83820, timeout=1598

     itdb[1]:mtu=1434, cur_bytes=33528, cur_packets=381, spi=48f32f37, replay=64

          3DES=2a7037ac9ed3d76f6184b86aea63edf9ab3859fd37eef53a

          iv=0000000000000000

          SHA1_HMAC=302b6c99a26b3acb11e03fae2e15f7b082e7a1b6

     otdb[1]:mtu=1434, cur_bytes=33528, cur_packets=381, spi=9f23f35f, replay=64

          3DES=bdf1f899c964123f33d260a8d1fc2dc0f806c5703d0b4cbc

          iv=05784ee548f10a00

          SHA1_HMAC=f34f3cee9324e7d55d66af5bd51fb45a0efe054e

 

Fortigate-400 # diag sys sess l

session info: proto=1 proto_state=00 expire=29 timeout=3600 use=3

bandwidth=0/sec guaranteed_bandwidth=0/sec      traffic=0/sec   prio=0  logtype=

session ha_id=0 hakey=5378

tunnel=FG300/

 

state=oe may_dirty

statistic(bytes/packets): org=20076/239 reply=20076/239 tuples=2

orgin->sink: org pre->post, reply pre->post oif=3/2 gwy=64.114.95.254/10.1.1.1

hook=post dir=org act=snat 10.1.1.1:4438->20.20.20.1:8(40.40.40.1:4438)

 

hook=pre dir=reply act=dnat 20.20.20.1:4438->40.40.40.1:0(10.1.1.1:4438)

 

misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=00001253 tos=ff/ff

 

session info: proto=1 proto_state=00 expire=29 timeout=3600 use=3

bandwidth=0/sec guaranteed_bandwidth=0/sec      traffic=0/sec   prio=0  logtype=

session ha_id=0 hakey=7947

tunnel=FG300/

 

state=oe may_dirty

statistic(bytes/packets): org=20580/245 reply=20580/245 tuples=2

orgin->sink: org pre->post, reply pre->post oif=3/2 gwy=64.114.95.254/10.1.1.1

hook=post dir=org act=snat 10.1.1.1:4182->30.30.30.10:8(40.40.40.1:4182)

 

hook=pre dir=reply act=dnat 30.30.30.10:4182->40.40.40.1:0(10.1.1.1:4182)

 

misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=0000124e tos=ff/ff
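The session entries above show the one-to-one mapping that `set natip <subnet>` with `natoutbound` applies: the network part of the source address is rewritten and the host part is kept (10.1.1.1 becomes 20.20.20.1, 172.16.254.10 becomes 30.30.30.10, and on Firewall2 10.1.1.1 becomes 40.40.40.1). The following Python script is an added example, not part of the article: it models that mapping for the policies in this configuration and checks the `act=snat` / `act=dnat` lines of `diag sys sess list` against it; the sample session lines are copied from the output above.

```python
import ipaddress
import re

# Per firewall: (real local subnet, natip subnet) taken from the article's policies.
# natip with natoutbound keeps the host bits, e.g. 172.16.254.10 -> 30.30.30.10.
NAT_POLICIES = {
    "FG300": [("172.16.254.0/24", "30.30.30.0/24"), ("10.1.1.0/24", "20.20.20.0/24")],
    "FG400": [("10.1.1.0/24", "40.40.40.0/24")],
}

def overlapping(a: str, b: str) -> bool:
    """True if two subnets overlap (both sites use 10.1.1.0/24, hence NAT-out)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def nat_map(addr: str, real_subnet: str, nat_subnet: str) -> str:
    """Translate addr from real_subnet into nat_subnet, preserving the host bits."""
    real = ipaddress.ip_network(real_subnet)
    nat = ipaddress.ip_network(nat_subnet)
    ip = ipaddress.ip_address(addr)
    if ip not in real or real.prefixlen != nat.prefixlen:
        raise ValueError(f"{addr} is not in {real_subnet} or prefix lengths differ")
    host_bits = int(ip) - int(real.network_address)
    return str(nat.network_address + host_bits)

# Matches the NAT lines of "diag sys sess list", e.g.
# hook=post dir=reply act=snat 172.16.254.10:8->40.40.40.1:0(30.30.30.10:4182)
SESS_RE = re.compile(
    r"hook=(\w+) dir=(\w+) act=(\w+) ([\d.]+):\d+->([\d.]+):\d+\(([\d.]+):\d+\)"
)

def check_session_nat(line: str, firewall: str) -> bool:
    """True if the translation on one session line matches a configured natip mapping."""
    m = SESS_RE.match(line.strip())
    if not m:
        return False
    _hook, _dir, act, src, dst, translated = m.groups()
    # snat: real source -> mapped source in (); dnat: mapped destination -> real in ()
    real, mapped = (src, translated) if act == "snat" else (translated, dst)
    for real_subnet, nat_subnet in NAT_POLICIES[firewall]:
        if ipaddress.ip_address(real) in ipaddress.ip_network(real_subnet):
            return nat_map(real, real_subnet, nat_subnet) == mapped
    return False

if __name__ == "__main__":
    # Session lines copied from the article's Firewall1 and Firewall2 output.
    print(check_session_nat("hook=pre dir=org act=dnat 40.40.40.1:4182->30.30.30.10:8(172.16.254.10:8)", "FG300"))
    print(check_session_nat("hook=post dir=org act=snat 10.1.1.1:4438->20.20.20.1:8(40.40.40.1:4438)", "FG400"))
```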

Troubleshooting

# diag deb enable: Enable debug output on the console.

# diag deb app ike 2: Display the IPsec IKE negotiation.

# diag sniff packets: Display packets coming in and going out on the interfaces.

 
