FortiGate
Article Id 195405

Solution

This article describes how to configure a FortiOS v2.80 gateway-to-gateway IPSec tunnel and enable outbound NAT on the VPN tunnel, so that hosts on overlapping subnets on both sides of the tunnel can connect to each other.

After the tunnel is established, hosts on each side can communicate with hosts on the other side using mapped IP addresses. For example, PC1 can communicate with PC2 using IP address 30.30.30.200. Firewall 2 maps connections for IP address 30.30.30.200 to IP address 192.168.1.200.

Note: This feature is not available in v2.80 b184 and b219.

For information about creating this configuration in FortiOS 3.0, see IPSec VPN with outbound NAT for overlapped subnets (FortiOS 3.0).

Products

The sample configuration uses the following FortiGate Antivirus Firewall releases:

- FortiGate 300 v2.80 b249.

- FortiGate 400 v2.80 b249.

Network Diagram

The diagram image is not reproduced here; the two VPN policies it shows are:

VPN policy 1 (Firewall1): local 192.168.1.0/24 - remote 30.30.30.0/24; local subnet NAT out as 20.20.20.0/24.

VPN policy 2 (Firewall2): local 192.168.1.0/24 - remote 20.20.20.0/24; local subnet NAT out as 30.30.30.0/24.

Prerequisites

The configuration is based on the following assumptions:

- The IP address of the external interface of each firewall is its public IP address.

- The default gateway of each firewall points to an address on the external interface.

- Individual addresses, not address groups, are used in the IPSec tunnel policy.

Configurations

Firewall1 FortiGate-300 configuration.

# config system interface
    edit "internal"
        set ip 192.168.1.1 255.255.255.0
    next
    edit "external"
        set ip 64.114.95.229 255.255.255.128
    next
end

# config vpn ipsec phase1
    edit "FG400"
        set dpd enable
        set nattraversal enable
        set proposal 3des-sha1 3des-md5
        set keepalive 5
        set psksecret 123456
        set remotegw 64.114.95.228
    next
end

# config vpn ipsec phase2
    edit "mytunnel"
        set pfs enable
        set phase1name FG400
        set proposal 3des-sha1 3des-md5
        set replay enable
        set wildcardid enable
    next
end

# config firewall address
    edit "vpn-remote"
        set subnet 30.30.30.0 255.255.255.0
    next
    edit "vpn-local"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "vpn-local"
        set dstaddr "vpn-remote"
        set action encrypt
        set schedule "always"
        set service "ANY"
        set natip 20.20.20.0 255.255.255.0
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel "mytunnel"
    next
end

 

Firewall2 FortiGate-400 configuration.

# config system interface
    edit "port1"
        set ip 192.168.1.1 255.255.255.0
    next
    edit "port2"
        set ip 64.114.95.228 255.255.255.128
    next
end

# config vpn ipsec phase1
    edit "FG300"
        set dpd enable
        set nattraversal enable
        set proposal 3des-sha1 3des-md5
        set keepalive 5
        set psksecret 123456
        set remotegw 64.114.95.229
    next
end

# config vpn ipsec phase2
    edit "mytunnel"
        set pfs enable
        set phase1name FG300
        set proposal 3des-sha1 3des-md5
        set replay enable
        set wildcardid enable
    next
end

# config firewall address
    edit "vpn-remote"
        set subnet 20.20.20.0 255.255.255.0
    next
    edit "vpn-local"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# config firewall policy
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "vpn-local"
        set dstaddr "vpn-remote"
        set action encrypt
        set schedule "always"
        set service "ANY"
        set natip 30.30.30.0 255.255.255.0
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel "mytunnel"
    next
end

Verifying the results

Verifying on PC1.

PC1 is able to ping/telnet to PC2:

- ping 30.30.30.200
- telnet 30.30.30.200

PC2 is able to ping/telnet to PC1:

- ping 20.20.20.100
- telnet 20.20.20.100

Verifying Firewall1 FG300 status.

FG300U # diag vpn t l
tunnel[5]:mytunnel, gateway:64.114.95.228:500, hub=, option=38
   eroute[2]:{[192.168.1.*]}->{[30.30.30.*]}
   channel[2]:64.114.95.229,natt=0,state=2,keepalive=0,oif=3
     sa[4]:mtu=1434, cur_bytes=268492, timeout=238
     itdb[1]:mtu=1434, cur_bytes=99904, cur_packets=1561, spi=909ea428, replay=64
          3DES=f91008661b624754af54d579262b15fcd36474f010e2e0f1
          iv=0000000000000000
          SHA1_HMAC=0d5aedeae263178811ffb69e7dc48adf1d513a8c
     otdb[1]:mtu=1434, cur_bytes=99904, cur_packets=1561, spi=f364b87f, replay=64
          3DES=d3168c419fe0c32255bd9accd1a1734053b5186f5d18ae32
          iv=12a43de1f9aeb3c1
          SHA1_HMAC=c1dee7b41d287cb89a6e1ab3e0cb68b48dcdaf9d

FG300U # diag sys sess list
session info: proto=1 proto_state=00 expire=30 timeout=3600 use=3
bandwidth=0/sec guaranteed_bandwidth=0/sec      traffic=0/sec   prio=0  logtype=session ha_id=0 hakey=8236
tunnel=mytunnel/
state=oe may_dirty
statistic(bytes/packets): org=202380/3373 reply=202320/3372 tuples=2
orgin->sink: org pre->post, reply pre->post oif=3/2 gwy=64.114.95.254/192.168.1.100
hook=post dir=org act=snat192.168.1.100:768->30.30.30.200:8(20.20.20.100:768)
hook=pre dir=reply act=dnat 30.30.30.200:768->20.20.20.100:0(192.168.1.100:768)
misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=000001b9 tos=ff/ff


Verifying Firewall2 FG400 status.

FG400B # diag vpn t l
tunnel[5]:mytunnel, gateway:64.114.95.229:500, hub=, option=38
   eroute[2]:{[192.168.1.*]}->{[20.20.20.*]}
   channel[2]:64.114.95.228,natt=0,state=2,keepalive=0,oif=3
     sa[4]:mtu=1434, cur_bytes=296872, timeout=74
     itdb[1]:mtu=1434, cur_bytes=110464, cur_packets=1726, spi=f364b87f, replay=64
          3DES=d3168c419fe0c32255bd9accd1a1734053b5186f5d18ae32
          iv=0000000000000000
          SHA1_HMAC=c1dee7b41d287cb89a6e1ab3e0cb68b48dcdaf9d
     otdb[1]:mtu=1434, cur_bytes=110464, cur_packets=1726, spi=909ea428, replay=64
          3DES=f91008661b624754af54d579262b15fcd36474f010e2e0f1
          iv=94bcd063f7c52a1e
          SHA1_HMAC=0d5aedeae263178811ffb69e7dc48adf1d513a8c

FG400B # diag sys sess li
session info: proto=1 proto_state=00 expire=29 timeout=3600 use=3
bandwidth=0/sec guaranteed_bandwidth=0/sec      traffic=0/sec   prio=0  logtype=session ha_id=0 hakey=5676
tunnel=/mytunnel
state=re may_dirty
statistic(bytes/packets): org=210960/3516 reply=210960/3516 tuples=2
orgin->sink: org pre->post, reply pre->post oif=2/3 gwy=192.168.1.200/64.114.95.254
hook=pre dir=org act=dnat 20.20.20.100:768->30.30.30.200:8(192.168.1.200:8)
hook=post dir=reply act=snat 192.168.1.200:8->20.20.20.100:0(30.30.30.200:768)
misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=000000d7 tos=ff/ff
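The mapped-address scheme described in the introduction (PC1 192.168.1.100 appears as 20.20.20.100, PC2 192.168.1.200 appears as 30.30.30.200) and the act=snat/act=dnat lines in the two session dumps above can be checked mechanically. The following Python script is an added example, not part of the original article or of FortiOS: it assumes the natip translation keeps the host part of the address unchanged (a 1:1 subnet mapping, which is what the article's addresses imply), derives the expected translation from each policy's local and natip subnets, and verifies the session lines quoted from the FG300 and FG400 output against it.

```python
import ipaddress
import re

# Policy values from the article: each gateway's real local subnet and the
# natip subnet its hosts are presented as to the peer.
FIREWALL1 = {"local": "192.168.1.0/24", "natip": "20.20.20.0/24"}
FIREWALL2 = {"local": "192.168.1.0/24", "natip": "30.30.30.0/24"}

# act= field of a "diag sys sess list" entry; the address in parentheses is the
# post-translation source (snat) or destination (dnat). FG300 printed
# "act=snat" with no space before the address, so the space is optional.
ACT_RE = re.compile(
    r"act=(?P<kind>snat|dnat)\s*(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+"
    r"\((?P<xlat>[\d.]+):\d+\)"
)

def _shift(ip, from_net, to_net):
    """Keep the host part of ip and move it from from_net to to_net (assumed 1:1 NAT)."""
    src, dst = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    addr = ipaddress.ip_address(ip)
    if addr not in src or src.prefixlen != dst.prefixlen:
        raise ValueError(f"{ip} not in {from_net}, or prefix lengths differ")
    return str(dst.network_address + (int(addr) - int(src.network_address)))

def nat_out(local_ip, policy):
    """Address a local host appears as on the far side (natoutbound direction)."""
    return _shift(local_ip, policy["local"], policy["natip"])

def nat_in(mapped_ip, policy):
    """Real local host behind a natip address (reply direction)."""
    return _shift(mapped_ip, policy["natip"], policy["local"])

def check_session(act_line, policy):
    """True if the translation shown in one act= line matches the policy's natip."""
    m = ACT_RE.search(act_line)
    if not m:
        raise ValueError("no act= translation in: " + act_line)
    if m["kind"] == "snat":
        return nat_out(m["src"], policy) == m["xlat"]
    return nat_in(m["dst"], policy) == m["xlat"]

# Session lines as quoted in the article's FG300 and FG400 output above.
FG300_LINES = [
    "hook=post dir=org act=snat192.168.1.100:768->30.30.30.200:8(20.20.20.100:768)",
    "hook=pre dir=reply act=dnat 30.30.30.200:768->20.20.20.100:0(192.168.1.100:768)",
]
FG400_LINES = [
    "hook=pre dir=org act=dnat 20.20.20.100:768->30.30.30.200:8(192.168.1.200:8)",
    "hook=post dir=reply act=snat 192.168.1.200:8->20.20.20.100:0(30.30.30.200:768)",
]

def all_sessions_consistent():
    return (all(check_session(l, FIREWALL1) for l in FG300_LINES)
            and all(check_session(l, FIREWALL2) for l in FG400_LINES))
```

A mismatch between the address in parentheses and the natip-derived address points at a policy whose natip subnet does not line up with the address objects, which is the first thing to check when only some hosts are reachable across the tunnel.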

Troubleshooting

# diag deb enabl <----- Enable debug output on the console.
# diag deb app ike <----- Display the IPSec IKE negotiation.
# diag sniff packets <----- Display packets coming in and out on the interfaces.