Introduction

This article describes how to configure a policy-based IPsec tunnel and use outbound NAT to allow connections between overlapping subnets on both sides of the tunnel. As with the route-based solution, users contact hosts at the other end of the VPN using an alternate subnet address: PC1 reaches PC2 using IP address 10.31.101.10, and PC2 reaches PC1 using IP address 10.21.101.10. In this solution, however, outbound NAT translates the source address of packets leaving the 10.11.101.0/24 network to the alternate subnet address that hosts at the other end of the VPN use to reply, and inbound packets from the remote end have their destination addresses translated back to the 10.11.101.0/24 network.

For example, PC1 uses the destination address 10.31.101.10 to contact PC2. Outbound NAT on FortiGate_1 translates the PC1 source address 10.11.101.10 to 10.21.101.10. At the FortiGate_2 end of the tunnel, the same NAT configuration translates the destination address 10.31.101.10 back to the actual PC2 address, 10.11.101.10. Similarly, PC2 replies to PC1 using destination address 10.21.101.10, and FortiGate_2 translates the PC2 source address to 10.31.101.10. PC1 and PC2 can communicate over the VPN even though they both have the same IP address.

Each FortiGate therefore needs two alternate subnets: the alternate address of its own local network, which it applies as the NAT source address on the way out and translates back on the way in, and the peer's alternate address, which it uses as the remote firewall address. FortiGate_1 presents 10.11.101.0/24 as 10.21.101.0/24, and FortiGate_2 presents its 10.11.101.0/24 as 10.31.101.0/24.
Products

The sample configuration uses the following FortiGate Antivirus Firewalls:
Prerequisites

You need to:
• Configure IPsec Phase 1 as you usually would for a policy-based VPN.
• Configure IPsec Phase 2 with the use-natip disable CLI option.
• Define a firewall address for the local private network, 10.11.101.0/24.
• Define a firewall address for the remote private network:
  • 10.31.101.0/24 on FortiGate_1
  • 10.21.101.0/24 on FortiGate_2
• Configure an outgoing IPsec security policy with outbound NAT to map 10.11.101.0/24 source addresses:
  • to the 10.21.101.0/24 network on FortiGate_1
  • to the 10.31.101.0/24 network on FortiGate_2
Configurations

To configure IPsec Phase 2 - CLI

    config vpn ipsec phase2
        edit "FGT1_FGT2_p2"
            set keepalive enable
            set pfs enable
            set phase1name FGT1_to_FGT2
            set proposal 3des-sha1 3des-md5
            set replay enable
            set use-natip disable
        end

In this example, your Phase 1 definition is named FGT1_to_FGT2. use-natip is set to disable, so you can specify the source selector using the src-addr-type, src-start-ip / src-end-ip or src-subnet keywords. This example leaves these keywords at their default values, which specify the subnet 0.0.0.0/0. The pfs keyword ensures that perfect forward secrecy (PFS) is used, so that each Phase 2 key created is unrelated to any other keys in use. Note that 3des-sha1 and 3des-md5 are legacy proposals retained from the original example; on firmware that supports them, prefer an AES and SHA-2 proposal (for example aes256-sha256), and configure the same proposals at both ends of the tunnel.

To define the local private network firewall address

1. Go to Firewall Objects > Address > Addresses and select Create New.
2. Enter the following information and select OK (the object name is the one the security policy refers to):

    Address Name         vpn-local
    Type                 Subnet / IP Range
    Subnet / IP Range    10.11.101.0/24

To define the remote private network firewall address

1. Go to Firewall Objects > Address > Addresses and select Create New.
2. Enter the following information, and select OK:

    Address Name         vpn-remote
    Type                 Subnet / IP Range
    Subnet / IP Range    10.31.101.0/24 on FortiGate_1; 10.21.101.0/24 on FortiGate_2

To configure the IPsec security policy

In the CLI on FortiGate_1, enter the commands:

    config firewall policy
        edit 1
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr "vpn-local"
            set dstaddr "vpn-remote"
            set action ipsec
            set schedule "always"
            set service "ANY"
            set inbound enable
            set outbound enable
            set vpntunnel "FGT1_to_FGT2"
            set natoutbound enable
            set natip 10.21.101.0 255.255.255.0
        end

natip is the alternate address that FortiGate_1 presents for its own 10.11.101.0/24 network, so it must be the subnet that FortiGate_2 uses as its remote firewall address (10.21.101.0/24), not the subnet that FortiGate_1's own hosts use to reach the peer. Optionally, you can set everything except natip in the web-based manager and then use the CLI to set natip. Enter the same commands on FortiGate_2, but set natip to 10.31.101.0 255.255.255.0, and adjust srcintf and dstintf to that unit's internal and external interfaces if they differ from port1 and port2.
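The following Python script is an added example, not FortiOS code or part of the original article. It models the packet walk-through from the Introduction and the two policy configurations above: it parses constructed FortiGate config fragments (the address objects and the natip line of the IPsec policy, written in FortiOS CLI syntax but embedded here as sample input), checks that each FortiGate's natip equals the subnet the peer uses as its vpn-remote address, and traces a PC1 to PC2 packet and its reply through the outbound NAT on one end and the reverse translation on the other. The function names, the FGT1_SWAPPED_CFG misconfiguration and the per-host mapping rule (keep the host part, swap the network part) are assumptions of this example.

```python
"""Model of the overlapping-subnet outbound-NAT flow (constructed example,
not FortiOS code): parse each FortiGate's config fragment, cross-check the
alternate subnets, and trace PC1 -> PC2 and the reply through both NATs."""
import ipaddress
import re

# Template for the constructed config fragments; only the address objects
# and the policy keywords that the checks below read are included.
CFG_TEMPLATE = """
config firewall address
    edit "vpn-local"
        set subnet {local}
    next
    edit "vpn-remote"
        set subnet {remote}
    next
end
config firewall policy
    edit 1
        set srcaddr "vpn-local"
        set dstaddr "vpn-remote"
        set action ipsec
        set natoutbound enable
        set natip {natip}
    next
end
"""


def fortigate_cfg(local, remote, natip):
    """Fill the template with 'address netmask' strings as the CLI takes them."""
    return CFG_TEMPLATE.format(local=local, remote=remote, natip=natip)


# FortiGate_1 and FortiGate_2 as in the article: same real subnet, each with
# its own alternate subnet as natip and the peer's alternate as vpn-remote.
FGT1_CFG = fortigate_cfg("10.11.101.0 255.255.255.0", "10.31.101.0 255.255.255.0", "10.21.101.0 255.255.255.0")
FGT2_CFG = fortigate_cfg("10.11.101.0 255.255.255.0", "10.21.101.0 255.255.255.0", "10.31.101.0 255.255.255.0")
# Assumed misconfiguration: natip set to the subnet this unit's hosts use to
# reach the peer instead of the alternate address of its own network.
FGT1_SWAPPED_CFG = fortigate_cfg("10.11.101.0 255.255.255.0", "10.31.101.0 255.255.255.0", "10.31.101.0 255.255.255.0")

SUBNET_RE = re.compile(r'edit "([^"]+)"\s+set subnet (\S+) (\S+)')
NATIP_RE = re.compile(r"set natip (\S+) (\S+)")
SRCADDR_RE = re.compile(r'set srcaddr "([^"]+)"')
DSTADDR_RE = re.compile(r'set dstaddr "([^"]+)"')


def parse_fortigate(cfg):
    """Return the local, remote and natip networks referenced by the IPsec policy."""
    addrs = {name: ipaddress.IPv4Network(f"{ip}/{mask}")
             for name, ip, mask in SUBNET_RE.findall(cfg)}
    natip, mask = NATIP_RE.search(cfg).groups()
    return {
        "local": addrs[SRCADDR_RE.search(cfg).group(1)],
        "remote": addrs[DSTADDR_RE.search(cfg).group(1)],
        "natip": ipaddress.IPv4Network(f"{natip}/{mask}"),
    }


def check_pair(fgt1, fgt2):
    """List the mismatches that would break the translation between the two ends."""
    problems = []
    for me, peer, tag in ((fgt1, fgt2, "FortiGate_1"), (fgt2, fgt1, "FortiGate_2")):
        if me["natip"] != peer["remote"]:
            problems.append(f"{tag}: natip {me['natip']} must equal the peer's "
                            f"vpn-remote {peer['remote']}")
        if me["natip"].prefixlen != me["local"].prefixlen:
            problems.append(f"{tag}: natip mask must match the local subnet mask")
        if me["natip"].overlaps(me["local"]):
            problems.append(f"{tag}: natip {me['natip']} overlaps the real local subnet")
    return problems


def _rehost(ip, from_net, to_net):
    """Keep the host part of ip and move it from from_net to to_net."""
    return to_net.network_address + (int(ip) - int(from_net.network_address))


def outbound_nat(fgt, src, dst):
    """Policy match plus natoutbound: a local source is rewritten to its natip address."""
    if src in fgt["local"] and dst in fgt["remote"]:
        return _rehost(src, fgt["local"], fgt["natip"]), dst
    return src, dst


def inbound_untranslate(fgt, src, dst):
    """Inbound leg: a destination inside natip maps back to the real local host."""
    if dst in fgt["natip"]:
        return src, _rehost(dst, fgt["natip"], fgt["local"])
    return src, dst


def trace(sender_fgt, receiver_fgt, src, dst):
    """Return (hop, src, dst) triples for a packet sent from behind sender_fgt."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    hops = [("sent", src, dst)]
    src, dst = outbound_nat(sender_fgt, src, dst)
    hops.append(("in tunnel", src, dst))
    src, dst = inbound_untranslate(receiver_fgt, src, dst)
    hops.append(("delivered", src, dst))
    return [(hop, str(s), str(d)) for hop, s, d in hops]


if __name__ == "__main__":
    fgt1, fgt2 = parse_fortigate(FGT1_CFG), parse_fortigate(FGT2_CFG)
    print("consistency:", check_pair(fgt1, fgt2) or "ok")
    for hop in trace(fgt1, fgt2, "10.11.101.10", "10.31.101.10"):  # PC1 -> PC2
        print("PC1->PC2", *hop)
    for hop in trace(fgt2, fgt1, "10.11.101.10", "10.21.101.10"):  # PC2 reply
        print("PC2->PC1", *hop)
    print("swapped natip:", check_pair(parse_fortigate(FGT1_SWAPPED_CFG), fgt2))
```

Running the script shows PC1's packet leaving FortiGate_1 as 10.21.101.10 -> 10.31.101.10 and arriving at PC2 as 10.21.101.10 -> 10.11.101.10, with the reply taking the mirror-image path, and it reports the swapped natip as a FortiGate_1 problem. The check_pair rule is the one worth carrying into a review of a real pair of configs: each unit's natip must be the other unit's vpn-remote subnet, and it must not overlap the real local network it stands in for.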
Troubleshooting
Related Articles
IPSec VPN with outbound NAT for overlapped subnets - FortiOS v2.80
Copyright 2024 Fortinet, Inc. All Rights Reserved.