Created on 10-12-2004 12:00 AM Edited on 06-03-2022 06:47 AM By Anthony_E
Solution
This article describes how to configure a FortiOS v2.80 gateway-to-gateway IPSec tunnel and use outbound NAT for the VPN tunnel to allow connections between overlapped subnet addresses on both sides of the tunnel. After the tunnel is established, hosts on each side can communicate with hosts on the other side using mapped IP addresses. For example, PC1 can communicate with PC2 using IP address 30.30.30.200. Firewall 2 maps connections for IP address 30.30.30.200 to IP address 192.168.1.200. Note: This feature is not available in v2.80 b184 and b219.
For information about creating this configuration in FortiOS 3.0, see IPSec VPN with outbound NAT for overlapped subnets (FortiOS 3.0).
Products
The sample configuration uses the following releases of the FortiGate Antivirus Firewalls:
- FortiGate 300 v2.80 b249
- FortiGate 400 v2.80 b249
Network
VPN policy 1.
local:192.168.1.0/24-remote:30.30.30.0/24 local subnet NAT out as 20.20.20.0/24
VPN policy 2.
local:192.168.1.0/24-remote:20.20.20.0/24 local subnet NAT out as 30.30.30.0/24
Prerequisites
The configuration is based on the following assumptions:
- The IP address of the external interface for both firewalls is the public IP address.
- The default gateway for both firewalls is pointed to an address on the external interface.
- Addresses but not address groups have been used in the IPSec tunnel policy.
Configurations
Firewall1 FortiGate-300 configuration.
config system interface
    edit "internal"
        set ip 192.168.1.1 255.255.255.0
    next
    edit "external"
        set ip 64.114.95.229 255.255.255.128
    next
end

config vpn ipsec phase1
    edit "FG400"
        set dpd enable
        set nattraversal enable
        set proposal 3des-sha1 3des-md5
        set keepalive 5
        set psksecret 123456
        set remotegw 64.114.95.228
    next
end

config vpn ipsec phase2
    edit "mytunnel"
        set pfs enable
        set phase1name FG400
        set proposal 3des-sha1 3des-md5
        set replay enable
        set wildcardid enable
    next
end

config firewall address
    edit "vpn-remote"
        set subnet 30.30.30.0 255.255.255.0
    next
    edit "vpn-local"
        set subnet 192.168.1.0 255.255.255.0
    next
end

config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "vpn-local"
        set dstaddr "vpn-remote"
        set action encrypt
        set schedule "always"
        set service "ANY"
        set natip 20.20.20.0 255.255.255.0
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel "mytunnel"
    next
end
Firewall2 FortiGate-400 configuration.
config system interface
    edit "port1"
        set ip 192.168.1.1 255.255.255.0
    next
    edit "port2"
        set ip 64.114.95.228 255.255.255.128
    next
end

config vpn ipsec phase1
    edit "FG300"
        set dpd enable
        set nattraversal enable
        set proposal 3des-sha1 3des-md5
        set keepalive 5
        set psksecret 123456
        set remotegw 64.114.95.229
    next
end

config vpn ipsec phase2
    edit "mytunnel"
        set pfs enable
        set phase1name FG300
        set proposal 3des-sha1 3des-md5
        set replay enable
        set wildcardid enable
    next
end

config firewall address
    edit "vpn-remote"
        set subnet 20.20.20.0 255.255.255.0
    next
    edit "vpn-local"
        set subnet 192.168.1.0 255.255.255.0
    next
end

config firewall policy
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "vpn-local"
        set dstaddr "vpn-remote"
        set action encrypt
        set schedule "always"
        set service "ANY"
        set natip 30.30.30.0 255.255.255.0
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel "mytunnel"
    next
end
Verifying the results
Verifying on PC1.
PC1 is able to ping/telnet to PC2:
- ping 30.30.30.200
- telnet 30.30.30.200
PC2 is able to ping/telnet to PC1:
- ping 20.20.20.100
- telnet 20.20.20.100
Verifying Firewall1 FG300 status.
FG300U # diag vpn t l
tunnel[5]:mytunnel, gateway:64.114.95.228:500, hub=, option=38
eroute[2]:{[192.168.1.*]}->{[30.30.30.*]}
channel[2]:64.114.95.229,natt=0,state=2,keepalive=0,oif=3
sa[4]:mtu=1434, cur_bytes=268492, timeout=238
itdb[1]:mtu=1434, cur_bytes=99904, cur_packets=1561, spi=909ea428, replay=64
3DES=f91008661b624754af54d579262b15fcd36474f010e2e0f1 iv=0000000000000000
SHA1_HMAC=0d5aedeae263178811ffb69e7dc48adf1d513a8c
otdb[1]:mtu=1434, cur_bytes=99904, cur_packets=1561, spi=f364b87f, replay=64
3DES=d3168c419fe0c32255bd9accd1a1734053b5186f5d18ae32 iv=12a43de1f9aeb3c1
SHA1_HMAC=c1dee7b41d287cb89a6e1ab3e0cb68b48dcdaf9d

FG300U # diag sys sess list
session info: proto=1 proto_state=00 expire=30 timeout=3600 use=3
bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 logtype=session
ha_id=0 hakey=8236
tunnel=mytunnel/
state=oe may_dirty
statistic(bytes/packets): org=202380/3373 reply=202320/3372 tuples=2
orgin->sink: org pre->post, reply pre->post oif=3/2
gwy=64.114.95.254/192.168.1.100
hook=post dir=org act=snat 192.168.1.100:768->30.30.30.200:8(20.20.20.100:768)
hook=pre dir=reply act=dnat 30.30.30.200:768->20.20.20.100:0(192.168.1.100:768)
misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=000001b9 tos=ff/ff
Verifying the Firewall2 FG400 status.
FG400B # diag vpn t l
tunnel[5]:mytunnel, gateway:64.114.95.229:500, hub=, option=38
eroute[2]:{[192.168.1.*]}->{[20.20.20.*]}
channel[2]:64.114.95.228,natt=0,state=2,keepalive=0,oif=3
sa[4]:mtu=1434, cur_bytes=296872, timeout=74
itdb[1]:mtu=1434, cur_bytes=110464, cur_packets=1726, spi=f364b87f, replay=64
3DES=d3168c419fe0c32255bd9accd1a1734053b5186f5d18ae32 iv=0000000000000000
SHA1_HMAC=c1dee7b41d287cb89a6e1ab3e0cb68b48dcdaf9d
otdb[1]:mtu=1434, cur_bytes=110464, cur_packets=1726, spi=909ea428, replay=64
3DES=f91008661b624754af54d579262b15fcd36474f010e2e0f1 iv=94bcd063f7c52a1e
SHA1_HMAC=0d5aedeae263178811ffb69e7dc48adf1d513a8c

FG400B # diag sys sess li
session info: proto=1 proto_state=00 expire=29 timeout=3600 use=3
bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 logtype=session
ha_id=0 hakey=5676
tunnel=/mytunnel
state=re may_dirty
statistic(bytes/packets): org=210960/3516 reply=210960/3516 tuples=2
orgin->sink: org pre->post, reply pre->post oif=2/3
gwy=192.168.1.200/64.114.95.254
hook=pre dir=org act=dnat 20.20.20.100:768->30.30.30.200:8(192.168.1.200:8)
hook=post dir=reply act=snat 192.168.1.200:8->20.20.20.100:0(30.30.30.200:768)
misc=0 domain_info=0 auth_info=0 cerb_info=0 ids=0 vd=0 serial=000000d7 tos=ff/ff
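The two session tables above show the full translation chain: Firewall1 source-NATs 192.168.1.100 into its natip subnet (20.20.20.100) before encryption, and Firewall2 destination-NATs 30.30.30.200 back to the real host 192.168.1.200, with the reply path mirrored. The following Python script is an added example, not part of the original article: it encodes the two VPN policies from the Network section, computes the 1:1 subnet mapping that natip applies, and checks the act=snat/act=dnat lines quoted from the session output against what each firewall's policy should produce.

```python
import ipaddress
import re

# The two VPN policies from this article: real local subnet, remote subnet as seen through the tunnel, natip subnet.
POLICIES = {
    "FG300": {"local": "192.168.1.0/24", "remote": "30.30.30.0/24", "natip": "20.20.20.0/24"},
    "FG400": {"local": "192.168.1.0/24", "remote": "20.20.20.0/24", "natip": "30.30.30.0/24"},
}

def translate(addr, from_net, to_net):
    """1:1 subnet NAT as natip does it: keep the host offset, swap the network part."""
    src, dst = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    ip = ipaddress.ip_address(addr)
    if ip not in src or src.prefixlen != dst.prefixlen:
        raise ValueError(f"{addr} not in {from_net}, or prefix lengths differ")
    return str(dst.network_address + (int(ip) - int(src.network_address)))

def path(src_host, dst_mapped):
    """PC1 -> PC2: FG300 SNATs the source into its natip before encrypting, FG400
    DNATs the natip destination back to the real host. Returns (wire src, real dst)."""
    wire_src = translate(src_host, POLICIES["FG300"]["local"], POLICIES["FG300"]["natip"])
    real_dst = translate(dst_mapped, POLICIES["FG400"]["natip"], POLICIES["FG400"]["local"])
    return wire_src, real_dst

# act=snat|dnat <src>:<port>-><dst>:<port>(<mapped>:<port>) as printed by 'diag sys sess list'
NAT_RE = re.compile(r"act=(snat|dnat)\s*(\S+?):\d+->(\S+?):\d+\((\S+?):\d+\)")

def check_session_line(line, fw):
    """True if the mapped address matches what fw's policy should produce, False if
    it does not, None if the line carries no NAT action."""
    m = NAT_RE.search(line)
    if not m:
        return None
    act, src, dst, mapped = m.groups()
    p = POLICIES[fw]
    if act == "snat":  # outbound: real local source rewritten into the natip subnet
        expected = translate(src, p["local"], p["natip"])
    else:              # inbound: natip destination rewritten to the real local host
        expected = translate(dst, p["natip"], p["local"])
    return mapped == expected

# Session-table lines quoted from the verification output in this article.
FG300_LINES = [
    "hook=post dir=org act=snat 192.168.1.100:768->30.30.30.200:8(20.20.20.100:768)",
    "hook=pre dir=reply act=dnat 30.30.30.200:768->20.20.20.100:0(192.168.1.100:768)",
]
FG400_LINES = [
    "hook=pre dir=org act=dnat 20.20.20.100:768->30.30.30.200:8(192.168.1.200:8)",
    "hook=post dir=reply act=snat 192.168.1.200:8->20.20.20.100:0(30.30.30.200:768)",
]
```

A False from check_session_line means the session table is not applying the mapping the policy intends (for example a natip that does not match the remote side's vpn-remote address), which is the first thing to compare before enabling IKE debugging.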
Troubleshooting
# diag deb enabl        <--- Enable debug output on the remote console.
# diag deb app ike      <--- Display IPSec IKE negotiations.
# diag sniff packets    <--- Display packets coming in and out on interfaces.