APAC_Beta_FTNT
Article Id 189575
Description
This article provides an example of configuring a FortiGate unit for uni-directional traffic with NAT IP via IPSec VPN.

This solution is useful when there are multiple devices/machines behind FortiGate unit "A" and the devices/machines behind FortiGate unit "B" should see only a single source IP address.

Solution
[Figure: NATed IP topology diagram (Client-110C -> IPSec VPN -> Server-110C)]

Assumptions:

1. Traffic flows only from Client -> Server, never in the reverse direction
2. All traffic originating from the Client is NATed to a single IP, 192.168.227.253/32
3. The IPSec VPN is set up in Tunnel Mode (Policy-based VPN)

Configurations On "Client-110C":

Firewall Address:
config firewall address
    edit "LAN"
        set subnet 10.126.0.0 255.255.255.0
    next
    edit "Remote"
        set subnet 10.142.0.0 255.255.255.0
    next
end

Firewall Policy:
config firewall policy
    edit 1
        set srcintf <Internal Interface>
        set dstintf <External Interface>
        set srcaddr "LAN"
        set dstaddr "Remote"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set natip 192.168.227.253 255.255.255.255  <--- This is the IP that all the outgoing traffic will be NATed to
        set inbound enable
        set outbound enable
        set natoutbound enable  <--- This is to NAT all the outgoing traffic to 192.168.227.253/32
        set vpntunnel "to-Server-110C"  <--- Must match the phase1 name configured below
    next
end

IPSec VPN Configuration:
Phase 1:
config vpn ipsec phase1
    edit "to-Server-110C"
        set interface <External Interface>
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 192.168.146.21
        set psksecret fortinet
    next
end

Phase 2:
config vpn ipsec phase2
    edit "to-Server-110C-p2"
        set pfs disable
        set phase1name "to-Server-110C"
        set proposal 3des-sha1 aes128-sha1
        set src-addr-type ip
        set use-natip disable  <--- Ensures that traffic entering the tunnel is not NATed to the IP of the External interface; this setting is enabled by default
        set dst-subnet 10.142.0.0 255.255.255.0
        set keylifeseconds 3600
        set src-start-ip 192.168.227.253  <--- This is important to ensure that the outbound traffic into the VPN tunnel is allowed. Otherwise, traffic will be dropped with an "IPSec Selector mismatch" error
    next
end

Configurations On "Server-110C":

Firewall Address:
config firewall address
    edit "LAN"
        set subnet 10.142.0.0 255.255.254.0
    next
    edit "NATed-IP"
        set subnet 192.168.227.253 255.255.255.255
    next
end


Firewall Policy:
config firewall policy
    edit 1
        set srcintf <Internal Interface>
        set dstintf <External Interface>
        set srcaddr "LAN"
        set dstaddr "NATed-IP"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "to-Client-110C"  <--- Must match the phase1 name configured below
    next
end

IPSec VPN Configuration:
Phase 1:
config vpn ipsec phase1
    edit "to-Client-110C"
        set interface <External Interface>
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 192.168.146.15
        set psksecret fortinet
    next
end

Phase 2:
config vpn ipsec phase2
    edit "to-Client-110C-p2"
        set dst-addr-type ip
        set pfs disable
        set phase1name "to-Client-110C"
        set proposal 3des-sha1 aes128-sha1
        set dst-start-ip 192.168.227.253 <--- this is important to ensure that the outbound traffic into the VPN tunnel is allowed. Otherwise, traffic will be dropped with an "IPSec Selector mismatch" error
        set keylifeseconds 3600
        set src-subnet 10.142.0.0 255.255.255.0
    next
end
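The selector comments above describe the one failure mode of this setup: if the client's phase2 src-start-ip, the server's phase2 dst-start-ip and the client's policy natip do not all agree, traffic is dropped with "IPSec Selector mismatch". The following Python script is an added example, not part of the article or of FortiOS; it parses constructed excerpts of the two configurations (using the article's values) with a minimal parser for flat config/edit/set blocks and reports each disagreement before the configuration is pushed.

```python
# Minimal parser for flat FortiOS "config / edit / set" blocks (no nested sub-tables).
def parse_fortios(text):
    tree, section, entry = {}, None, None
    for line in text.splitlines():
        words = [w.strip('"') for w in line.split()]
        if not words: continue                    # blank line, "next", "end" etc.
        if words[0] == "config":
            section = tree.setdefault(" ".join(words[1:]), {})
        elif words[0] == "edit":
            entry = section.setdefault(words[1], {})
        elif words[0] == "set":
            entry[words[1]] = " ".join(words[2:])
    return tree

def selector_problems(client_text, server_text):
    """Return the settings that would make traffic fail with 'IPSec Selector mismatch'."""
    c, s = parse_fortios(client_text), parse_fortios(server_text)
    policy = next(iter(c["firewall policy"].values()))
    cp2, sp2 = (next(iter(x["vpn ipsec phase2"].values())) for x in (c, s))
    natip = policy.get("natip", "").partition(" ")[0]   # host part of "ip mask"
    problems = []
    if cp2.get("use-natip", "enable") != "disable":      # FortiOS default is enable
        problems.append("client phase2: use-natip must be disable")
    if cp2.get("src-start-ip") != natip:
        problems.append("client phase2: src-start-ip must equal policy natip")
    if sp2.get("dst-start-ip") != natip:
        problems.append("server phase2: dst-start-ip must equal client natip")
    if cp2.get("dst-subnet") != sp2.get("src-subnet"):
        problems.append("phase2: client dst-subnet must equal server src-subnet")
    return problems

# Constructed excerpts using the article's values (not complete configurations).
CLIENT = """config firewall policy
    edit 1
        set natip 192.168.227.253 255.255.255.255
        set natoutbound enable
    next
end
config vpn ipsec phase2
    edit "to-Server-110C-p2"
        set use-natip disable
        set src-start-ip 192.168.227.253
        set dst-subnet 10.142.0.0 255.255.255.0
    next
end"""
SERVER = """config vpn ipsec phase2
    edit "to-Client-110C-p2"
        set dst-start-ip 192.168.227.253
        set src-subnet 10.142.0.0 255.255.255.0
    next
end"""
```

`selector_problems(CLIENT, SERVER)` returns an empty list for the article's values; change any one of the three addresses and the offending side is named.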
