Fortigate IPSEC VPN Issue

vpn ipsec site-to-site-vpn fortinet fortigate

12,761

It seems you've run into the conundrum of bad Fortinet jargon. You want to NAT the source IP of IPsec packets? Oh... that'll be the Local Gateway Address.

Jokes aside, it seems that your config is good, except for that darn IPsec NAT setting.

Given:

Internal src address => IPsec packets (qualified by src/dst) ~~ NATed to a public IP => ISP router

You must use the Local Gateway Address in the Phase 1 config as the NATed to (global) address.

Remember to bind this IP to the interface, or else you won't get packets destined for the IP to the interface (duh!).

config system settings 
set allow-subnet-overlap enable #if applicable
end
config system interface
edit [interface name]
set secondary-IP
end

I wrote a blog about it... Wanna hear it? Here it go: http://mbrownnyc.wordpress.com/2011/11/11/fortigate-vpn-problems-tell-your-fortigate-what-to-do/

12,761

natediggs

Updated on September 18, 2022

Comments

natediggs almost 2 years
Have a challenging question here.

We have a Fortigate 620B which we're trying to use to route some traffic over a VPN tunnel to a customer.

We want the traffic to go out of our interface with one of our public IPs (we have it set to NAT the address using a specific public IP address) to a public IP on the client end.

I've got a configuration that I believe SHOULD work except the traffic as it hits the link says that it's coming from our internal IP address (192.168.X.X) instead of the public IP address (x.x.x.x).

The error we get in the logs:
```
id=13 trace_id=368 msg="vd-root received a packet(proto=6, 192.168.XX.XX:50470->XX.XX.183.94:443) from port8. flag [S], seq 342573222, ack 0, win 8192"
id=13 trace_id=368 msg="Find an existing session, id-0a2bb411, original direction"
id=13 trace_id=368 msg="enter IPsec interface-XXX_P2P"
id=13 trace_id=368 msg="No matching IPsec selector, drop"
```
It drops the packet because the quick mode selector on the VPN is set to use our public IP instead of our private IP.

The challenge here is that us and our client use the same private IP space so we have to NAT both end of the traffic.

To get around that I have one Phase 1 proposal and two Phase 2 Proposals.

The routing rules work because the static route guides the packet to the VPN interface and the policy rules work but for some reason the NAT isn't working properly.

I'm happy to provide any information I can to help troubleshoot.