A Fortinet Site/Site IPSec VPN from a Valid Address…

May 17th, 2012 by Scott DeLand | Filed under Firewall, IPSec VPN.

It’s fairly common for two enterprises to temporarily connect their private data networks to each other for business purposes. It’s usually easy to do, especially when the main purpose of the connection is for one side to access resources on the other.

However, over the past few weeks we struggled with a Fortinet firewall when setting up a site-to-site IPsec VPN, because in this case we wanted to NAT all traffic destined for the remote network so that it appeared to come from a single valid address (one the remote side will accept and route back to us) rather than from our private LAN range.

All the knowledge base articles we could find only showed NATing internal addresses. Ultimately, the fix was to run the following lines from the Fortinet CLI; text between asterisks is a note about what to enter, not something to type. Interestingly, no static or policy routes need to be added to the firewall: this is a policy-based VPN (the firewall policy has action ipsec and names the tunnel), so the policy itself steers matching traffic into the tunnel, whereas an interface-based VPN would need a route pointing at the tunnel interface. Two things to check before relying on it: the source NAT is applied before encryption, so the remote side must allow the natip address, not your internal range, as the source in its own phase 2 selectors and firewall policies; and aes-md5 appears below only because that is what the far end used at the time, so if you have any say, agree on a SHA-2 hash (for example aes256-sha256) on both ends.

config vpn ipsec phase1
    edit "Phase 1 VPN Name"
        set interface wan1 *firewall external WAN interface*
        set nattraversal enable
        set proposal aes-md5 *or whatever encryption is used on the opposite end; prefer a SHA-2 hash such as aes256-sha256 if you can*
        set psksecret *decided-upon pre-shared key; use a long random string*
        set remote-gw *IP address of the remote device*
    next
end
config vpn ipsec phase2
    edit "Phase 2 VPN Name"
        set keepalive enable
        set pfs enable
        set phase1name "Phase 1 VPN Name"
        set proposal aes-md5 *or whatever encryption is used on the opposite end*
        set replay enable
        set use-natip disable
    next
end
config firewall policy
    edit 9
        set srcintf internal *firewall internal LAN interface*
        set dstintf wan1 *firewall external WAN interface*
        set srcaddr "Internal Range" *address group for the internal subnet that needs to traverse the VPN*
        set dstaddr "VPN Destination Subnets" *address group of the subnets on the remote VPN side*
        set action ipsec *encrypts the matching traffic across the VPN tunnel*
        set schedule always
        set service ANY *can be specific, and should be where possible*
        set natip X.X.X.X 255.255.255.255 *replace X.X.X.X with the valid IP address; the /32 mask hides all traffic behind that one address*
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel "Phase 1 VPN Name"
    next
end
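As an added check that is not part of the original post or of any Fortinet tool, the following Python script parses the config/edit/set/next/end layout used above and lints the policy-based VPN for the mistakes that matter here: a natoutbound/natip pair where one half is missing, a vpntunnel that names no phase 1, a weak hash or cipher in either proposal, and a wide-open service. SAMPLE_CONFIG is constructed from the post's skeleton with documentation-range addresses (203.0.113.10, 198.51.100.5), the names "Site B" and "Site B P2", and a placeholder pre-shared key; HARDENED_CONFIG is the same skeleton with aes256-sha256 and a specific service, also constructed. None of those values come from the post.

```python
# Added example, not from the original post or Fortinet: parse the FortiOS CLI
# shape used above and lint a policy-based IPsec VPN that source-NATs traffic.
import shlex

WEAK_PROPOSAL_TOKENS = {"md5", "des", "3des"}  # should not appear in a proposal

SAMPLE_CONFIG = """
config vpn ipsec phase1
edit "Site B"
set interface wan1
set nattraversal enable
set proposal aes-md5
set psksecret "placeholder-psk"
set remote-gw 203.0.113.10
next
end
config vpn ipsec phase2
edit "Site B P2"
set keepalive enable
set pfs enable
set phase1name "Site B"
set proposal aes-md5
set replay enable
set use-natip disable
next
end
config firewall policy
edit 9
set srcintf internal
set dstintf wan1
set srcaddr "Internal Range"
set dstaddr "VPN Destination Subnets"
set action ipsec
set schedule always
set service ANY
set natip 198.51.100.5 255.255.255.255
set inbound enable
set outbound enable
set natoutbound enable
set vpntunnel "Site B"
next
end
"""

HARDENED_CONFIG = (SAMPLE_CONFIG.replace("aes-md5", "aes256-sha256")  # constructed
                   .replace("set service ANY", "set service HTTPS"))

def parse_fortios(text):
    """Flat config/edit/set/next/end -> {table: {entry: {attribute: value}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.split("*", 1)[0].strip()  # drop the post's *notes*
        if not line:
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            table = tables.setdefault(" ".join(args), {})
        elif cmd == "edit":
            entry = table.setdefault(args[0], {})
        elif cmd == "set":  # multi-token values (natip addr mask) stay one string
            entry[args[0]] = " ".join(args[1:])
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = None
    return tables

def weak_tokens(proposal):
    """FortiOS proposals are cipher-hash pairs joined by '-': 'aes-md5' -> {'md5'}."""
    return {t for t in proposal.lower().split("-") if t in WEAK_PROPOSAL_TOKENS}

def lint_vpn_nat(text):
    """Return findings (strings) for the policy-based VPN + source-NAT setup."""
    cfg = parse_fortios(text)
    findings = []
    for table in ("vpn ipsec phase1", "vpn ipsec phase2"):
        for name, ent in cfg.get(table, {}).items():
            for tok in sorted(weak_tokens(ent.get("proposal", ""))):
                findings.append(f"{table.split()[-1]} {name!r}: weak {tok} in proposal")
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action") != "ipsec":
            continue  # only policy-based VPN policies matter here
        if pol.get("vpntunnel") not in cfg.get("vpn ipsec phase1", {}):
            findings.append(f"policy {pid}: vpntunnel is not a defined phase1")
        nat_out = pol.get("natoutbound") == "enable"
        if nat_out and "natip" not in pol:
            findings.append(f"policy {pid}: natoutbound enabled but no natip set; "
                            "traffic will not leave from the intended valid address")
        if "natip" in pol and not nat_out:
            findings.append(f"policy {pid}: natip set but natoutbound disabled; no effect")
        if pol.get("service") == "ANY":
            findings.append(f"policy {pid}: service ANY; restrict it to what the partner needs")
    return findings

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_vpn_nat(cfg) or ["no findings"])
```

Run against the posted skeleton it reports the MD5 hash in both proposals and the ANY service; the hardened variant comes back clean. Paste a real `show vpn ipsec phase1`, `show vpn ipsec phase2` and `show firewall policy` export in place of SAMPLE_CONFIG to check a live box before the partner starts testing.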

We hope this helps you!
