It’s fairly common for two enterprises to temporarily connect their private networks to each other for business purposes. It’s actually pretty easy to do, especially when the main purpose of the connection is for one side to access resources on the other.
Over the past weeks, however, we struggled a bit to get a Fortinet firewall to bring up a site-to-site IPsec VPN, because in this case we wanted to NAT all traffic destined for the remote network so that it appears to come from a single valid address (the remote side only accepts traffic from that address, not from our internal subnet).
All knowledge base articles we could find only showed NATing the internal addresses themselves. Ultimately, the fix was to run the following lines from the Fortinet CLI. Interestingly, no static or policy routes need to be added to the firewall: this is a policy-based VPN (a firewall policy with action ipsec), so traffic is pushed into the tunnel by policy match rather than by routing, unlike a route-based (interface-mode) tunnel.
    config vpn ipsec phase1
        edit "Phase 1 VPN Name"
            set interface *firewall external WAN interface, e.g. wan1*
            set nattraversal enable
            set proposal aes-md5 *must match the proposal configured on the opposite end; FortiOS proposal names include the AES key length (aes128-, aes256-) and MD5 is deprecated, so prefer something like aes256-sha256 where the peer supports it*
            set psksecret *agreed pre-shared key*
            set remote-gw *IP address of the remote device*
        next
    end

    config vpn ipsec phase2
        edit "Phase 2 VPN Name"
            set keepalive enable
            set pfs enable
            set phase1name "Phase 1 VPN Name"
            set proposal aes-md5 *must match the opposite end, same caveat as phase 1*
            set replay enable
            set use-natip disable
        next
    end

    config firewall policy
        edit 9
            set srcintf internal *firewall internal LAN interface*
            set dstintf wan1 *firewall external WAN interface*
            set srcaddr "Internal Range" *address group for the internal subnet that needs to traverse the VPN*
            set dstaddr "VPN Destination Subnets" *address group of the subnets on the remote VPN side*
            set action ipsec *encrypts matching traffic into the VPN tunnel*
            set schedule always
            set service ANY *can be restricted to specific services*
            set natip X.X.X.X 255.255.255.255 *replace X.X.X.X with the valid address the remote side expects*
            set inbound enable
            set outbound enable
            set natoutbound enable *source-NAT outbound traffic to natip before it enters the tunnel*
            set vpntunnel "Phase 1 VPN Name"
        next
    end
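As an added example (not part of the original post), here is the same policy-based tunnel with the crypto settings a practitioner would choose today: AES-256 with SHA-256 integrity and DH group 14 for both IKE and the phase 2 SAs, PFS on, and a long random pre-shared key. Interface names, the remote gateway, the NAT address and the "Internal Range" / "VPN Destination Subnets" address groups are placeholders assumed to exist on your firewall, exactly as in the original configuration; the peer must be configured with the same proposals or phase 1 will never complete.

```text
config vpn ipsec phase1
    edit "Phase 1 VPN Name"
        set interface "wan1"
        set nattraversal enable
        set dhgrp 14
        set proposal aes256-sha256
        set keylife 28800
        set psksecret "<long random pre-shared key, identical on both peers>"
        set remote-gw <remote gateway IP>
    next
end

config vpn ipsec phase2
    edit "Phase 2 VPN Name"
        set phase1name "Phase 1 VPN Name"
        set pfs enable
        set dhgrp 14
        set proposal aes256-sha256
        set keylife-type seconds
        set keylifeseconds 3600
        set replay enable
        set keepalive enable
        set use-natip disable
    next
end

config firewall policy
    edit 9
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Internal Range"
        set dstaddr "VPN Destination Subnets"
        set action ipsec
        set schedule always
        set service "HTTPS" "SSH"
        set natip <valid NAT address> 255.255.255.255
        set inbound enable
        set outbound enable
        set natoutbound enable
        set vpntunnel "Phase 1 VPN Name"
        set logtraffic all
    next
end
```

Restricting service to what the partner actually needs (HTTPS and SSH are placeholders) and logging the policy keeps the tunnel from becoming an unfiltered bridge between the two networks. To confirm the tunnel is up and that traffic really leaves with the NAT address, use diagnose vpn tunnel list on the FortiGate and watch the encrypted side with diagnose sniffer packet wan1 'host <remote gateway IP>' while a host in "Internal Range" connects to the remote subnet.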
We hope this helps you!