Thursday, 5 October 2017

Fortigate Policy based IPSEC

How to NAT traffic over policy based IPSEC VPN

http://kb.fortinet.com/kb/viewContent.do?externalId=FD33638

Env:
PC >> HQ Fortigate 1000C >> IPSEC VPN >> Site 1 Fortigate 300C >> Some service

It has been one of those weeks where I've been scratching my head for a week trying to set up a new service on the corporate firewall.

At first glance it looks straightforward, but the traffic is supposed to exit on an interface different from the default Internet traffic interface.

Step 1
- Set up the VPN between the HQ and Site 1 and add the Phase 2 ranges
- Ensure that the policy has: #set inbound enable | #set outbound enable
Result: I could see the traffic from the Site 1 Fortigate entering the IPSEC VPN to the HQ FG.

diagnose debug disable
diagnose debug reset
diagnose debug flow show console enable
diagnose debug flow filter addr 10.10.10.10
diagnose debug flow trace start 100
diagnose debug console timestamp enable
diagnose debug enable

Step 2
- Now the issue here was that the interesting traffic from the VPN was being dropped by policy 0 (no match).
To get around this I created a new policy for all traffic coming from the remote destination to the Site 1 remote network and set it to use the IPSEC tunnel to the remote site that I set up earlier.
Traffic is allowed to be initiated from the remote end of the tunnel.
Now the crucial part here was to make sure that NAT is enabled for that particular policy:
#config firewall policy
#edit 1234
#set natinbound enable
#set outbound disable
#set natip 90.90.90.90 255.255.255.255 (the IP of the gateway that the traffic will be coming from, for the remote party)

... and that did the trick.
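As an added example (not from the original post), here is a small Python helper for triaging the kind of output the `diagnose debug flow trace` commands above produce: it groups lines by trace_id, pulls out the packet tuple, the policy verdict and any SNAT, and flags sessions dropped by the implicit policy 0, which was the symptom in Step 2. The sample lines are constructed in the assumed FortiGate message format and were not captured from the author's firewalls; the interface name site1-vpn and the 192.0.2.x addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the style of FortiGate "diagnose debug flow" output (assumed format,
# not captured from the author's firewalls). 10.10.10.10 is the filter address from the post,
# 90.90.90.90 the natip from the post; site1-vpn and 192.0.2.x are placeholders.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.10.10.10:51000->192.0.2.10:443) from site1-vpn. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.0.2.1 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.10.10.10:51001->192.0.2.10:443) from site1-vpn. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.0.2.1 via port2"
id=20085 trace_id=2 func=fw_forward_handler line=654 msg="Allowed by Policy-1234: SNAT"
id=20085 trace_id=2 func=__ip_session_run_tuple line=2701 msg="SNAT 10.10.10.10->90.90.90.90:51001"
"""

PKT_RE = re.compile(r"proto=(\d+), (\S+?)->(\S+?)\) from (\S+?)\.")
# Matches both "Denied by forward policy check (policy 0)" and "Allowed by Policy-1234: SNAT".
VERDICT_RE = re.compile(r'msg="(Denied|Allowed) by (?:forward policy check \(policy |Policy-)(\d+)\)?(?::\s*(\w+))?"')
SNAT_RE = re.compile(r'msg="SNAT (\S+)->(\S+)"')


def parse_debug_flow(text):
    """Group debug-flow lines by trace_id; record tuple, ingress interface, verdict, policy id, NAT."""
    flows = defaultdict(dict)
    for line in text.splitlines():
        tid = re.search(r"trace_id=(\d+)", line)
        if not tid:
            continue
        flow = flows[tid.group(1)]
        if pkt := PKT_RE.search(line):
            flow.update(proto=int(pkt.group(1)), src=pkt.group(2), dst=pkt.group(3), ingress=pkt.group(4))
        if v := VERDICT_RE.search(line):
            flow.update(verdict=v.group(1), policy=int(v.group(2)), nat=v.group(3))
        if s := SNAT_RE.search(line):
            flow["snat"] = s.group(2)  # translated source address:port after NAT
    return dict(flows)


def find_policy0_drops(flows):
    """trace_ids denied by implicit policy 0, i.e. no firewall policy matched the tunnel traffic."""
    return [tid for tid, f in flows.items() if f.get("verdict") == "Denied" and f.get("policy") == 0]


if __name__ == "__main__":
    parsed = parse_debug_flow(SAMPLE_FLOW)
    for tid, f in parsed.items():
        print(tid, f.get("src"), "->", f.get("dst"), "from", f.get("ingress"), f.get("verdict"), "policy", f.get("policy"), "snat", f.get("snat"))
    print("dropped by policy 0:", find_policy0_drops(parsed))
```

Run it against real output by replacing SAMPLE_FLOW with the console capture; a non-empty policy-0 list is the "no match" condition described in Step 2.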
