IPsec VPN with Public IP Subnet’s on a FortiGate

June 23rd, 20152 min read
Share to Twitter
Share to Facebook
Share to Linkedin
Share to Pocket
Copy URL address

I recently came across a requirement where I had to create a site-to-site IPsec VPN, this is usually not an issue, set your Phase 1 and Phase 2 settings, apply your policies and you are good to go, but the difference this time was those local and remote subnets were Public IP addresses.\ The Public IP address our side was also being used as a VIP

Below I will document the steps in getting this working – the issue I had was where I put my policies, and not enabling NAT on the outgoing policy!

#Create your IPsec tunnel;

FortiGate GUI > VPN > IPsec > Tunnels > Create New

  • Set your name and chose your template. I used “Custom VPN Tunnel (No Template)”

  • Fill in your Phase1 settings

  • Fill in your Phase2 settings;

    • Local Subnet – this will be your Public IP/Range
    • Remote Subnet – this will be their Public IP/Range

  • Press OK to create the tunnel

#Add in your new route;

FortiGate GUI > Router > Static Routes > Create New

  • Destination IP/Mask – this will be the Remote Subnet you entered for your Phase2
  • Device – this will be the tunnel you have just created
  • Change any of the other settings if you need to
  • OK to add the new route

#Create an IP Pool;

FortiGate GUI > Policy & Objects > Objects > IP Pools > Create New

  • Add a name and comments if required, and set the type (I am using Overload)
  • External IP Range = the range you set for Local Subnet
  • Ok to create the IP Pool

#Create your policies;

FortiGate GUI > Policy & Objects > Policy > IPv4 > Create New

Outgoing

  • Incoming Interface = The internal interface where your server exists
  • Source Address = An object with the internal IP address of your server
  • Outgoing Interface = The tunnel you just made
  • Destination Address = An object with the remote Public IP range
  • Apply any Schedules and Service restrictions and Action = Accept

You now need to enable NAT, this is the bit I missed at first;

  • NAT = On
  • Use Dynamic IP Pool = Select the pool you made in the previous step
  • Add any other settings and then OK to create your first policy

Incoming

  • Create the second policy for Tunnel to Internal
  • Incoming Interface = The tunnel you just made
  • Source Address = An object with the remote Public IP range
  • Outgoing Interface = The internal interface where your server exists
  • Destination Address = The VIP that belongs to the internal server (same as the IP Pool address)
  • Apply any Schedules and Service restrictions and Action = Accept

On this policy you do not need NAT

  • NAT = Off
  • Add any other settings and then OK to create your first policy

Check to see if your Tunnel is Up and try sending some traffic down it\ FortiGate GUI > VPN > Monitor > IPsec Monitor

outgoing

incoming

development
Share to Twitter
Share to Facebook
Share to Linkedin
Share to Pocket
Copy URL address
FortiManager Disable SSLv3
Disable SSLv3 on FortiGate GUI and SSL VPN
Written by

Sam Perrin@samperrin

Automation Consultant, currently working at Xtravirt. Interested in all things automation/devops related.

Related Posts

Tanzu Community Edition - Azure Cluster

This post runs through the deployment of Tanzu Community Edition onto Azure - we will look at creating a Management Cluster, a Workload Cluster and the deployment of a demo application.

developmentkubernetes

February 10th, 20224 min read

Tanzu Community Edition - Tips and Concepts

Tanzu Community Edition is a full-featured, easy to manage Kubernetes platform, this post covers some tips and concepts for TCE.

kubernetesdevelopmentvmware

February 2nd, 20222 min read

Custom Naming in vRA8

vRealize Automation 8 provides various levels and methods of applying custom naming to deployed virtual machine resources. This article explores these options.

automationdevelopmentvravmware

July 14th, 20213 min read