IPSec set up IPSec
Auto Routing Filter    Local endpoint (Site A)    Remote endpoint (Site B)
Service                Any                        Any
Routing Policy         IPSec_WAN1                 IPSec_WAN1
Fail-Over Policy       NO-ACTION                  NO-ACTION
The IPSec Phase 2 Quick Mode selector controls which traffic (the source, destination and service of packets) the IPSec
tunnel is available to. Before a packet reaches the selector, the Auto Routing filter must direct it to the correct WAN
link (Routing Policy). Make sure the Auto Routing filter and the Phase 2 Quick Mode selector specify the same Source,
Destination and Service. For details on Auto Routing, see "Auto Routing". Although Auto Routing provides a fail-over
policy that redirects packets to another WAN link when a failure occurs, it cannot provide fail-over for IPSec Tunnel
mode, because the same Quick Mode selector cannot be applied to different IPSec SAs.
Define NAT policies for IKE negotiation and IPSec communication packets
The NAT default rules translate the source addresses of packets that come from the private subnet (LAN) behind FortiWAN
after Auto Routing has determined a WAN link for them. In IPSec VPN Tunnel mode, the communication packets usually
come from the LAN subnet of FortiWAN and are evaluated against the NAT rules before the Phase 2 Quick Mode selector. If
the source address of an IPSec packet is translated by NAT, the packet no longer matches the Quick Mode selector and
the IPSec communication fails.
For IKE negotiation packets
IKE negotiation packets are generated on FortiWAN's localhost. The source of an IKE packet is the Local IP (the IP
address on the WAN port) of Phase 1, which is not translated by NAT. Therefore, a NAT policy is not required for IKE
negotiation.
For IPSec communication packets
By default, all packets are processed by NAT once Auto Routing has determined a WAN link for them. However, IPSec VPN
communication fails if the source IP addresses of the packets are translated (they then mismatch the Quick Mode
selectors). To disable NAT for these packets:
1. Go to Service > NAT.
2. From the WAN drop-down menu, select the WAN link used as the local interface of the IPsec VPN tunnel.
3. Add a rule to NAT Rules that disables NAT translation for the packets matching the definition of the Quick Mode selector:
NAT Rule       Local endpoint (Site A)          Remote endpoint (Site B)
When           All-Time                         All-Time
Source         192.168.10.0/255.255.255.0       192.168.100.0/255.255.255.0
Destination    192.168.100.0/255.255.255.0      192.168.10.0/255.255.255.0
Service        Any                              Any
Translated     No NAT                           No NAT
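The ordering problem described above (NAT is evaluated before the Quick Mode selector, so a translated source address can never match it) can be checked offline. The following Python model is an added example, not FortiWAN code; it uses the Site A subnets from the table, assumes first-match NAT rule evaluation, and uses a constructed placeholder WAN address for the default translation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Selector:
    """Source/destination/service triple, as used by the Auto Routing filter,
    the Phase 2 Quick Mode selector and the No-NAT rule on this page."""
    src: str          # netmask notation from the page is accepted, e.g. 192.168.10.0/255.255.255.0
    dst: str
    service: str = "Any"

    def matches(self, src_ip: str, dst_ip: str, service: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.service in ("Any", service))


@dataclass(frozen=True)
class NatRule:
    match: Selector
    translated: Optional[str]   # None means "No NAT"; otherwise the WAN IP written as the new source


def apply_nat(rules, src_ip: str, dst_ip: str, service: str) -> str:
    """First-match evaluation (an assumption of this model): the first rule whose
    selector matches decides the post-NAT source address; no match leaves it unchanged."""
    for rule in rules:
        if rule.match.matches(src_ip, dst_ip, service):
            return src_ip if rule.translated is None else rule.translated
    return src_ip


def tunnel_eligible(qm_selector: Selector, nat_rules, src_ip: str, dst_ip: str, service: str = "Any"):
    """Run a LAN packet through NAT first, then test the post-NAT packet against the
    Quick Mode selector, mirroring the order the page describes. Returns (matched, post_nat_src)."""
    post_nat_src = apply_nat(nat_rules, src_ip, dst_ip, service)
    return qm_selector.matches(post_nat_src, dst_ip, service), post_nat_src


def filters_consistent(auto_routing: Selector, qm_selector: Selector) -> bool:
    """The page's requirement that Auto Routing filter and Quick Mode selector agree on all three fields."""
    return auto_routing == qm_selector


# Site A values taken from the page's tables; the WAN address is a constructed placeholder.
SITE_A = Selector("192.168.10.0/255.255.255.0", "192.168.100.0/255.255.255.0")
WAN1_IP = "203.0.113.10"
DEFAULT_NAT = NatRule(Selector("0.0.0.0/0", "0.0.0.0/0"), WAN1_IP)   # translate everything to WAN1
NO_NAT_RULE = NatRule(SITE_A, None)                                  # the rule the page tells you to add
```

With only the default rule the Site A packet leaves with the WAN address and fails the selector; placing the No-NAT rule ahead of it keeps the LAN source and the selector matches, while traffic to other destinations is still translated.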
FortiWAN Handbook
Fortinet Technologies Inc.