For IPSec communication packets
By default, all packets are processed by NAT once Auto Routing has determined a WAN link for them. However, IPSec VPN communication fails if the source IP address of the packets is translated, because the translated address no longer matches the Quick Mode selectors. To disable NAT for these packets:
1. Go to Service > NAT
- From the drop down menu WAN, select the WAN link used as the local interface of the IPsec VPN tunnel.
- Add a rule to NAT Rules to disable NAT translation for the packets that match the definition of the Quick Mode selector:
| NAT Rule | Local endpoint (Site A) | Remote endpoint (Site B) |
| --- | --- | --- |
| When | All-Time | All-Time |
| Source | 192.168.10.0/255.255.255.0 | 192.168.100.0/255.255.255.0 |
| Destination | 192.168.100.0/255.255.255.0 | 192.168.10.0/255.255.255.0 |
| Service | Any | Any |
| Translated | No NAT | No NAT |
Make sure the NAT rule and Phase 2 Quick Mode selector are equal on Source, Destination and Service. For the details of NAT, see “NAT”.
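As an added consistency check (not FortiWAN's own code), the following Python compares a "No NAT" rule against the Phase 2 Quick Mode selector on Source, Destination and Service, using the Site A and Site B values from the tables above plus one constructed, deliberately wrong rule; the `Selector` class and helper names are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass


def parse_subnet(text):
    """Parse FortiWAN's 'network/netmask' notation, e.g. '192.168.10.0/255.255.255.0'."""
    net, mask = text.split("/")
    return ipaddress.ip_network(f"{net}/{mask}", strict=True)


@dataclass(frozen=True)
class Selector:
    """One NAT rule or one Quick Mode selector (hypothetical model, not a FortiWAN API)."""
    source: str
    destination: str
    service: str = "Any"  # NAT 'Service' / Phase 2 'Protocol'


def selector_mismatches(nat_rule, quick_mode):
    """Return the fields on which the NAT rule and the Quick Mode selector differ."""
    problems = []
    for field in ("source", "destination"):
        if parse_subnet(getattr(nat_rule, field)) != parse_subnet(getattr(quick_mode, field)):
            problems.append(field)
    if nat_rule.service.lower() != quick_mode.service.lower():
        problems.append("service")
    return problems


def is_mirror(site_a, site_b):
    """The remote endpoint's selector must be the local one with source and destination swapped."""
    return (parse_subnet(site_a.source) == parse_subnet(site_b.destination)
            and parse_subnet(site_a.destination) == parse_subnet(site_b.source))


def packet_exempt(nat_rule, src_ip, dst_ip):
    """True when a packet from src_ip to dst_ip is matched by the 'No NAT' rule."""
    return (ipaddress.ip_address(src_ip) in parse_subnet(nat_rule.source)
            and ipaddress.ip_address(dst_ip) in parse_subnet(nat_rule.destination))


# Values taken from the NAT and Quick Mode tables on this page
SITE_A_NAT = Selector("192.168.10.0/255.255.255.0", "192.168.100.0/255.255.255.0")
SITE_A_QM = Selector("192.168.10.0/255.255.255.0", "192.168.100.0/255.255.255.0")
SITE_B_NAT = Selector("192.168.100.0/255.255.255.0", "192.168.10.0/255.255.255.0")
SITE_B_QM = Selector("192.168.100.0/255.255.255.0", "192.168.10.0/255.255.255.0")
# Constructed mistake: a /16 netmask typed on the NAT rule, wider than the Quick Mode selector
BAD_NAT = Selector("192.168.0.0/255.255.0.0", "192.168.100.0/255.255.255.0")

if __name__ == "__main__":
    for name, nat, qm in (("Site A", SITE_A_NAT, SITE_A_QM), ("Site B", SITE_B_NAT, SITE_B_QM)):
        print(name, "mismatches:", selector_mismatches(nat, qm))
    print("Site B mirrors Site A:", is_mirror(SITE_A_QM, SITE_B_QM))
    print("bad rule mismatches:", selector_mismatches(BAD_NAT, SITE_A_QM))
```

Run it after entering the rules on both units; any non-empty mismatch list means the NAT exemption and the Phase 2 selector disagree and the tunnel's traffic will be translated.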
Define IPSec parameters
Go to Service > IPSec
Add Phase 1 configurations for the IPSec tunnel mode VPN between site A’s WAN 1 (10.10.10.10) and site B’s WAN 1 (20.20.20.20). The other parameters are not listed here.
| Phase 1 | Local endpoint (Site A) | Remote endpoint (Site B) |
| --- | --- | --- |
| Name | WAN1_WAN1_Phase1 | WAN1_WAN1_Phase1 |
| Local IP | 10.10.10.10 | 20.20.20.20 |
| Remote IP | 20.20.20.20 | 10.10.10.10 |
Add Phase 2 configurations for the IPSec tunnel mode VPN between site A’s WAN 1 (10.10.10.10) and site B’s WAN 1 (20.20.20.20). The other parameters are not listed here.
| Phase 2 | Local endpoint (Site A) | Remote endpoint (Site B) |
| --- | --- | --- |
| Name | WAN1_WAN1_Phase2 | WAN1_WAN1_Phase2 |
| Quick Mode | | |
| Source | 192.168.10.0/255.255.255.0 | 192.168.100.0/255.255.255.0 |
| Source Port | Any | Any |
| Destination | 192.168.100.0/255.255.255.0 | 192.168.10.0/255.255.255.0 |
| Destination Port | Any | Any |
| Protocol | Any | Any |
For the details of IPSec configuration, see “IPSec VPN in the Web UI”.
Procedures to set up an IPSec Tunnel-mode VPN
To set up an IPSec Tunnel-mode VPN, we suggest following the steps below:
- Configure Network Settings on both units.
- Define the corresponding Auto Routing and NAT policies on both units.
- Configure the settings of IPSec Tunnel mode Phase 1 and Phase 2 on both units.
Define Auto Routing and Tunnel Routing policies for a Tunnel Routing over IPSec Transport mode VPN
As described previously, IPSec Transport mode provides secure data transmission without IP tunneling (IP encapsulation). However, IPSec Transport mode can protect FortiWAN’s Tunnel Routing, which gives a VPN application that is more secure (compared to the original TR) and more efficient for load balancing and fault tolerance (compared to the “IPsec Tunnel mode VPN”). Tunnel Routing distributes the encapsulated (GRE) packets over multiple tunnels (pairs of local WAN port and remote WAN port). With IPSec SAs established on these TR tunnels, GRE packets are protected (encrypted/decrypted) by the corresponding SA when they pass through a TR tunnel (the local and remote WAN ports). A Transport-mode IPSec SA is required for each of Tunnel Routing’s GRE tunnels to associate Tunnel Routing with IPSec.
Example topology for the following policies
IPSec Transport mode protects the communications between private networks behind two FortiWAN units through two TR tunnels. For this example topology, we need to have configurations of Network Setting, Auto Routing, IPSec and Tunnel Routing as follows:
Network Setting
Network Setting on the local side:
WAN settings
Go to System > Network Setting > WAN Setting

| WAN Setting | Local endpoint (Site A) | Local endpoint (Site A) | Remote endpoint (Site B) | Remote endpoint (Site B) |
| --- | --- | --- | --- | --- |
| WAN Link | 1 | 2 | 1 | 2 |
| WAN Type | Routing Mode | Routing Mode | Routing Mode | Routing Mode |
| WAN Port | Port1 | Port2 | Port1 | Port2 |
| IPv4 Localhost IP | 10.10.10.10 | 11.11.11.11 | 20.20.20.20 | 21.21.21.21 |
| IPv4 Netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| IPv4 Default Gateway | 10.10.10.254 | 11.11.11.254 | 20.20.20.254 | 21.21.21.254 |
For the details of WAN link setting, see “Configurations for a WAN link in Routing Mode”, “Configurations for a WAN link in Bridge Mode: One Static IP” and “Configurations for a WAN link in Bridge Mode: Multiple Static IP”.
LAN private subnets
Go to System > Network Setting > LAN Private Subnet

| LAN Private Subnet | Local endpoint (Site A) | Remote endpoint (Site B) |
| --- | --- | --- |
| IP(s) on Localhost | 192.168.10.254 | 192.168.100.254 |
| Netmask | 255.255.255.0 | 255.255.255.0 |
| LAN Port | Port3 | Port3 |
For the details of LAN private subnet setting, see “LAN Private Subnet”.