Id=20085 trace_id=239 func=ipsecdev_hard_start_xmit line=157 msg="enter IPsec interface-FW1-FW2_VPN" Id=20085 trace_id=239 func=fw_forward_handler line=697 msg="Allowed by Policy-8: SNAT" Now we are trying to accomplish the following project (see attached picture): From ISP1, the incoming HTTPS packets to FW1 should travel across the VPN to the server on the opposit site, called 'beta'. JVC receivers have always offered lots of great features at down-to-earth prices, and their slim RX-D206B is no exception. Id=20085 trace_id=239 func=vf_ip_route_input_common line=2586 msg="find a route: flag=00000000 gw-10.1.1.6 via FW1-FW2_VPN" DNAT over IPSec-VPN Tunnel Hi folks, we are using some Fortinet products since we find them great. Id=20085 trace_id=239 func=init_ip_session_common line=4944 msg="allocate a new session-004dba41" Is there a possibility to configure this behaviour in a correct way, since it is not running like expected. Using the internal debug flow function, we can log some "SNAT" records which belong to the DMZ IP-address (10.10.10.1).? Fortigate is using the wrong src-address. In the second case, using the same approach (with a "virtual IP" from the remote subnet) is not working. this will be like a "external failover" mechanism.
So, the packets should be "cross-routed".
What should work (DNAT crossing the VPN tunnel to the other side):Ĭlient connects from the Internet over the external IP 1.1.1.1, on port 8080 (HTTPS), and is DNAT to 192.168.1.2:8080 What works for now (DNAT without crossing the VPN tunnel):Ĭlient connects from the Internet over the external IP 1.1.1.1, on port 443 (HTTPS), and is DNAT to 192.168.0.2:443 So we have to DNAT incoming HTTPS packet from 1.1.1.1 to 192.168.1.2. Now we are trying to accomplish the following project (see attached picture):įrom ISP1, the incoming HTTPS packets to FW1 should travel across the VPN to the server on the opposit site, called "beta". We are using some Fortinet products since we find them great.