I have a situation where I have two Fortigates behind ISP devices that hand out private IPs (192.168.168.x) to each Fortigate on their WAN1 ports. Unfortunately I am unable to put the ISP devices into passthrough mode so the Fortigates can obtain a public IP. Is there a way I can still set up an IPsec tunnel between the two Fortigates? Will I have to port forward any protocols, and if so, which ones? Thanks.
If you can port forward, port forward 500 and 4500. It likely won’t let you forward ESP (IP proto 51) but 4500 will be sufficient for data transfer. Newer versions of FortiOS allow for negotiation to start on 4500 IIRC, otherwise 500 is needed as well for the first one or two packets until NAT-T is negotiated.
Otherwise you’ll need a third point of some sort. Do you have FGTs elsewhere you can utilize?
On the Fortigate's dashboard you can see the external IP assigned.
You can also try with DDNS…
OCVPN might be what you need.
NAT-T and port forwarding from the ISP devices.
If you can redirect udp/500 & udp/4500 on the router that hosts the public IP, you should be fine.
Would I need to forward both UDP and TCP on 500 and 4500? I actually do have other FGTs I could utilize… what do you have in mind?
Use DDNS instead of a public IP with port forwarding and NAT-T. I haven’t tried it, but this is my thinking; please give me your opinion.
Since it’s a private IP on both sides, any traffic directed to that WAN IP will not reach the FGT.
Yep, I know what the public IP addresses are, but those are assigned to the ISP equipment. Seems like NAT and port forwarding would be needed for the tunnel phases.
This seems like a viable option but the hub and spoke model won’t work with a free license and I’d like to test before paying for licensing.
I gave the OCVPN a try with a free license just to see if it would work. Does it take time for the tunnel to establish via the cloud? So far it’s been about 30 mins and the OCVPN tunnel is not yet up.
You only need UDP 500 and UDP 4500. You don’t need any TCP ports.
UDP port 4500 is used to encapsulate the IPsec ESP (IP proto 51) packets when they detect NAT-T (NAT traversal). They do it automatically.
UDP 500 and 4500. Apologies for not specifying.
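As an added example (not from any poster in this thread and not Fortinet's own documentation), here is what the port-forwarding answer above plus the DDNS suggestion look like as a FortiOS configuration for one of the two FortiGates. It assumes the ISP device in front of each FortiGate forwards UDP/500 and UDP/4500 to that FortiGate's wan1 address (192.168.168.x), that the far side is reachable by a DDNS hostname, and that both FortiGates carry a mirrored copy of this config. The hostname, pre-shared key, LAN subnets and interface name "internal" are constructed placeholders; "wan1" is from the question. ESP itself is IP protocol 50 and does not need to be forwarded, because once NAT-T is detected both peers wrap ESP inside UDP/4500.

```fortios
# Site A FortiGate, wan1 behind the ISP NAT. Site B mirrors this with the
# subnets and the DDNS name swapped. All hostnames, keys and subnets below
# are constructed placeholders for this example.

config vpn ipsec phase1-interface
    edit "to-site-b"
        # Peer is addressed by DDNS name because its public IP is dynamic
        # and belongs to the ISP device, not to the FortiGate.
        set type ddns
        set remotegw-ddns "site-b.example.net"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        # NAT-T: detect the ISP NAT and carry ESP inside UDP/4500.
        set nattraversal enable
        # NAT-T keepalive (seconds) so the ISP NAT mapping for UDP/4500
        # is not dropped while the tunnel is idle.
        set keepalive 10
        set dpd on-idle
        set psksecret "REPLACE-WITH-SHARED-SECRET"
    next
end

config vpn ipsec phase2-interface
    edit "to-site-b-p2"
        set phase1name "to-site-b"
        set proposal aes256-sha256
        set dhgrp 14
        # Bring the tunnel up without waiting for interesting traffic.
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

# Route the remote LAN into the tunnel interface.
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "to-site-b"
    next
end

# Policies in both directions between the local LAN and the tunnel.
config firewall policy
    edit 0
        set name "lan-to-site-b"
        set srcintf "internal"
        set dstintf "to-site-b"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "site-b-to-lan"
        set srcintf "to-site-b"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After both sides are configured, `diagnose vpn ike gateway list` shows whether IKE reached the peer and whether NAT-T was detected, and `diagnose vpn tunnel list` shows the phase 2 SAs; if the gateway never appears, the ISP device is not passing UDP/500 or UDP/4500 to wan1.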
If you have other places and will need tunnels to them, you might as well look into ADVPN. They implemented NAT hole punching for spoke-to-spoke dynamic tunnels to establish even if they’re both behind NAT.
That’s so wild. Have you spoken to the ISP about this?
Don’t rely on it, or don’t structure too hard with OCVPN… Might be some changes soon.
Contact a Forti sales rep. If you need to test for a legit need, they will normally issue 30-day trial licenses.
No it should happen pretty much right away.
To be honest I’ve never used it, only seen videos. Not going to be helpful with troubleshooting.
Yeah, unfortunately I’m hindered by budget. We could get the ISP to allow passthrough but it would up our monthly costs. Trying to figure out a no-cost solution for the moment. :-/
I have never heard of an ISP doing that before. That’s weird.