Using the backhaul IP when the FortiGate access controller is behind NAT
When the FortiGate LAN extension controller is behind a NAT device, remote thin edge FortiExtenders must connect to the FortiGate through a backhaul address. This is an address on the upstream NAT device that forwards traffic to the FortiGate. It can be configured as an IP or FQDN in the FortiGate extender profile.
When the default IKE port 500 is inaccessible, you can configure a custom IKE port on the FortiExtender and the FortiGate.
This topic contains four configuration examples:
- Configuring an IP as a backhaul address in the FortiGate extender profile
- Configuring an FQDN as a backhaul address in the FortiGate extender profile
- Configuring the IKE port on FortiExtender when NAT traversal is enabled in the FortiGate IPsec tunnel settings
- Configuring the IKE port on FortiExtender when NAT traversal is disabled in the FortiGate IPsec tunnel settings
Examples
The following topology is used for the first three examples and assumes that the FortiExtender has already been discovered (see Introduce LAN extension mode for FortiExtender for more information).
Configuring an IP as a backhaul address in the FortiGate extender profile
To configure an IP as a backhaul address in the GUI:
- Edit the LAN extension profile:
    - Go to Network > FortiExtenders, select the Profiles tab, and edit the default LAN extension profile (FX211E-lanext-default).
    - In the LAN extension section, set the IPsec interface IP/FQDN to 10.10.10.3.
    - Click OK.
- Authorize the FortiExtender:
    - Go to Network > FortiExtenders, select the Managed FortiExtenders tab, and edit the discovered FortiExtender.
    - In the Status section, enable Authorized.
    - Click OK.
In FortiExtender, the VPN Tunnels page displays the IPsec tunnel le-uplink-wan as up. The Remote Gateway is set to 10.10.10.3.
To configure an IP as a backhaul address in the CLI:
- Configure the backhaul IP address:
    config extension-controller extender-profile
        edit "FX211E-lanext-default"
            set id 1
            set model FX211E
            set extension lan-extension
            config cellular
                config sms-notification
                end
                config modem1
                end
            end
            config lan-extension
                set ipsec-tunnel "fext-ipsec-bwyt"
                set backhaul-interface "port1"
                set backhaul-ip "10.10.10.3"
                config backhaul
                    edit "1"
                        set port wan
                        set role primary
                    next
                    edit "2"
                        set port lte1
                        set role secondary
                    next
                end
            end
        next
    end
- Verify the configuration in FortiExtender:
    config vpn ipsec phase1-interface
        edit le-uplink-wan
            set ike-version 2
            set keylife 86400
            set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
            set dhgrp 14 5
            set interface wan
            set type static
            set remote-gw 10.10.10.3
            set authmethod psk
            set psksecret ************
            set localid peerid-SIbiT5AnbTo2tk0pZttfxzh1CFihu9tP7EBsKniCpRTeXnb4mUi6MmXX
            set peerid localid-33rR5UQbwq705X95TyKfQOh7GtDbMfAjX4jz6Vsm0Au8gibcCsZkO9t
            set add-gw-route enable
            set dev-id-notification disable
        next
    end
Configuring an FQDN as a backhaul address in the FortiGate extender profile
To configure an FQDN as a backhaul address in the GUI:
- Edit the LAN extension profile:
    - Go to Network > FortiExtenders, select the Profiles tab, and edit the default LAN extension profile (FX211E-lanext-default).
    - In the LAN extension section, set the IPsec interface IP/FQDN to fgt3200d.qatest.com.
    - Click OK.
- Authorize the FortiExtender:
    - Go to Network > FortiExtenders, select the Managed FortiExtenders tab, and edit the discovered FortiExtender.
    - In the Status section, enable Authorized.
    - Click OK.
In FortiExtender, the VPN Tunnels page displays the IPsec tunnel le-uplink-wan as up. The Remote Gateway is set to fgt3200d.qatest.com.
To configure an FQDN as a backhaul address in the CLI:
- Configure the FQDN as the backhaul address:
    config extension-controller extender-profile
        edit "FX211E-lanext-default"
            set id 1
            set model FX211E
            set extension lan-extension
            config cellular
                config sms-notification
                end
                config modem1
                end
            end
            config lan-extension
                set ipsec-tunnel "fext-ipsec-bwyt"
                set backhaul-interface "port1"
                set backhaul-ip "fgt3200d.qatest.com"
                config backhaul
                    edit "1"
                        set port wan
                        set role primary
                    next
                    edit "2"
                        set port lte1
                        set role secondary
                    next
                end
            end
        next
    end
- Verify the configuration in FortiExtender:
    config vpn ipsec phase1-interface
        edit le-uplink-wan
            set ike-version 2
            set keylife 86400
            set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
            set dhgrp 14 5
            set interface wan
            set type ddns
            set remotegw-ddns fgt3200d.qatest.com
            set authmethod psk
            set psksecret ************
            set localid peerid-SIbiT5AnbTo2tk0pZttfxzh1CFihu9tP7EBsKniCpRTeXnb4mUi6MmXX
            set peerid localid-33rR5UQbwq705X95TyKfQOh7GtDbMfAjX4jz6Vsm0Au8gibcCsZkO9t
            set add-gw-route enable
            set dev-id-notification disable
        next
    end
Configuring the IKE port on the FortiExtender when NAT traversal is enabled in the FortiGate IPsec tunnel settings
To configure the IKE port on FortiExtender when NAT traversal is enabled:
- Set the IKE port on the FortiGate:
    config system settings
        set ike-port 6000
    end
- Set the IKE port on the FortiExtender:
    config system settings
        set ike-port 6000
    end
- Start a packet capture on the FG-200E's port11 with the filter set to UDP protocol and port 4500 or 6000.
- Terminate the IPsec VPN tunnel in FortiExtender:
    ~ # swanctl -t -i le-uplink-wan
    [IKE] deleting IKE_SA le-uplink-wan[5] between 10.10.10.2[peerid-SIbiT5AnbTo2tk0pZttfxzh1CFihu9tP7EBsKniCpRTeXnb4mUi6MmXX]...10.10.10.3[localid-33rR5UQbwq705X95TyKfQOh7GtDbMfAjX4jz6Vsm0Au8gibcCsZkO9t]
    [IKE] sending DELETE for IKE_SA le-uplink-wan[5]
    [ENC] generating INFORMATIONAL request 2 [ D ]
    [NET] sending packet: from 10.10.10.2[4500] to 10.10.10.3[6000] (80 bytes)
    [NET] received packet: from 10.10.10.3[6000] to 10.10.10.2[4500] (80 bytes)
    [ENC] parsed INFORMATIONAL response 2 [ ]
    [IKE] IKE_SA deleted
    terminate completed successfully
- Verify the packet capture on the FG-200E. During the tunnel setup, the first packet from the FortiExtender has the source port set to 6000, but it then changes to 4500, because the FortiExtender only supports port 4500 when NAT traversal is enabled:
    # diagnose sniffer packet port11 'udp and port 4500 or port 6000' 4
    interfaces=[port11]
    filters=[udp and port 4500 or port 6000]
    ...
    24.064847 port11 -- 10.10.10.2.6000 -> 10.10.10.3.6000: udp 936
    24.065929 port11 -- 10.10.10.3.6000 -> 10.10.10.2.6000: udp 428
    24.119178 port11 -- 10.10.10.2.4500 -> 10.10.10.3.6000: udp 612
    24.120272 port11 -- 10.10.10.3.6000 -> 10.10.10.2.4500: udp 276
- Verify the IPsec tunnel status on the FortiExtender to confirm that port 4500 is used:
    ~ # swanctl -l
    le-uplink-wan: #3, ESTABLISHED, IKEv2, 1fbb2997d6a5afc7_i* 5d500758882339f4_r
      local  'peerid-SIbiT5AnbTo2tk0pZttfxzh1CFihu9tP7EBsKniCpRTeXnb4mUi6MmXX' @ 10.10.10.2[4500]
      remote 'localid-33rR5UQbwq705X95TyKfQOh7GtDbMfAjX4jz6Vsm0Au8gibcCsZkO9t' @ 10.10.10.3[6000]
      AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      established 90s ago, rekeying in 85289s
      le-uplink-wan: #3, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
        installed 90s ago, rekeying in 38952s, expires in 47430s
        in  c3406a5a (0x00000005),   1512 bytes,    18 packets,     2s ago
        out 7d17257c (0x00000005),   8000 bytes,    52 packets,     2s ago
        local  10.252.8.2/32
        remote 10.252.8.1/32
NAT traversal is enabled by default in the FortiGate IPsec tunnel settings, and it is not recommended to change the IPsec tunnel configuration even when there is a NAT device between the FortiExtender and the FortiGate access controller. With NAT traversal enabled, the IPsec tunnel always uses port 4500.
Configuring the IKE port on FortiExtender when NAT traversal is disabled in the FortiGate IPsec tunnel settings
NAT traversal is enabled by default in the FortiGate IPsec tunnel settings, and it cannot be changed in the GUI. If NAT traversal is disabled, the IPsec tunnel can use a custom IKE port (port 6300 in this example).
To configure the IKE port on FortiExtender when NAT traversal is disabled:
- Set the IKE port on the FortiGate:
    config system settings
        set ike-port 6300
    end
- Set the IKE port on the FortiExtender:
    config system settings
        set ike-port 6300
    end
- Verify the IPsec tunnel status on the FortiExtender to confirm that port 6300 is used:
    ~ # swanctl -l
    le-uplink-wan: #2, ESTABLISHED, IKEv2, 14a9fe5800b9d0b9_i* 9dd465f634ed9abd_r
      local  'peerid-aRuaScJBVVJ1DWKrrKcY8VcHF8Vg6cgLQkpEtdzDRpRTVvapxdeeJoiO' @ 10.10.10.2[6300]
      remote 'localid-dCcVF2kc5PWVuKbNvWEoBlm332ik5dz1jtRqxfaxxiH4G7y5wLDAPcN' @ 10.10.10.1[6300]
      AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      established 3606s ago, rekeying in 82066s
      le-uplink-wan: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
        installed 3606s ago, rekeying in 37205s, expires in 43914s
        in  c3ae8beb (0x00000003),  60564 bytes,   721 packets,     1s ago
        out d0d92a63 (0x00000003), 343410 bytes,  2365 packets,     1s ago
        local  10.252.8.2/32
        remote 10.252.8.1/32
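The two verification steps above (the sniffer capture in the NAT-traversal-enabled example and the swanctl -l output in both IKE-port examples) can be checked mechanically. The following is an added helper, not part of Fortinet's documentation or products: it parses the FortiGate diagnose sniffer packet line format and the strongSwan swanctl -l IKE_SA lines, reports which source ports the FortiExtender used towards the FortiGate, and flags the fallback to UDP 4500 that occurs when NAT traversal is enabled. The samples are constructed from the lines quoted on this page; the peer IDs in the swanctl sample are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of 'diagnose sniffer packet ... 4' (the four packets quoted above).
SNIFFER_SAMPLE = """\
24.064847 port11 -- 10.10.10.2.6000 -> 10.10.10.3.6000: udp 936
24.065929 port11 -- 10.10.10.3.6000 -> 10.10.10.2.6000: udp 428
24.119178 port11 -- 10.10.10.2.4500 -> 10.10.10.3.6000: udp 612
24.120272 port11 -- 10.10.10.3.6000 -> 10.10.10.2.4500: udp 276
"""
# Constructed 'swanctl -l' sample (NAT traversal disabled, IKE port 6300; peer IDs are placeholders).
SWANCTL_SAMPLE = """\
le-uplink-wan: #2, ESTABLISHED, IKEv2, 14a9fe5800b9d0b9_i* 9dd465f634ed9abd_r
  local  'peerid-PLACEHOLDER' @ 10.10.10.2[6300]
  remote 'localid-PLACEHOLDER' @ 10.10.10.1[6300]
"""
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
SNIFFER_RE = re.compile(
    rf"^\s*[\d.]+\s+\S+\s+--\s+(?P<src>{IPV4})\.(?P<sport>\d+)\s+->\s+"
    rf"(?P<dst>{IPV4})\.(?P<dport>\d+):\s+udp\s+\d+"
)
SWANCTL_RE = re.compile(rf"^\s*(local|remote)\s+'[^']*'\s+@\s+{IPV4}\[(\d+)\]")

def extender_source_ports(capture: str, extender_ip: str, fgt_ip: str) -> List[int]:
    # Source ports the extender used towards the FortiGate, in capture order,
    # with consecutive repeats collapsed so only port transitions remain.
    ports: List[int] = []
    for line in capture.splitlines():
        m = SNIFFER_RE.match(line)
        if m and m["src"] == extender_ip and m["dst"] == fgt_ip:
            sport = int(m["sport"])
            if not ports or ports[-1] != sport:
                ports.append(sport)
    return ports

def natt_fallback_to_4500(capture: str, extender_ip: str, fgt_ip: str, ike_port: int) -> bool:
    # True when IKE started on the custom port and then moved to UDP 4500, the
    # NAT-T behaviour this page shows for the NAT-traversal-enabled case.
    seq = extender_source_ports(capture, extender_ip, fgt_ip)
    return len(seq) >= 2 and seq[0] == ike_port and 4500 in seq[1:]

def ike_sa_ports(swanctl_output: str) -> Dict[str, int]:
    # Map 'local'/'remote' to the UDP port of each IKE_SA endpoint in 'swanctl -l'
    # output; with NAT traversal disabled both should equal the custom IKE port.
    ports: Dict[str, int] = {}
    for line in swanctl_output.splitlines():
        m = SWANCTL_RE.match(line)
        if m:
            ports[m[1]] = int(m[2])
    return ports
```

Feed the real capture and swanctl -l text into these functions to confirm the port behaviour described for each example.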