
Admin Guide (FGT-Managed)

Using the backhaul IP when the FortiGate access controller is behind NAT


When the FortiGate LAN extension controller is behind a NAT device, remote thin edge FortiExtenders must connect to the FortiGate through a backhaul address. This is an address on the upstream NAT device that forwards traffic to the FortiGate. It can be configured as an IP or FQDN in the FortiGate extender profile.

When the default IKE port 500 is inaccessible, you can configure a custom IKE port on the FortiExtender and the FortiGate.

This topic contains four configuration examples.

Examples

The following topology is used for the first three examples and assumes that the FortiExtender has already been discovered (see Introduce LAN extension mode for FortiExtender for more information).

Configuring an IP as a backhaul address in the FortiGate extender profile

To configure an IP as a backhaul address in the GUI:
  1. Edit the LAN extension profile:
    1. Go to Network > FortiExtenders, select the Profiles tab, and edit the default LAN extension profile (FX211E-lanext-default).
    2. In the LAN extension section, set the IPsec interface IP/FQDN to 10.10.10.3.

    3. Click OK.
  2. Authorize the FortiExtender:
    1. Go to Network > FortiExtenders, select the Managed FortiExtenders tab, and edit the discovered FortiExtender.
    2. In the Status section, enable Authorized.
    3. Click OK.

      In FortiExtender, the VPN Tunnels page displays the IPsec tunnel le-uplink-wan as up. The Remote Gateway is set to 10.10.10.3.

To configure an IP as a backhaul address in the CLI:
  1. Configure the backhaul IP address:
    config extension-controller extender-profile
        edit "FX211E-lanext-default"
            set id 1
            set model FX211E
            set extension lan-extension
            config cellular
                config sms-notification
                end
                config modem1
                end
            end
            config lan-extension
                set ipsec-tunnel "fext-ipsec-bwyt"
                set backhaul-interface "port1"
                set backhaul-ip "10.10.10.3"
                config backhaul
                    edit "1"
                        set port wan
                        set role primary
                    next
                    edit "2"
                        set port lte1
                        set role secondary
                    next
                end
            end
        next
    end
  2. Verify the configuration in FortiExtender:
    config vpn ipsec phase1-interface
        edit le-uplink-wan
            set ike-version 2
            set keylife 86400
            set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
            set dhgrp 14 5
            set interface wan
            set type static
            set remote-gw 10.10.10.3
            set authmethod psk
            set psksecret ************
            set localid peerid-SIbiT5AnbTo2tk0pZttfxzh1CFihu9tP7EBsKniCpRTeXnb4mUi6MmXX
            set peerid localid-33rR5UQbwq705X95TyKfQOh7GtDbMfAjX4jz6Vsm0Au8gibcCsZkO9t
            set add-gw-route enable
            set dev-id-notification disable
        next
    end

Configuring an FQDN as a backhaul address in the FortiGate extender profile

To configure an FQDN as a backhaul address in the GUI:
  1. Edit the LAN extension profile:
    1. Go to Network > FortiExtenders, select the Profiles tab, and edit the default LAN extension profile (FX211E-lanext-default).
    2. In the LAN extension section, set the IPsec interface IP/FQDN to fgt3200d.qatest.com.

    3. Click OK.
  2. Authorize the FortiExtender:
    1. Go to Network > FortiExtenders, select the Managed FortiExtenders tab, and edit the discovered FortiExtender.
    2. In the Status section, enable Authorized.
    3. Click OK.

      In FortiExtender, the VPN Tunnels page displays the IPsec tunnel le-uplink-wan as up. The Remote Gateway is set to fgt3200d.qatest.com.

To configure an FQDN as a backhaul address in the CLI:
  1. Configure the FQDN as the backhaul address:
    config extension-controller extender-profile
        edit "FX211E-lanext-default"
            set id 1
            set model FX211E
            set extension lan-extension
            config cellular
                config sms-notification
                end
                config modem1
                end
            end
            config lan-extension
                set ipsec-tunnel "fext-ipsec-bwyt"
                set backhaul-interface "port1"
                set backhaul-ip "fgt3200d.qatest.com"
                config backhaul
                    edit "1"
                        set port wan
                        set role primary
                    next
                    edit "2"
                        set port lte1
                        set role secondary
                    next
                end
            end
        next
    end
  2. Verify the configuration in FortiExtender:
    config vpn ipsec phase1-interface
        edit le-uplink-wan
            set ike-version 2
            set keylife 86400
            set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
            set dhgrp 14 5
            set interface wan
            set type ddns
            set remotegw-ddns fgt3200d.qatest.com
            set authmethod psk
            set psksecret ************
            set localid peerid-SIbiT5AnbTo2tk0pZttfxzh1CFihu9tP7EBsKniCpRTeXnb4mUi6MmXX
            set peerid localid-33rR5UQbwq705X95TyKfQOh7GtDbMfAjX4jz6Vsm0Au8gibcCsZkO9t
            set add-gw-route enable
            set dev-id-notification disable
        next
    end

Configuring the IKE port on the FortiExtender when NAT traversal is enabled in the FortiGate IPsec tunnel settings

To configure the IKE port on FortiExtender when NAT traversal is enabled:
  1. Set the IKE port on the FortiGate:
    config system settings
        set ike-port 6000
    end
  2. Set the IKE port on the FortiExtender:
    config system settings
        set ike-port 6000
    end
  3. Start a packet capture on the FG-200E's port11 with the filter set to UDP protocol and port 4500 or 6000.
  4. Terminate the IPsec VPN tunnel in FortiExtender:
    ~ # swanctl -t -i le-uplink-wan
    [IKE] deleting IKE_SA le-uplink-wan[5] between 10.10.10.2[peerid-SIbiT5AnbTo2tk0pZttfxzh1CFihu9tP7EBsKniCpRTeXnb4mUi6MmXX]...10.10.10.3[localid-33rR5UQbwq705X95TyKfQOh7GtDbMfAjX4jz6Vsm0Au8gibcCsZkO9t]
    [IKE] sending DELETE for IKE_SA le-uplink-wan[5]
    [ENC] generating INFORMATIONAL request 2 [ D ]
    [NET] sending packet: from 10.10.10.2[4500] to 10.10.10.3[6000] (80 bytes)
    [NET] received packet: from 10.10.10.3[6000] to 10.10.10.2[4500] (80 bytes)
    [ENC] parsed INFORMATIONAL response 2 [ ]
    [IKE] IKE_SA deleted
    terminate completed successfully
  5. Verify the packet capture on the FG-200E. During the tunnel setup, the first packet from the FortiExtender has the source port set to 6000, but the source port then changes to 4500. This is because FortiExtender only supports port 4500 when NAT traversal is enabled:
    # diagnose sniffer packet port11 'udp and port 4500 or port 6000' 4
    interfaces=[port11]
    filters=[udp and port 4500 or port 6000]
    ...
    24.064847 port11 -- 10.10.10.2.6000 -> 10.10.10.3.6000: udp 936
    24.065929 port11 -- 10.10.10.3.6000 -> 10.10.10.2.6000: udp 428
    
    24.119178 port11 -- 10.10.10.2.4500 -> 10.10.10.3.6000: udp 612
    24.120272 port11 -- 10.10.10.3.6000 -> 10.10.10.2.4500: udp 276
  6. Verify the IPsec tunnel status on the FortiExtender to confirm that port 4500 is used:
    ~ # swanctl -l
    le-uplink-wan: #3, ESTABLISHED, IKEv2, 1fbb2997d6a5afc7_i* 5d500758882339f4_r
      local  'peerid-SIbiT5AnbTo2tk0pZttfxzh1CFihu9tP7EBsKniCpRTeXnb4mUi6MmXX' @ 10.10.10.2[4500]
      remote 'localid-33rR5UQbwq705X95TyKfQOh7GtDbMfAjX4jz6Vsm0Au8gibcCsZkO9t' @ 10.10.10.3[6000]
      AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      established 90s ago, rekeying in 85289s
      le-uplink-wan: #3, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
        installed 90s ago, rekeying in 38952s, expires in 47430s
        in  c3406a5a (0x00000005),   1512 bytes,    18 packets,     2s ago
        out 7d17257c (0x00000005),   8000 bytes,    52 packets,     2s ago
        local  10.252.8.2/32
        remote 10.252.8.1/32
Note

NAT traversal is enabled by default in the FortiGate IPsec tunnel settings. Changing the IPsec tunnel configuration is not recommended, even when a NAT device sits between the FortiExtender and the FortiGate access controller. With NAT traversal enabled, the IPsec tunnel always uses port 4500.

Configuring the IKE port on FortiExtender when NAT traversal is disabled in the FortiGate IPsec tunnel settings

NAT traversal is enabled by default in the FortiGate IPsec tunnel settings and cannot be changed in the GUI. If NAT traversal is disabled, the IPsec tunnel can use a custom IKE port (port 6300 in this example).

To configure the IKE port on FortiExtender when NAT traversal is disabled:
  1. Set the IKE port on the FortiGate:
    config system settings
        set ike-port 6300
    end
  2. Set the IKE port on the FortiExtender:
    config system settings
        set ike-port 6300
    end
  3. Verify the IPsec tunnel status on the FortiExtender to confirm that port 6300 is used:
    ~ # swanctl -l
    le-uplink-wan: #2, ESTABLISHED, IKEv2, 14a9fe5800b9d0b9_i* 9dd465f634ed9abd_r
      local  'peerid-aRuaScJBVVJ1DWKrrKcY8VcHF8Vg6cgLQkpEtdzDRpRTVvapxdeeJoiO' @ 10.10.10.2[6300]
      remote 'localid-dCcVF2kc5PWVuKbNvWEoBlm332ik5dz1jtRqxfaxxiH4G7y5wLDAPcN' @ 10.10.10.1[6300]
      AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      established 3606s ago, rekeying in 82066s
      le-uplink-wan: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
        installed 3606s ago, rekeying in 37205s, expires in 43914s
        in  c3ae8beb (0x00000003),  60564 bytes,   721 packets,     1s ago
        out d0d92a63 (0x00000003), 343410 bytes,  2365 packets,     1s ago
        local  10.252.8.2/32
        remote 10.252.8.1/32
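The two swanctl listings above (port 4500 with NAT traversal enabled, port 6300 with it disabled) and the sniffer output in step 5 of the previous example are easy to misread by eye. The following script is an added example, not Fortinet code, that parses FortiGate `diagnose sniffer` lines and FortiExtender `swanctl -l` output and reports which state a tunnel is in: floated to port 4500 with UDP encapsulation (NAT traversal enabled) or pinned to the custom IKE port with plain tunnel mode (NAT traversal disabled). The sample captures, the shortened peer IDs and the function names are constructed for this example and mirror the outputs shown in this topic.

```python
"""Added example (not Fortinet's code): confirm which UDP port an IKEv2 tunnel
actually ended up on by parsing FortiGate `diagnose sniffer` output and
FortiExtender `swanctl -l` output."""
import re
from collections import OrderedDict

# Constructed sample: FortiGate sniffer lines from the NAT traversal enabled case.
SNIFFER_NATT_ENABLED = """\
24.064847 port11 -- 10.10.10.2.6000 -> 10.10.10.3.6000: udp 936
24.065929 port11 -- 10.10.10.3.6000 -> 10.10.10.2.6000: udp 428
24.119178 port11 -- 10.10.10.2.4500 -> 10.10.10.3.6000: udp 612
24.120272 port11 -- 10.10.10.3.6000 -> 10.10.10.2.4500: udp 276
"""

# Constructed samples: swanctl -l output with peer IDs shortened to placeholders.
SWANCTL_NATT_ENABLED = """\
le-uplink-wan: #3, ESTABLISHED, IKEv2, 1fbb2997d6a5afc7_i* 5d500758882339f4_r
  local  'peerid-EXAMPLE' @ 10.10.10.2[4500]
  remote 'localid-EXAMPLE' @ 10.10.10.3[6000]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 90s ago, rekeying in 85289s
  le-uplink-wan: #3, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 90s ago, rekeying in 38952s, expires in 47430s
    local  10.252.8.2/32
    remote 10.252.8.1/32
"""
SWANCTL_NATT_DISABLED = """\
le-uplink-wan: #2, ESTABLISHED, IKEv2, 14a9fe5800b9d0b9_i* 9dd465f634ed9abd_r
  local  'peerid-EXAMPLE' @ 10.10.10.2[6300]
  remote 'localid-EXAMPLE' @ 10.10.10.1[6300]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 3606s ago, rekeying in 82066s
  le-uplink-wan: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 3606s ago, rekeying in 37205s, expires in 43914s
    local  10.252.8.2/32
    remote 10.252.8.1/32
"""

SNIFFER_LINE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+\S+\s+--\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)")
# IKE_SA endpoint lines carry a quoted identity; CHILD_SA address lines do not.
ENDPOINT = re.compile(r"^\s*(local|remote)\s+'[^']*'\s+@\s+(\S+)\[(\d+)\]")
CHILD = re.compile(r"^\s*\S+: #\d+, reqid \d+, INSTALLED, (TUNNEL(?:-in-UDP)?|TRANSPORT(?:-in-UDP)?)")


def parse_sniffer(text):
    """Return (src, sport, dst, dport, length) for every UDP line in the capture."""
    packets = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line)
        if m:
            packets.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["len"])))
    return packets


def initiator_source_ports(packets, initiator):
    """Source ports the initiator used, in first-seen order, without duplicates."""
    ports = OrderedDict()
    for src, sport, _dst, _dport, _len in packets:
        if src == initiator:
            ports[sport] = None
    return list(ports)


def natt_port_float(packets, initiator, ike_port):
    """True when the initiator started on ike_port and then moved to 4500,
    the behaviour this topic shows for FortiExtender with NAT traversal enabled."""
    ports = initiator_source_ports(packets, initiator)
    return len(ports) >= 2 and ports[0] == ike_port and ports[1] == 4500


def parse_swanctl(text):
    """Extract IKE_SA state, endpoint ports and CHILD_SA encapsulation mode."""
    info = {"established": False}
    for line in text.splitlines():
        if ", ESTABLISHED, " in line:
            info["established"] = True
        m = ENDPOINT.match(line)
        if m:
            info[m[1] + "_addr"] = m[2]
            info[m[1] + "_port"] = int(m[3])
        m = CHILD.match(line)
        if m:
            info["encap"] = m[1]
            info["udp_encap"] = m[1].endswith("-in-UDP")
    return info


def classify(info, ike_port):
    """'nat-t-4500' when the local side floated to 4500 with UDP encapsulation,
    'custom-port' when both peers stayed on ike_port without it, 'down' when the
    IKE_SA is not established, otherwise 'unexpected'."""
    if not info.get("established"):
        return "down"
    if info.get("local_port") == 4500 and info.get("udp_encap"):
        return "nat-t-4500"
    if (info.get("local_port") == ike_port and info.get("remote_port") == ike_port
            and not info.get("udp_encap")):
        return "custom-port"
    return "unexpected"


if __name__ == "__main__":
    pkts = parse_sniffer(SNIFFER_NATT_ENABLED)
    print("initiator ports:", initiator_source_ports(pkts, "10.10.10.2"),
          "floated to 4500:", natt_port_float(pkts, "10.10.10.2", 6000))
    print("NAT-T enabled :", classify(parse_swanctl(SWANCTL_NATT_ENABLED), 6000))
    print("NAT-T disabled:", classify(parse_swanctl(SWANCTL_NATT_DISABLED), 6300))
```

Feed it the raw text of your own `diagnose sniffer packet port11 'udp and port 4500 or port <ike-port>' 4` and `swanctl -l` output. A result of `unexpected` usually means the two sides disagree on the IKE port or on NAT traversal, which is exactly the mismatch the configuration steps in this topic are meant to avoid; `down` means the IKE_SA never reached ESTABLISHED, so the backhaul address or port forwarding on the NAT device is the first thing to check.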