topic Re: IPSEC PUBLIC IP BEHAIND NAT in Cloud Firewall

IPSEC PUBLIC IP BEHAIND NAT

siddu099 — Fri, 24 Oct 2025 07:18:12 GMT

Hi Team,

We created the the ipsec with in our lab firewall checkpoint and FortiGate , my checkpoint topology having private ip

the nat happen on redhat openstack portal tunnel is up but i cat able to reach the destination side

is there any thing else need to check

Thanks

Siddu

Re: IPSEC PUBLIC IP BEHAIND NAT

the_rock — Fri, 24 Oct 2025 12:11:28 GMT

Hey Siddu,

What have you done so far as far as troubleshooting? Any packet captures, debugs, any logs you can share? Just telling us something is not accessible does not tell us anything, sorry 😞

Re: IPSEC PUBLIC IP BEHAIND NAT

the_rock — Fri, 24 Oct 2025 12:40:02 GMT

For starters, run this from expert mode:

fw ctl zdebug + drop | grep x.x.x.x

Just replace x.x.x.x with dst IP

ctrl c to stop and observe if any messages/logs

On FGT side:

di de di

di de app ike -1

di di en

observe debug messages

q to stop and di de di again

Re: IPSEC PUBLIC IP BEHAIND NAT

PhoneBoy — Fri, 24 Oct 2025 21:05:38 GMT

You need to configure Link Selection in the gateway/cluster object.
R82 offers the Enhanced Link Selection option, but this is how you can configure it in any version:

Re: IPSEC PUBLIC IP BEHAIND NAT

the_rock — Sat, 25 Oct 2025 14:53:53 GMT

Good point! I assumed that was set already, but definitely worth confirming.

Re: IPSEC PUBLIC IP BEHAIND NAT

Timothy_Hall — Sat, 25 Oct 2025 15:02:32 GMT

Scroll further right in the SmartView Monitor, is NAT-T active for that tunnel? If not make sure support for it is enabled on both sides. Also you'll need to implement Phoneboy's suggestion concerning Link Selection.

Re: IPSEC PUBLIC IP BEHAIND NAT

the_rock — Sat, 25 Oct 2025 16:13:44 GMT

I believe NAT-T is by default enabled on both CP and FGT.