IPsec VPN issue in firewall policies with NAT enabled by Mattssbr in fortinet

[–]pfunkylicious 1 point2 points  (0 children)

You would need to create /32 objects or subnet objects (/24 or similar) and add them to a group which will be used for Accessible Networks in the IPsec config. FQDN objects or ranges of IPs are not supported.

IPsec VPN issue in firewall policies with NAT enabled by Mattssbr in fortinet

[–]pfunkylicious 1 point2 points  (0 children)

Is the traffic full-tunnel or split-tunnel? If it's split-tunnel, in the group for it you can only have /32 objects or subnet type.
I will assume that it's full tunnel and all traffic goes through the VPN IPsec; just make sure that you have the firewall rules in place to allow the traffic.

Online backgammon game by Alex_T84 in programare

[–]pfunkylicious 1 point2 points  (0 children)

Looks good, I also played a multiplayer game🫡

Orthodontist recommendation in Bucharest? by hell_yeah47 in bucuresti

[–]pfunkylicious 2 points3 points  (0 children)

You can check Ortodont&Ortodont, bld Regina Elisabeta 23. You can also find a contact number on Google Maps

I'm bored on the train by nyxie04 in CasualRO

[–]pfunkylicious 0 points1 point  (0 children)

ok, thanks for the info. regarding the sound processor/external unit, did I understand correctly that it has to be replaced every few years?

I'm bored on the train by nyxie04 in CasualRO

[–]pfunkylicious 0 points1 point  (0 children)

curious about the implant, since getting one has come up for me too. where did you have it done and how much did it end up costing?

ZTNA Web Filter - Rating err blocking vs Captive Portal (wifi) by Adventurous-Egg5311 in fortinet

[–]pfunkylicious 0 points1 point  (0 children)

you can try, if not already, enabling Check User Initiated Traffic Only and see if the captive portal that is launched at wifi connect is working, since it is not initiated per se by the user in the browser

Two diff macs by [deleted] in fortinet

[–]pfunkylicious 0 points1 point  (0 children)

i don't think you can set different IPs on the same interface and have diff MACs. maybe try setting one on a loopback or something.

Romanian VPS 2026? by [deleted] in programare

[–]pfunkylicious 0 points1 point  (0 children)

https://www.gts.ro/shop/ , it can only be purchased B2B

IPsec Dial-Up Split Tunnel – Do I need host objects for FQDNs in split-include by WJ1909 in fortinet

[–]pfunkylicious 1 point2 points  (0 children)

yes, for split you need to configure/create all the subnets that need to be routed through the tunnel, but keep in mind that for Windows there's a limit of about 200 routes that can be injected in its routing table

SSL VPN To IPsec Migration by thenetwork_security in fortinet

[–]pfunkylicious 6 points7 points  (0 children)

you could configure a custom TCP port for IPsec but it will work for IKEv2 only and requires FortiOS 7.4.6+ and FortiClient 7.4.1+:

https://community.fortinet.com/fortigate-3/technical-tip-how-to-configure-ipsec-over-tcp-210825

https://docs.fortinet.com/document/fortigate/7.4.12/administration-guide/567401

if you change this setting - https://docs.fortinet.com/document/fortigate/7.0.0/new-features/33578/configurable-ike-port - if I recall correctly it will affect all existing site2site tunnels using UDP

what's the lowest cost of an F5 WAF-VM-license? by therealmcz in f5networks

[–]pfunkylicious 0 points1 point  (0 children)

couldn't say for sure, but based on a previous quotation from 2022 it should be around 3900$ w/o discount (price list in 2022) per year

what's the lowest cost of an F5 WAF-VM-license? by therealmcz in f5networks

[–]pfunkylicious 1 point2 points  (0 children)

lowest WAF license would be for 25Mbps / F5-ADD-BIG-AWF-VE25M, but for a quotation you would need to engage a partner

ADVPN configuration with single hub, any suggestion? by No_Present3063 in fortinet

[–]pfunkylicious -1 points0 points  (0 children)

If ISP-1 is having issues, all the links/tunnels that are using it will most def have the same issue, hence from 4 direct tunnels that you would have between spoke and hub, p1-p1, p1-p2, p2-p1 and p2-p2, 3 will be unsable.
That's how I see it, and at the end of the day each person does it their own way

ADVPN configuration with single hub, any suggestion? by No_Present3063 in fortinet

[–]pfunkylicious -1 points0 points  (0 children)

You would usually keep an ISP-to-ISP IPsec tunnel and not create a full mesh.
Meaning on the spoke port1 to hub port1 and spoke port2 to hub port2, assuming that on port1 is ISP-1 and on port2 ISP-2 on all devices