Opening VPN access

  • Hi,

    We have configured vpn on our Fortigate 200 and local connections tested out successfully.
    The Fortigate is behind a pfSense and I've already configured forwarding for ports 500, 4500 and ESP (IP50).
However we still can't connect remotely.  According to Fortigate support this is because it is configured with Hybrid outbound NAT: this should be set to manual outbound NAT and any automatic rules for port 500 should be deleted.

I have a hard time believing that this cannot work in Hybrid mode.  Could this really be the case?

There is another vpn server behind the pfSense and I can connect to that just fine.  Also I'm worried that changing to manual outbound NAT might break vpn access to this other vpn server, since it is still used intensively.

    Thanks for your suggestions
    [Screenshot pfSense.jpg](/public/imported_attachments/1/Screenshot pfSense.jpg)

  • Netgate

    Woefully lacking detail and your uploaded screenshot is 0 bytes.

pfSense is v2.3.2 running on a FreeBSD 10.3 release p5, and this has been set up in a VM running on VMware vSphere 5.5.  The network setup is pretty basic: one interface connecting to the internet and one for the LAN.  Let me know if you require any other details.

Basically we need to allow vpn connections through our pfSense to our new Fortigate 200 (  At the moment we have an old vpn server (172.30.136) and that works just fine through the pfSense.  This old vpn server is going to be replaced with the Fortigate 200.

I would like to set up pfSense so we can establish a vpn connection to the Fortigate 200 without breaking the current vpn access.  According to Fortigate support, I need to change from Hybrid to Manual configuration and remove the automatically generated rules.  Is that correct, and if so how will this impact my current vpn connections?

Note: I've uploaded the image file again.

  • Netgate

    If you need connections from the internet to your inside VPN server, you should be looking at port forwards or 1:1 NAT, not outbound NAT.

That's what I already assumed.  Thanks for confirming.  I've set up the following port forwards (see attached screenshot) to allow vpn traffic.  I notice in the Fortigate logs that a vpn connection is being set up, but then it breaks off so the connection is not established.

  • Netgate

    Looks like that should be all that's necessary there. Are there firewall rules on WAN passing the same traffic to Is the traffic arriving at your Fortigate?

We do indeed have a firewall rule on WAN passing the same traffic to  (see screenshot - I'll attach a second screenshot in my next reply).

    ![2016-10-25 11_11_19-Settings.jpg](/public/imported_attachments/1/2016-10-25 11_11_19-Settings.jpg)

And the remaining rules are in this second screenshot.  We also see traffic arriving at the Fortigate 200 (I believe this is the initial handshake of the communication) and then the connection gets dropped before it is completely established.

    ![2016-10-25 11_12_01-Settings.jpg](/public/imported_attachments/1/2016-10-25 11_12_01-Settings.jpg)

  • Netgate

    NAT Traversal should be all you need. I don't think you can port-forward ESP itself.

    Is the traffic arriving on the fortigate?

Yes.  Traffic is arriving at the Fortigate.  In the logs we see the initial communication being set up, but then the connection attempt gets dropped, and I'm assuming that's because there is still something that is blocked.

When I try to establish a vpn connection to the Fortigate 200 directly via the local network, it works.  So I'm sure the Fortigate is working.

  • Netgate

    Therefore it has to be pfSense at fault.

I agree.  But how can I troubleshoot what's wrong?

  • Netgate Administrator

Most likely problem: The Fortigate is sending its local IP address as its identifier and the device at the other end is expecting the pfSense WAN IP.

    Check the expected identifier at the other end. Change the Fortigate to send the public IP if that's what is needed to match.

Or you could just use pfSense to set up the tunnel directly.  ;)

According to Fortigate that is likely the cause of the problem.  Could you send me the instructions on how to change the configuration to send down the local identifier to the device? Thanks.

  • Netgate Administrator

    That's something you would need to configure in the Fortigate. I can't help you with that.

    Is there a reason you're not just terminating the VPN in pfSense directly? I could help you with that.  ;)