IPSEC VPN - Palo Alto to Fortigate ( Forti behind a NAT )
Hello community, as always thank you for your collaboration.
I understand that it is feasible; I have not had to do it myself, but I understand that it is possible to do the following.
Scenario:
-Palo Alto firewall with a static public IP directly on the PA interface.
-FortiGate firewall behind a traditional, almost residential modem/router/ONT with a dynamic public IP, but with a private IP on the FortiGate's WAN interface.
I.e.:
PaloAlto-Untrust-Interface-Static dedicated Public IP=======Internet=====VPN-Site-to-Site=============Dynamic-IP-traditional-Internet-Modem-ISP=====NAT===Private WAN IP Fortigate.
Can I set up a site-to-site VPN tunnel between a Palo Alto FW with a dedicated static public IP coming directly to the PA and a FortiGate firewall behind a traditional ISP modem/router/NAT?
Is it feasible to build this IPsec tunnel so that it is stable and operates correctly?
What aspects, configurations, settings, etc. should I consider when making this configuration?
Thanks as always for the collaboration, good vibes and for all the advice and your time in answering.
Greetings, and I look forward to your comments.
This is perfectly possible, with a few caveats:
The Palo side should be set to "passive".
Both sides will have to have NAT-T (NAT Traversal) enabled, or use IKEv2 (NAT-T is built in).
You will need to use local and peer identifiers, at least for the Forti side (due to it being behind NAT). The easiest way to do this is to set the ID type to FQDN and then use something that prevents mistakes (like 'palo2forti' for the Palo side and 'forti2palo' for the Forti side); it doesn't need to be a real FQDN.
After you've done the above adjustments, you should have a fully functional IPsec tunnel.
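The settings the answer lists (passive mode on the Palo Alto, NAT-T, IKEv2, and FQDN-type local/peer IDs), written out as CLI configuration for both ends. This is an added example, not configuration from the original post or from either vendor's documentation. The interface names (ethernet1/1, wan1), the Palo Alto public address 203.0.113.10/30, the protected subnets 10.1.0.0/24 (behind the PA) and 10.2.0.0/24 (behind the FortiGate), the object names, the proposal choices and the pre-shared key placeholder are all assumptions; keyword spelling differs slightly between PAN-OS and FortiOS releases and should be checked against the running version. The `#` lines are annotations only and are not valid input for either CLI.

```text
# ---- Palo Alto (PAN-OS configure-mode set commands) ----
# The PA has the static address, so it is the responder: peer address is
# dynamic (the ISP modem's public IP changes), passive mode stops the PA
# from trying to initiate, and the peer is recognised by its IKE ID.
set network ike crypto-profiles ike-crypto-profiles ike-aes256-sha256 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles ike-aes256-sha256 hash sha256
set network ike crypto-profiles ike-crypto-profiles ike-aes256-sha256 dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles ipsec-aes256-sha256 esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles ipsec-aes256-sha256 esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles ipsec-aes256-sha256 dh-group group14
set network ike gateway gw-forti protocol version ikev2
set network ike gateway gw-forti local-address interface ethernet1/1
set network ike gateway gw-forti local-address ip 203.0.113.10/30
set network ike gateway gw-forti peer-address dynamic
set network ike gateway gw-forti authentication pre-shared-key key REPLACE-WITH-PSK
set network ike gateway gw-forti local-id type fqdn
set network ike gateway gw-forti local-id id palo2forti
set network ike gateway gw-forti peer-id type fqdn
set network ike gateway gw-forti peer-id id forti2palo
set network ike gateway gw-forti protocol ikev2 ike-crypto-profile ike-aes256-sha256
set network ike gateway gw-forti protocol ikev2 dpd enable yes
set network ike gateway gw-forti protocol-common nat-traversal enable yes
set network ike gateway gw-forti protocol-common passive-mode yes
set network tunnel ipsec vpn-forti tunnel-interface tunnel.1
set network tunnel ipsec vpn-forti auto-key ike-gateway gw-forti
set network tunnel ipsec vpn-forti auto-key ipsec-crypto-profile ipsec-aes256-sha256
set network tunnel ipsec vpn-forti auto-key proxy-id p1 local 10.1.0.0/24
set network tunnel ipsec vpn-forti auto-key proxy-id p1 remote 10.2.0.0/24
set network tunnel ipsec vpn-forti auto-key proxy-id p1 protocol any

# ---- FortiGate (FortiOS CLI) ----
# wan1 carries the private address handed out by the ISP modem, so the
# FortiGate is always the initiator. It announces itself as forti2palo,
# expects palo2forti from the peer, and keeps the NAT mapping alive.
config vpn ipsec phase1-interface
    edit "vpn-palo"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set peertype peer
        set peerid "palo2forti"
        set localid "forti2palo"
        set localid-type fqdn
        set nattraversal enable
        set keepalive 10
        set dpd on-idle
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret REPLACE-WITH-PSK
    next
end
config vpn ipsec phase2-interface
    edit "vpn-palo-p2"
        set phase1name "vpn-palo"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
end
```

Two practical consequences of this layout: because the PA is passive and only knows the peer by ID, nothing brings the tunnel up from the PA side, so the FortiGate phase 2 has auto-negotiate enabled and DPD set so that it re-establishes the SA itself after the ISP changes the public address; and the NAT-T keepalive interval is kept short so the modem's UDP/4500 translation entry is not aged out while the tunnel is idle. The proxy-ID on the PA and the src/dst subnets on the FortiGate must mirror each other exactly, or phase 2 will fail even though phase 1 comes up. Routing (a route for the remote subnet via tunnel.1 on the PA and via the vpn-palo interface on the FortiGate) and the security policies on both sides still have to be added; they are not shown here.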