06-02-2025 10:31 PM
Hi Folks,
I need urgent help. I am trying to configure an IKEv2 tunnel between two Cisco routers. However, the problem is that my router is behind a firewall and is not able to properly route traffic to the other router. However, when I connect straight to the ISP end, the IKEv2 tunnel works. I am not sure where I am wrong.
06-02-2025 10:51 PM
@ipo.peniel_rg hi, the most common issues are listed below. Check whether any of them affect your scenario.
1. NAT - make sure you have proper NAT rules in the firewall for ports 500 and 4500 for IPsec traffic.
2. Routing - make sure your router behind the firewall can reach the remote peer through the firewall.
3. Firewall policies - make sure you have the correct firewall rules to allow IPsec traffic between the two routers.
06-02-2025 10:53 PM
@ipo.peniel_rg there could be a number of reasons; without seeing your configuration we can only guess.
- Check the firewall ACL to confirm the traffic is allowed.
- If NAT is configured confirm it is working correctly.
- If NAT is configured check the IKE identity is correct.
Provide configuration and IKEv2 debugs from the routers.
06-02-2025 10:59 PM
Hi all, due to strict policies I am not able to reveal my configs; however, below is the scenario:
1. I have a Cisco ISR C1121 router. I have configured an IKEv2 tunnel on it. However, the router's WAN interface is getting its IP address from a local area network, which is connected to a FortiGate firewall.
2. The keyring, proposal, profile, crypto map and access list configured on the router are working fine, as I can get the tunnel to work when I connect the router straight to the ISP.
3. My problem, however, is when I connect to the LAN with the firewall. I don't know where to configure to allow the VPN traffic to pass through.
06-02-2025 11:08 PM - edited 06-02-2025 11:10 PM
@ipo.peniel_rg I understand you cannot reveal some key points, which are very important for troubleshooting. I guess you need to configure the NAT rules and firewall policies in this case.
Additionally, you can check the guide below.
It has the same scenario, but using a Cisco router as the NAT device, not a firewall. The concept is the same.
06-02-2025 11:09 PM
@ipo.peniel_rg configure a static IP address on the router instead of DHCP, and configure a static NAT on the firewall translating the public IP address to the private static IP address of the router. Configure the firewall rules (from outside to inside) to permit udp/500 and udp/4500 to the router's IP address. Ensure NAT-Traversal is configured on the FortiGate. As you'll be using NAT, check the IKEv2 identity sent to the other peer.
06-02-2025 11:12 PM
Do you have documentation you can assist me with? I just need to know exactly what to do where.
06-02-2025 11:17 PM
@ipo.peniel_rg the NAT/firewall configuration needs to be performed on the FortiGate firewall; you'd probably be better off asking in the Fortinet forums rather than the Cisco community.
06-03-2025 02:01 AM
As already mentioned by the others, the FortiGate device must have NAT and security rules configured. As @Rob Ingram mentioned, if you configure the Cisco router with a static IP, then you can create a NAT rule on the FortiGate to translate any traffic that hits the FortiGate outside interface on ports 500/udp and 4500/udp to the Cisco router's private IP. If you have a spare public IP, you could also create a one-to-one NAT mapping translating the traffic hitting that dedicated public IP to the Cisco router's private IP.
Also, the FortiGate firewall must allow the traffic on those ports towards the router's private IP. Another thing that needs to be checked, I think, is the outbound NAT rule on the FortiGate. When the Cisco router tries to establish the VPN tunnel with the remote end, its traffic would be translated by the FortiGate firewall to a public IP. That IP could be the FortiGate outside interface IP, or another one configured on the FortiGate. Either way, that public IP will be the remote peer configured on the remote VPN headend. I don't agree with @Rob Ingram that NAT-T has to be configured on the FortiGate, as the FortiGate will only be a transit device from the VPN perspective, but I might be missing something here.
06-03-2025 02:13 AM - edited 06-03-2025 02:14 AM
Thank you, Sir. Can you share with me configs I can enter into the router? I am new to this stuff, thanks. I got as far as bringing the tunnel up when connected straight to the ISP. However, as we are using only one public IP, I would really like to use the LAN's IP address. I have now configured the WAN interface on the router with a static IP address from the LAN.
06-03-2025 07:34 AM
You're welcome. I think the only thing that you would need to change on the router's side is the local IP address in the IKEv2 crypto profile. When you connect the router behind the FortiGate, that local IP should be changed to reflect the private IP you assigned to the router's interface that is connected to the FortiGate. NAT-T should already be enabled on the router by default, so, other than changing the local IP, I don't believe there is anything else that needs to be changed on the router.
I'm sorry I can't help with the FortiGate config, as I don't have experience with it. However, I found this guide for you; please take a look, I hope it helps:
Static virtual IPs | FortiGate / FortiOS 7.6.0 | Fortinet Document Library
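Putting the steps from the two replies above (static NAT plus udp/500 and udp/4500 rules on the FortiGate, local address and IKEv2 identity on the router) into configuration form, as an added example that is not from this thread or from either vendor: an IOS-XE snippet for the router behind the FortiGate and for the remote peer, then a FortiOS VIP and policy. All addresses, interface and object names and the PSK placeholder are constructed; the FortiGate part assumes the predefined IKE service (udp/500 and udp/4500) and the static virtual IP approach of the linked guide.

```text
! ===== Cisco ISR behind the FortiGate (IOS-XE); addresses constructed:
! 192.168.10.2 router WAN (LAN side of FortiGate), 203.0.113.10 FortiGate
! public IP, 198.51.100.20 remote peer.
crypto ikev2 keyring IKEV2-KEYRING
 peer REMOTE
  address 198.51.100.20
  pre-shared-key PSK-PLACEHOLDER
crypto ikev2 profile IKEV2-PROFILE
 match address local 192.168.10.2
 match identity remote address 198.51.100.20 255.255.255.255
 identity local address 203.0.113.10
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
! Without "identity local" IOS sends the private 192.168.10.2 as IDi and
! the remote profile would have to match that address instead.
! ===== Remote peer: keyring lookup uses the NATed source 203.0.113.10
crypto ikev2 keyring IKEV2-KEYRING
 peer BRANCH
  address 203.0.113.10
  pre-shared-key PSK-PLACEHOLDER
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 203.0.113.10 255.255.255.255
# ===== FortiGate (FortiOS CLI); names constructed. Forward udp/500 and
# udp/4500 from the public IP to the router, then permit them inbound.
config firewall vip
    edit "VIP-IKE-500"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.10.2"
        set protocol udp
        set extport 500
        set mappedport 500
    next
end
# Define "VIP-IKE-4500" identically with extport/mappedport 4500 (NAT-T).
config firewall policy
    edit 0
        set name "inbound-ikev2-to-router"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-IKE-500" "VIP-IKE-4500"
        set action accept
        set schedule "always"
        set service "IKE"
        set nat disable
    next
end
```

The router's own outbound traffic still needs an internal-to-wan1 policy with source NAT enabled, so it leaves as 203.0.113.10, which is the address the remote headend must configure as its peer. Narrowing `srcaddr` from "all" to an address object for 198.51.100.20 limits the inbound rule to the known peer.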