Help with IPSec VPN Between Two Peplink B One Devices – One Behind FortiGate in Bridge Mode

Hi Peplink Community :wave:,

I’m working on establishing an IPSec VPN between two Peplink B One devices and running into some trouble.

:desktop_computer: Scenario Overview:

  • Branch Location (Santo):
    • Device: Peplink B One
    • Goal: Initiate IPSec tunnel to HQ.
    • Internet is working fine.
  • Headquarters (Vila):
    • Device: Peplink B One 5G
    • Setup: Acting as a bridge to a FortiGate firewall.
    • The FortiGate is doing the main routing/NAT/firewall duties.

:wrench: Issue:

The IPSec VPN is not establishing between the two Peplinks. I’m assuming it has something to do with:

  • The HQ B One being in bridge mode, passing traffic to the FortiGate.
  • Possibly some issue with NAT traversal, policy, or forwarding.

:test_tube: What I’ve Tried:

  • Verified IPSec profiles match on both ends (PSK, phase settings, etc.).
  • Ensured public IPs are correctly configured.
  • Allowed IPSec ports (UDP 500, UDP 4500) on the FortiGate.
  • Tried initiating the tunnel from both ends.

:question: What I Need Help With:

  • Has anyone set up a similar IPSec VPN with a Peplink in bridge mode behind another firewall (like FortiGate)?
  • Should the VPN be terminated on the FortiGate instead?
  • Any special routing or NAT configs needed to make this work?

Appreciate any suggestions, configuration tips, or working examples!

Thanks in advance :pray:
— Albert

Hi!

Devices that have IP Passthrough enabled can’t act as IPsec endpoints, as all of the traffic will be forwarded to the downstream device (in this case - the FortiGate firewall). Thus I can see two options in this situation:

  • (Preferred) Instead of IPsec, set up a SpeedFusion VPN between the two B Ones. As SpeedFusion operates a little differently, the connection should still work even with IP Passthrough enabled. Also, SpeedFusion has many advantages over IPsec.
  • Try to use the FortiGate firewall as the IPsec endpoint. Though a disclaimer - Peplink devices do not officially support IPsec connections to FortiGate devices. Thus I cannot guarantee that the IPsec tunnel will form and function correctly.
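The question reports that UDP 500/4500 were opened on the FortiGate, and the reply explains why the passthrough B One cannot answer IKE itself. One check that settles which side is silent is a packet capture on the HQ side filtered to those ports: if the branch's IKE_SA_INIT requests arrive but nothing ever goes back, the endpoint behind the passthrough device is not terminating IKE. The script below is an added example, not code from either poster or from Peplink/Fortinet; it parses tcpdump-style capture lines (the line format is an assumption, and the sample lines and the documentation-range addresses 203.0.113.10 / 198.51.100.20 are constructed) and reports whether IKE was one-way or bidirectional and whether NAT-T (UDP 4500) was in use.

```python
import re
from collections import defaultdict

# Constructed sample capture: branch (203.0.113.10) retries IKE_SA_INIT,
# including a NAT-T attempt on 4500, and HQ (198.51.100.20) never answers.
SAMPLE_ONE_WAY = """\
10:00:01.000000 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: parent_sa ikev2_init[I]
10:00:02.000000 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: parent_sa ikev2_init[I]
10:00:03.000000 IP 203.0.113.10.4500 > 198.51.100.20.4500: NONESP-encap: isakmp: parent_sa ikev2_init[I]
10:00:04.000000 IP 203.0.113.10.43210 > 198.51.100.20.443: Flags [S], seq 1
"""

# Constructed healthy capture: the responder answers on UDP 500.
SAMPLE_OK = """\
10:00:01.000000 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: parent_sa ikev2_init[I]
10:00:01.050000 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[R]
"""

# Assumed tcpdump-style header: "IP src.sport > dst.dport:"
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
IKE_PORTS = {500, 4500}

ONE_WAY = "one-way: IKE requests reach the HQ side but no endpoint replies"
BIDIRECTIONAL = "bidirectional: responder is answering IKE"
NO_IKE = "no IKE traffic from the initiator at all"


def parse_ike_flows(capture: str) -> dict:
    """Count packets per (src, dst, dport) for UDP 500/4500 only.

    Non-IKE lines (here a TCP 443 SYN) are ignored by the port filter.
    """
    flows = defaultdict(int)
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        if dport in IKE_PORTS:
            flows[(src, dst, dport)] += 1
    return dict(flows)


def assess_ike(capture: str, initiator: str, responder: str) -> dict:
    """Summarise whether IKE between initiator and responder is one-way.

    nat_t is True when any packet used UDP 4500, i.e. NAT traversal was tried.
    """
    flows = parse_ike_flows(capture)
    sent = sum(c for (s, d, _), c in flows.items() if s == initiator and d == responder)
    replied = sum(c for (s, d, _), c in flows.items() if s == responder and d == initiator)
    nat_t = any(p == 4500 for (_, _, p) in flows)
    if sent and replied:
        verdict = BIDIRECTIONAL
    elif sent:
        verdict = ONE_WAY
    else:
        verdict = NO_IKE
    return {"sent": sent, "replied": replied, "nat_t": nat_t, "verdict": verdict}


if __name__ == "__main__":
    for name, cap in (("one-way", SAMPLE_ONE_WAY), ("ok", SAMPLE_OK)):
        print(name, assess_ike(cap, "203.0.113.10", "198.51.100.20"))
```

A one-way result with the FortiGate's sniffer showing the same packets confirms the reply's point: the packets are being passed through, so the tunnel has to be terminated on whatever device actually owns the IKE listener, or replaced with SpeedFusion as suggested.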