Technical Tip: No bytes are received when connected to IPSEC dialup VPN using FortiClient
| Description | This article describes a possible cause when no traffic is seen on the FortiGate even though the proper route has been pushed to the client after it connects to a dialup VPN. |
| Scope | FortiGate, FortiClient. |
| Solution | When connecting to an IPsec dialup VPN through FortiClient, there are situations where no traffic passes through the tunnel even though the connection succeeds and the pushed route is visible on the endpoint (the client shows bytes sent but no bytes received).
During troubleshooting, this traffic is not seen arriving on the FortiGate at all.
The cause is that a NAT device cannot translate IPsec packets in ESP tunnel mode (IP protocol 50): ESP carries no port number, so a port-translating NAT has nothing to rewrite and cannot demultiplex the packets back to the correct inside host. The ESP packets are therefore dropped before they reach the FortiGate.
[Capture taken at the ISP level showing the cause of the issue]
To resolve this, make sure NAT Traversal (NAT-T) is enabled in the VPN configuration on the FortiClient, since endpoints are almost always behind a NAT device. With NAT-T, IKE and ESP are encapsulated in UDP on port 4500, which a NAT can translate like any other UDP flow.
Note: If IKE Version 2 is configured in the VPN settings, the NAT Traversal option is not visible in the FortiClient settings.
To enable it manually from FortiClient EMS or the FortiClient VPN (free license) settings, see Troubleshooting Tip: IKEv2 IPSec VPN on FortiClient v7.4.1 and v7.4.2 has NAT-T disabled with default settings.
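To make the "no port to translate" argument concrete, here is an added example (not code from the Fortinet article, FortiClient or FortiOS): a minimal model of a port-translating NAT with no IPsec passthrough helper, fed by two clients behind it that try to reach the same gateway first with raw ESP and then with NAT-T, plus a small helper that counts raw ESP versus UDP-encapsulated ESP in tcpdump-style capture text so you can tell from a client-side or ISP-side capture whether NAT-T is actually in use. All addresses, ports, SPIs and capture lines are constructed for the demo; the tcpdump line formats (`ESP(spi=...,seq=...)` and `UDP-encap: ESP(...)`) are tcpdump's own.

```python
"""Added example, not code from the Fortinet article: a minimal model of a
port-translating NAT (PAT) showing why raw ESP from a client behind NAT never
reaches the gateway while NAT-T (ESP in UDP/4500) does, plus a helper that
spots raw ESP in tcpdump-style capture text.  Addresses, ports, SPIs and
capture lines are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.5"     # constructed: WAN address of the NAT device
GATEWAY_IP = "198.51.100.1"   # constructed: FortiGate dialup VPN endpoint


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "esp" (IP protocol 50) or "udp"
    sport: Optional[int] = None    # None for ESP: the header has no port field
    dport: Optional[int] = None
    spi: Optional[int] = None      # ESP SPI; a plain NAT does not key on it


class PAT:
    """Port-address translation keyed on (inside ip, proto, inside port).
    Models a NAT with no IPsec passthrough helper, as on many CGNAT and
    consumer devices."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Tuple[str, str, int], int] = {}
        self.inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound_translate(self, p: Packet) -> Optional[Packet]:
        if p.sport is None:
            # ESP has no port to rewrite, so no mapping can be created and the
            # NAT could never route a reply back: the packet is dropped.
            return None
        key = (p.src, p.proto, p.sport)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[(p.proto, self.next_port)] = (p.src, p.sport)
            self.next_port += 1
        return Packet(self.public_ip, p.dst, p.proto,
                      self.outbound[key], p.dport, p.spi)

    def inbound_translate(self, p: Packet) -> Optional[Packet]:
        target = None if p.dport is None else self.inbound.get((p.proto, p.dport))
        if target is None:
            return None                # absent or unknown port: dropped
        inside_ip, inside_port = target
        return Packet(p.src, inside_ip, p.proto, p.sport, inside_port, p.spi)


def run_tunnel_attempt(nat_t: bool) -> Dict[str, bool]:
    """Two clients behind one NAT each send ESP to the gateway and wait for a
    reply.  Returns inside IP -> whether the gateway's reply was delivered."""
    nat = PAT(PUBLIC_IP)
    clients = {"10.0.0.11": 0x1001, "10.0.0.12": 0x1002}   # inside IP -> SPI
    delivered: Dict[str, bool] = {}
    for ip, spi in clients.items():
        if nat_t:   # NAT-T: ESP encapsulated in UDP, source and destination port 4500
            out = Packet(ip, GATEWAY_IP, "udp", 4500, 4500, spi)
        else:       # raw ESP, IP protocol 50, no ports at all
            out = Packet(ip, GATEWAY_IP, "esp", spi=spi)
        on_wire = nat.outbound_translate(out)
        if on_wire is None:
            delivered[ip] = False      # never reached the FortiGate
            continue
        # the gateway answers by swapping addresses and (when present) ports
        reply = Packet(GATEWAY_IP, on_wire.src, on_wire.proto,
                       on_wire.dport, on_wire.sport, spi)
        back = nat.inbound_translate(reply)
        delivered[ip] = back is not None and back.dst == ip
    return delivered


# tcpdump prints raw ESP as "A > B: ESP(spi=...,seq=...)" and NAT-T as
# "A.port > B.4500: UDP-encap: ESP(spi=...,seq=...)".
_NAT_T = re.compile(r"UDP-encap: ESP\(")
_RAW_ESP = re.compile(r": ESP\(")


def classify_capture(lines) -> Dict[str, int]:
    """Count raw ESP versus NAT-T encapsulated ESP packets in capture text."""
    counts = {"raw_esp": 0, "nat_t": 0}
    for line in lines:
        if _NAT_T.search(line):
            counts["nat_t"] += 1
        elif _RAW_ESP.search(line):
            counts["raw_esp"] += 1
    return counts


SAMPLE_CAPTURE = [   # constructed lines in tcpdump's output format
    "10.0.0.11 > 198.51.100.1: ESP(spi=0x00001001,seq=0x1), length 132",
    "10.0.0.11 > 198.51.100.1: ESP(spi=0x00001001,seq=0x2), length 132",
    "203.0.113.5.40000 > 198.51.100.1.4500: UDP-encap: ESP(spi=0x00001002,seq=0x1), length 132",
]

if __name__ == "__main__":
    print("raw ESP :", run_tunnel_attempt(nat_t=False))
    print("NAT-T   :", run_tunnel_attempt(nat_t=True))
    print("capture :", classify_capture(SAMPLE_CAPTURE))
```

Without NAT-T neither client's ESP gets a mapping and nothing reaches the gateway, which matches the symptom on the page (bytes sent, no bytes received, nothing on the FortiGate). With NAT-T each client gets its own public UDP port, so the gateway's replies are demultiplexed correctly. A capture that shows `ESP(` lines without `UDP-encap` in front of them is the quickest sign that the client is still sending raw ESP.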
[Capture: results after NAT-T is enabled on the client, bytes are now received]
[Capture: the traffic is then also observed on the FortiGate]
Note: If the request is already seen on the FortiGate, NAT-T is not the problem. First verify that the user group is referenced in only one place, either the firewall policy or the IPsec phase1 configuration, not both.
If none of the above applies, troubleshoot on the FortiGate side for policy, routing and similar issues. If the problem persists, open a ticket with the TAC team and provide the IKE debug and the debug flow output for the intended traffic (see Welcome to Fortinet Support).
Related article: |