nevan
Staff
August 11, 2025

Troubleshooting Tip: IPSec tunnel is down, 'NAT detected' and debug shows processing notify type NAT_DETECTION_DESTINATION_IP

Description
This article describes the case where the IPSec tunnel is down and the IKE debug shows 'NAT detected' and 'processing notify type NAT_DETECTION_DESTINATION_IP'.
Scope
FortiGate.
Solution

When the IPSec tunnel is down even though the configuration matches completely on both peers, run the IKE debug.

IKE debug:

diagnose debug reset
diagnose debug application ike -1
diagnose debug enable

The debug shows that the SA proposal is chosen and that it matched the correct VPN gateway.

ike 0:remote_office: cached as static-ddns.
ike 0: cache rebuild done
ike 0:4435c5e9950ad1a6/0000000000000000:8040: matched proposal id 1
ike 0:4435c5e9950ad1a6/0000000000000000:8040: proposal id = 1:
ike 0:4435c5e9950ad1a6/0000000000000000:8040: protocol = IKEv2:
ike 0:4435c5e9950ad1a6/0000000000000000:8040: encapsulation = IKEv2/none
ike 0:4435c5e9950ad1a6/0000000000000000:8040: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:4435c5e9950ad1a6/0000000000000000:8040: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:4435c5e9950ad1a6/0000000000000000:8040: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:4435c5e9950ad1a6/0000000000000000:8040: type=DH_GROUP, val=MODP2048.
ike 0:4435c5e9950ad1a6/0000000000000000:8040: lifetime=86400
ike 0:4435c5e9950ad1a6/0000000000000000:8040: SA proposal chosen, matched gateway remote_office

The debug also shows 'processing notify type NAT_DETECTION_SOURCE_IP' followed by 'NAT detected', which indicates that NAT traversal is causing the issue.

ike 0:Jeddah office: created connection: 0x14782e50 5 192.168.150.81->141.184.132.97:1.
ike 0:Jeddah office:8040: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:Jeddah office:8040: processing NAT-D payload
ike 0:Jeddah office:8040: NAT detected: PEER
ike 0:Jeddah office:8040: process NAT-D
ike 0:Jeddah office:8040: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:Jeddah office:8040: processing NAT-D payload
ike 0:Jeddah office:8040: NAT detected: ME PEER
ike 0:Jeddah office:8040: process NAT-D
ike 0:Jeddah office:8040: processing notify type FRAGMENTATION_SUPPORTED

The issue occurred because NAT-T (NAT Traversal) is enabled and both peers detected address translation during IKE negotiation, so each side treats the other as being behind a NAT device. The recommended workaround is to disable NAT-T (NAT traversal) on the tunnel; the tunnel comes up after that.


Even with working SNAT/DNAT, NAT-T can introduce complications due to encapsulation and intermediate device behavior. Disabling NAT-T avoids these issues if ESP traffic (protocol 50) is properly forwarded.
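The NAT-D check described above can be automated when the debug output has been saved to a file. The following Python script is an added example, not part of this article or of FortiOS: it scans 'diagnose debug application ike -1' output for the matched gateway and the NAT_DETECTION notifies and reports which side is behind NAT. The sample debug lines are constructed after the ones quoted above.

```python
import re

# Constructed sample of "diagnose debug application ike -1" output, modelled on
# the lines quoted in this article; it is not a live capture.
SAMPLE_DEBUG = """\
ike 0:4435c5e9950ad1a6/0000000000000000:8040: matched proposal id 1
ike 0:4435c5e9950ad1a6/0000000000000000:8040: SA proposal chosen, matched gateway remote_office
ike 0:remote_office:8040: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:remote_office:8040: processing NAT-D payload
ike 0:remote_office:8040: NAT detected: PEER
ike 0:remote_office:8040: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:remote_office:8040: processing NAT-D payload
ike 0:remote_office:8040: NAT detected: ME PEER
ike 0:remote_office:8040: processing notify type FRAGMENTATION_SUPPORTED
"""

GATEWAY = re.compile(r"SA proposal chosen, matched gateway (\S+)")
NOTIFY = re.compile(r"processing notify type (NAT_DETECTION_\w+)")
NAT_DETECTED = re.compile(r"NAT detected: (.+)$")


def triage_ike_debug(text):
    """Summarise the NAT-D exchange in IKE debug output: matched gateway (or None),
    NAT_DETECTION notifies in order, sides behind NAT ('ME' is this FortiGate,
    'PEER' the remote) and a verdict."""
    gateway, notifies, behind_nat = None, [], set()
    for line in text.splitlines():
        if m := GATEWAY.search(line):
            gateway = m.group(1)
        if m := NOTIFY.search(line):
            notifies.append(m.group(1))
        if m := NAT_DETECTED.search(line):
            behind_nat.update(m.group(1).split())  # "ME PEER" -> {"ME", "PEER"}
    if not notifies:
        verdict = "no NAT-D exchange seen: NAT-T is not involved, look elsewhere"
    elif behind_nat:
        verdict = ("NAT detected for " + " and ".join(sorted(behind_nat)) +
                   ": NAT-T will encapsulate ESP in UDP; if the tunnel stays down "
                   "despite a matched proposal, review or disable NAT-T (only if "
                   "ESP, IP protocol 50, is forwarded end to end)")
    else:
        verdict = "NAT-D exchanged but no NAT detected: NAT-T is not the cause"
    return {"gateway": gateway, "notifies": notifies,
            "behind_nat": sorted(behind_nat), "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage_ike_debug(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```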


Related article:
Technical Tip: IPSec VPN NAT-traversal