KVN001
New Member
August 19, 2022
Question

IPSec Site-to-Site VPN between two carrier grade natted Sites possible?

Hi Community,

I have two sites which are both NAT-ed, and I would need to establish an IPsec site-to-site VPN connection. Both sites are equipped with FGT60s. Currently I'm not able to establish the connection; I would guess that the CGN is the reason for this, as a tunnel to a non-NAT-ed site is working without any problem from both sites.

Does someone have a clue for me on how to achieve the connection, or is this even possible? Not sure, as NAT is still a topic that makes my head hurt.

Thanks a lot!

3 replies

aionescu
Staff
August 19, 2022

Hi @KVN001 , 

Welcome to the community.

It is possible to establish a site-to-site VPN between two NAT-ed FortiGates.

You should enable NAT-traversal on both peers. Please find more information at: Technical Tip: IPSec VPN nattraversal - Fortinet Community

KVN001 (Author)
New Member
August 20, 2022

Hi aionescu,

Thanks for the quick reply! I have already set NAT-traversal to "Forced" (also tried with just "Enabled"), but neither setting is working.

I also cannot ping either of the two sites from outside (but the IP gets resolved). I guess this is also caused by the NAT of the provider(s)?

aionescu
Staff
August 22, 2022

Hi, can you provide the relevant configuration?

Also, the ike debug would provide some more information:

diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 x.x.x.x
diagnose debug application ike -1
diagnose debug enable

(where x.x.x.x is the IP address of the remote peer)

pminarik
Staff
August 22, 2022

When you say CG-NAT, I assume that means you don't have the ability to set up VIPs/port-forwarding on either side (and therefore are unable to send arbitrary traffic from one side to the other). Is that correct?

If yes, then you would need to rely on some sort of UDP hole-punching to "push through", and as far as I am aware (I may be wrong!), UDP hole punching has so far only been implemented for dynamic spoke-to-spoke tunnel creation in ADVPN scenarios. (i.e. you will most likely need a central hub to help facilitate this connection)

In other words, I suspect for a simple site-to-site setup, what you want to do is not currently possible with FortiGates.

KVN001 (Author)
New Member
August 24, 2022

Hi pminarik

I can set VIPs and port forwarding on the FGTs, but it seems not to work. I tried forwarding a few ports to one of my servers behind the FGT and then had a port listener running there. I was not able to connect via Telnet or SSH to the open port :\

Interesting approach, I will read up on the topic and see if I can implement something like this!

Thanks!

pminarik
Staff
August 24, 2022

To clarify: The VIP/port-forwarding would have to be configured on the device that currently holds your public IP. If that's not the FortiGate (it should not be the FortiGate in a CGNAT situation), then configuring VIP will not have any effect.

Contributor
August 25, 2022

Hi @KVN001 ,

You can use a hub-and-spoke deployment.
However, one of the sides must have a public IP or be accessible from outside.


Example:
HQ - Public IP. Can be accessed from outside.

Branch - Local IP (NAT-ed by ISP/router).

In this case, the Branch will connect to the HQ public IP.
This concept is the same as SSL VPN. The Branch will initiate the traffic. HQ will respond.

But if both sides have local IPs and are not reachable from each other, it will not work.
It's not possible for either side to respond to your traffic if it isn't reaching your device.
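The reachability reasoning in the two staff/contributor replies above (a VIP only helps on the device that actually holds the public IP, and a direct tunnel needs at least one peer that can receive IKE on UDP 500/4500) can be turned into a small pre-flight check. The following Python is an added example and is not from this thread, Fortinet, or FortiOS; it classifies a WAN address by range (RFC 6598 100.64.0.0/10 for carrier-grade NAT, RFC 1918 for a customer-owned router in front of the firewall), decides which side must be the responder, and flags whether NAT-T and a dial-up (dynamic peer) responder are needed. The function names and the `upstream_forward_possible` flag are my own; the sample addresses are constructed (203.0.113.0/24 is RFC 5737 documentation space standing in for a real public IP).

```python
import ipaddress

# RFC 6598 shared address space: ISPs assign it to CPE WAN ports behind carrier-grade NAT.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private space: what a FortiGate WAN port usually gets behind a customer-owned router.
RFC1918_SPACE = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan_address(addr: str) -> str:
    """Classify the address configured on a FortiGate WAN interface."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT_SPACE:
        return "cgnat"
    if ip.version == 4 and any(ip in net for net in RFC1918_SPACE):
        return "rfc1918"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "special"
    return "public"


def site_reachability(wan_addr: str, upstream_forward_possible: bool = False) -> str:
    """Can this site act as IKE responder, i.e. receive UDP 500/4500 from the Internet?

    upstream_forward_possible is True only when the device that really holds the
    public IP (a customer-owned router in front of the FortiGate) can forward
    UDP 500/4500 to the FortiGate. Behind ISP CGNAT there is no such device,
    so the flag is ignored for CGNAT space.
    """
    kind = classify_wan_address(wan_addr)
    if kind == "public":
        return "reachable"                # FortiGate holds the public IP; a VIP on it works
    if kind == "rfc1918" and upstream_forward_possible:
        return "reachable-via-upstream"   # forward on the upstream router, not a VIP on the FortiGate
    return "unreachable"                  # CGNAT, or NAT behind a box you cannot configure


def plan_tunnel(site_a: str, site_b: str,
                a_forward: bool = False, b_forward: bool = False) -> dict:
    """Decide whether a direct site-to-site IPsec tunnel can be built and which side initiates."""
    reach = {"A": site_reachability(site_a, a_forward),
             "B": site_reachability(site_b, b_forward)}
    if all(r == "unreachable" for r in reach.values()):
        return {"possible": False,
                "reason": "neither peer can receive UDP 500/4500; use a hub with a "
                          "public IP or get an un-NATed address from the ISP"}
    # The reachable side answers (responder); the NAT-ed side must initiate.
    responder = "A" if reach["A"] != "unreachable" else "B"
    initiator = "B" if responder == "A" else "A"
    kinds = {"A": classify_wan_address(site_a), "B": classify_wan_address(site_b)}
    return {
        "possible": True,
        "responder": responder,
        "initiator": initiator,
        # NAT-T (UDP 4500 encapsulation) is required as soon as either peer sits behind NAT.
        "nat_traversal": any(k != "public" for k in kinds.values()),
        # With a NAT-ed initiator the responder should accept a dynamic peer (dial-up)
        # rather than pinning a remote gateway address that the NAT may change.
        "responder_type": "dialup" if kinds[initiator] != "public" else "static",
    }


if __name__ == "__main__":
    # Constructed sample addresses: 100.x is CGNAT space, 203.0.113.x is documentation space.
    print(plan_tunnel("100.70.3.12", "100.80.9.4"))                  # both CGNAT: not possible
    print(plan_tunnel("100.70.3.12", "203.0.113.5"))                 # B public: B responds, A initiates
    print(plan_tunnel("192.168.1.2", "100.70.3.12", a_forward=True))  # A behind own router with forward
```

The first case is the situation in this thread: both WAN ports are in CGNAT space, so neither side can be the responder and the check reports that a hub with a public IP (or an un-NATed address from the ISP) is required. The third case shows the one NAT-ed setup that does work with a port-forward, provided the forward is configured on the upstream router that holds the public IP, not as a VIP on the FortiGate.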

KVN001 (Author)
New Member
September 6, 2022

Hi!

That's not working in my case, as both sites are behind NAT.

I will get in touch with my provider to check what additional costs there would be for a static IP address without NAT.

Thanks to all for your feedback!!
BR