opt
Visitor III
October 18, 2022
Solved

IPSEC tunnels behind CGNAT Starlink

  • October 18, 2022
  • 7 replies
  • 43910 views

Hi all. We have one very interesting case. We are using Fortigate HA routers at HQ and Branch.

Branch is connected to HQ via 2 providers over IPSEC-SD-WAN tunnels.

But now we often have problems with these 2 providers' availability and decided to try Starlink.

We have connected the Starlink router to the Fortigate and switched the Starlink router to bypass mode.

Now the Branch's Fortigate is behind Starlink's CGNAT with IP 100.122.N.N 255.192.0.0, and we can't set up classic peer-to-peer IPSEC as we did before with those 2 providers, which had public IPs on both sides.

 

So the question is how to make connection between HQ and branches?

We tried configuring IPSEC with a dialup user on the HQ side as listener, with the remote side connecting to the HQ public IP.

The tunnel comes UP but there is no traffic between the routers. I suggest there are some configuration mistakes, but I need more experience to debug it.


7 replies

jintrah_FTNT
Staff
October 18, 2022

hi,

 

If the tunnel is up, then negotiations are fine. But if traffic is not working, you should check for ESP traffic between the peers.

 

# diagnose sniffer packet any 'host <remote peer IP> and esp' 6

 

best regards,

Jin

opt (Author)
Visitor III
October 18, 2022

diagnose sniffer packet any "host 145.224.100.252 and esp" 6
interfaces=[any]
filters=[host 145.224.100.252 and esp]
^C
0 packets received by filter
0 packets dropped by kernel

francelottores
New Member
October 18, 2022

One of the main reasons Port Forwarding can be a problem on Starlink is that many ISPs use Carrier-Grade NAT (CGNAT) to conserve IP addresses.

syordanov
Staff
October 18, 2022

Dear @opt,

 

Please follow the suggestion of my colleague, see if ESP packets are sent out your exit interface.

If they are sent but nothing is received on the other side, maybe Starlink is filtering the ESP packets. You can give it a try with NAT-T set to "forced".

 

Best regards,

 

Fortinet community

opt (Author)
Visitor III
October 18, 2022

We have tried NAT-T on both sides in forced mode, but nothing changed; 0 ESP packets received.

syordanov
Staff
October 18, 2022

Hello Opt,

 

OK, in that case you can try to see which public IP address is assigned by Starlink, or which address is used for SNAT to leave their network and go to the internet.

Run this command on your FG (spoke):

# diagnose sys waninfo ipify port1   <--- replace port1 with the interface used by your VPN configuration

 

When you get the IP address from the command above, you can run a sniffer on your HUB for this IP address, something like diagnose sniffer packet any "host x.x.x.x" 4, where x.x.x.x is the IP address from diagnose sys waninfo ipify, because it seems phase-2 is down and maybe phase-1 is down as well. This will give you more information about what is sent out / received for the phase-1 / phase-2 traffic.

 

Best regards,

 

Fortinet
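
The hub-side triage described in the post above, as an added example that is not from the thread or from Fortinet: it sorts the lines of a diagnose sniffer packet capture for the spoke's address into IKE (UDP/500), NAT-T (UDP/4500) and raw ESP per direction, then suggests the next check. The line format, the hub address 203.0.113.10 and the spoke address 100.64.7.9 are constructed assumptions; compare the format with your own FortiOS output before relying on it.

```python
import re
from collections import Counter

# Constructed sample in the assumed FortiOS verbosity-4 sniffer shape (an assumption,
# not verbatim output): <time> <iface> <in|out> <src[.port]> -> <dst[.port]>: <proto> <len>
SAMPLE = """\
12.001 port1 in 100.64.7.9.500 -> 203.0.113.10.500: udp 476
12.004 port1 out 203.0.113.10.500 -> 100.64.7.9.500: udp 456
13.500 port1 out 203.0.113.10 -> 100.64.7.9: ip-proto 50
14.501 port1 out 203.0.113.10 -> 100.64.7.9: ip-proto 50
"""

LINE_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:\s+(?P<proto>.+)$"
)

def classify(line):
    """Map one sniffer line to (direction, kind): 'ike' = UDP/500, 'natt' = UDP/4500
    (IKE or ESP-in-UDP, not separable at this verbosity), 'esp' = raw IP protocol 50."""
    m = LINE_RE.match(line.strip())
    if not m:  # hex-dump and banner lines do not match and are skipped
        return None
    proto, ports = m["proto"].lower(), {m["sport"], m["dport"]}
    kind = "other"
    if proto.startswith(("esp", "ip-proto 50")):
        kind = "esp"
    elif proto.startswith("udp"):
        kind = "ike" if "500" in ports else "natt" if "4500" in ports else "other"
    return m["dir"], kind

def triage(text):
    """Count packets per (direction, kind) and derive the next step for the operator."""
    counts = Counter(c for c in map(classify, text.splitlines()) if c)
    seen = lambda d, k: counts[(d, k)] > 0  # short helper for the verdict rules
    if not any(seen(d, k) for d in ("in", "out") for k in ("ike", "natt")):
        verdict = "no IKE at all: phase 1 never reaches this interface, check the peer address"
    elif seen("out", "esp") and not seen("in", "esp"):
        verdict = "raw ESP leaves but none returns: protocol 50 is likely dropped in transit, set nattraversal forced on both peers"
    elif seen("in", "esp"):
        verdict = "ESP arrives: if none is sent back check hub routes, selectors and policy, otherwise the tunnel carries traffic"
    elif seen("in", "natt") and seen("out", "natt"):
        verdict = "two-way UDP/4500 only: IKE and ESP-in-UDP share this port, confirm with verbosity 6 or tunnel counters"
    else:
        verdict = "IKE seen but no ESP: phase 1 or 2 is not completing, check PSK, proposals, remote-gw and selectors"
    return counts, verdict

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```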

opt (Author, Answer)
Visitor III
October 24, 2022

The link from Starlink should be connected directly to an FGT port. When the link is connected through a switch's VLAN, strange things happen: ICMP works but other traffic does not flow.

Found some information on Starlink's support page:

Can I use a network switch with Starlink?

Yes, you are welcome to connect your own equipment to Starlink. However, we cannot guarantee Starlink performance or compatibility with third party networking devices.

The case is closed because the router behind Starlink is now connecting as a dialup IPsec client to the Fortigate with NAT-T.

scliff
New Member
August 25, 2023

Did you get this sorted out? I am trying to do this behind some LTE carriers and am not quite sure I follow the threads.

 

Toshi_Esumi
SuperUser
August 25, 2023

Nothing should be special with either Starlink or 4G/LTE other than the public IP (or private IP) your device would pull is dynamic. With LTE you have an option to buy a static IP service from the carrier though, which Starlink doesn't offer.

So you have to set up either aggressive mode (IKEv1) or dynamic (IKEv2) IPsec.

 

Toshi

scliff
New Member
August 25, 2023

I tried a dynamic DNS tunnel but it tries to connect back to the IP, which is behind CGNAT. I am going to try to figure out how to do a dial-up; this would be ideal for my workstation and our remote offices that are not using a static IP (for whatever reason, they cannot :)).

 

Thanks

Toshi_Esumi
SuperUser
August 25, 2023

What do you mean by "DNS tunnel"? You have an internal DNS server at the end of IPSec tunnel?

 

Toshi

Toshi_Esumi
SuperUser
August 25, 2023

I guess DDNS wouldn't work well over CGNAT. A regular aggressive mode should work fine. I think I tested IKEv2 dynamic when I tested with Starlink.

 

Toshi