Skip to main content
fran19422
fran19422
New Member
April 6, 2024
Question

NAT traversal fixed broken BGP ?

  • April 6, 2024
  • 2 replies
  • 1745 views

Hello, we had an IPSEC tunnel between two Fortigates across Starlink connection active and up. 

BGP was running across this tunnel. All good, no problems.

Then suddenly three sites (Fortigates) lost their BGP connections only i.e. the IPSEC tunnels remained up.

The fix to get BGP working again was to enable 'nat traversal forced' on all participating Foritgates.

 

My questions are:

i) I understand how NAT traversal can fix IPSEC problems but in this case IPSEC was still up, therefore, how did enabling forced nat traversal fix BGP which was encapsulated (and protected) within the working IPSEC tunnels ?

ii) what might have suddenly changed with the Starlink service to cause problems with the IPSEC tunnel and/or BGP ?

 

Thank you.

2 replies

lgupta
Staff
lgupta
Staff
April 7, 2024

Hello @fran19422,

This is because of the CG-NAT used by Starlink.

You can refer below forum for more details.

https://community.fortinet.com/t5/Support-Forum/IPSEC-tunnels-behind-CGNAT-Starlink/td-p/226976

Thank you!

Dhruvin_patel
Staff
Dhruvin_patel
Staff
April 7, 2024

Greetings,

 

In this case, maybe it's not just the BGP. The traffic does not flow when the tunnel doesn't have NAT-T enabled. 

 

Starlink uses Carrier-Grade NAT (CGNAT) to conserve IP addresses. This means that Starlink assigns a single public IP address to multiple customers, rather than giving each customer a unique public IP. This creates issues for traditional IPsec VPN connections, which rely on being able to route traffic directly between the two endpoints.

 

To overcome the CGNAT issue, the search results recommend using NAT-T (NAT Traversal) for IPsec VPNs. NAT-T encapsulates the IPsec ESP traffic inside UDP packets, which can then traverse the CGNAT gateway successfully. Without NAT-T, the IPsec VPN tunnels will not be able to be established properly.

 

https://www.reddit.com/r/Starlink/comments/osq7hh/starlink_ipsec_tunnel_issues/?rdt=60543

 

Regards!

If you have found a solution, please like and accept it to make it easily accessible to others.

 

Terms & ConditionsAccessibility statement