This article describes an issue in FortiClient v7.4.1 and v7.4.2: a new VPN connection that uses IKEv2 as the protocol with the default VPN settings is created with NAT-T (NAT traversal) disabled.
Users connecting from the same public IP or sitting behind a NAT device can experience symptoms such as no network access and one-way traffic (zero bytes received shown in FortiClient VPN status) after connecting to VPN when using IPSec VPN with IKEv2 as the protocol.
The issue is resolved in FortiClient Windows v7.4.3 and FortiClient EMS v7.4.3. In these versions, NAT Traversal is configurable in the GUI.
To enable NAT-Traversal using FortiClient version v7.4.1 or v7.4.2, the following actions can be taken:
Unmanaged or unlicensed FortiClient: In the FortiClient GUI, edit the VPN connection and use one of the following two options:
Option 1: Change 'Encapsulation' from the default, 'IKE UDP Port', to 'Auto'.
Option 2: Take a backup of the configuration and open the configuration file in a text editor. Change the value of 'nat_traversal' from 0 to 1, save the file, and restore the configuration to FortiClient.
Note: The 'nat_traversal' configuration is per profile, i.e. when using multiple profiles, make sure to edit this configuration on each of them individually.
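The per-profile check from Option 2 and the note above can be scripted against a configuration backup. The following is an added example, not Fortinet code: it assumes the backup is unencrypted XML, and the sample file, its element names other than 'nat_traversal', and the profile names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample backup; the nesting and every element name except
# nat_traversal are assumptions made for this example.
SAMPLE_BACKUP = """<forticlient_configuration>
  <vpn><ipsecvpn><connections>
    <connection>
      <name>HQ-IKEv2</name>
      <ike_settings><nat_traversal>0</nat_traversal></ike_settings>
    </connection>
    <connection>
      <name>Branch-IKEv2</name>
      <ike_settings><nat_traversal>1</nat_traversal></ike_settings>
    </connection>
    <connection>
      <name>Lab-IKEv2</name>
      <ike_settings><nat_traversal>0</nat_traversal></ike_settings>
    </connection>
  </connections></ipsecvpn></vpn>
</forticlient_configuration>"""


def _profiles(root):
    """Yield (profile_name, nat_traversal_element) in document order.

    The profile is the nearest ancestor that has a <name> child, so the
    lookup does not depend on how deeply nat_traversal is nested."""
    parent = {child: p for p in root.iter() for child in p}
    for nat in root.iter("nat_traversal"):
        node = nat
        while node is not None and node.find("name") is None:
            node = parent.get(node)
        label = node.findtext("name", "").strip() if node is not None else "<unnamed>"
        yield label, nat


def audit(xml_text):
    """Return the names of profiles whose nat_traversal is not 1."""
    root = ET.fromstring(xml_text)
    return [n for n, nat in _profiles(root) if (nat.text or "").strip() != "1"]


def enable_nat_traversal(xml_text):
    """Set nat_traversal 0 -> 1 in every profile; return (xml, changed names)."""
    root = ET.fromstring(xml_text)
    changed = []
    for name, nat in _profiles(root):
        if (nat.text or "").strip() == "0":
            nat.text = "1"
            changed.append(name)
    return ET.tostring(root, encoding="unicode"), changed
```

ElementTree drops comments and the XML declaration when it re-serializes, so compare the patched output with the original backup before restoring it.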
EMS managed FortiClient:
FortiGate Configuration:
If FortiGate is always behind NAT for dial-up IPsec tunnels, it is recommended to force-enable NAT traversal in the FortiOS IKEv2 tunnel settings.
config vpn ipsec phase1-interface
    edit <dialup tunnel name>
        set nattraversal forced
    next
end
However, the FortiOS configuration above will not work around the issue on its own, since NAT traversal must also be enabled on the FortiClient side.
macOS FortiClient:
NAT Traversal is always force-enabled on macOS FortiClient, so these devices are not affected by the issue.
Related document:
Copyright 2025 Fortinet, Inc. All Rights Reserved.