FortiClient
svishal
Staff & Editor
Article Id 369599
Description

This article describes how NAT-T is disabled by default when a new VPN connection that uses IKEv2 as the protocol is created in FortiClient v7.4.1 or v7.4.2 with the default VPN settings.

Scope

Users connecting from the same public IP, or sitting behind a NAT device, can experience symptoms such as no network access and one-way traffic (zero bytes received shown in the FortiClient VPN status) after connecting to an IPsec VPN that uses IKEv2 as the protocol.

Solution

The issue is resolved in FortiClient Windows v7.4.3 and FortiClient EMS v7.4.3; in these versions, NAT Traversal is configurable in the GUI.

To enable NAT Traversal with FortiClient v7.4.1 or v7.4.2, take one of the following actions:

Unmanaged or unlicensed FortiClient: In the FortiClient GUI, edit the VPN connection and apply one of the following two options:

Option 1: Change 'Encapsulation' from the default 'IKE UDP Port' to 'Auto':

[Screenshot: auto FortiClient ikev2.png]

Option 2: Take a backup of the configuration, open the backup file in a text editor, and change the value of 'nat_traversal' from 0 to 1. Save the file and restore the configuration to FortiClient:

Note: The 'nat_traversal' setting is per profile, i.e. when using multiple profiles, make sure to edit it on each of them individually.

[Screenshot: backup restore fct.png]

[Screenshot: Nat_traversal.png]

EMS managed FortiClient:

  1. If the Remote Access (VPN) profile was created in a previous version of EMS and migrated to EMS v7.4.1+, it keeps the old settings until the profile is changed, updated, and saved.
  2. Any new IKEv2 VPN profile created in EMS v7.4.1+ with Encapsulation set to 'IKE UDP Port' will always have NAT-T=0: <transport_mode>0</transport_mode> automatically sets <nat_traversal>0</nat_traversal>.
  3. The solution is to set Encapsulation to Auto (XML tag <transport_mode>2</transport_mode>), which allows <nat_traversal> to be controlled.

[Screenshot: IKE_SET_TO_AUTO.png]
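As an added example (not part of this article and not a Fortinet tool), the following Python script audits a FortiClient configuration backup for the 'transport_mode' and 'nat_traversal' values of every VPN profile and rewrites them to Encapsulation=Auto with NAT-T enabled, covering both the per-profile edit in Option 2 and the transport_mode dependency described for EMS profiles. The backup layout (plain, unencrypted XML with a <name> child on each profile element) is an assumption; only the two tag names come from the article.

```python
# Assumptions (not from the KB): the backup is plain XML and each VPN profile
# has a <name> child on an ancestor of its <nat_traversal>/<transport_mode>.
import xml.etree.ElementTree as ET

TRANSPORT_AUTO = "2"     # Encapsulation 'Auto' (tag value from the KB)
TRANSPORT_IKE_UDP = "0"  # Encapsulation 'IKE UDP Port' (tag value from the KB)

def _profile_name(elem, parents):
    """Walk up to the nearest ancestor with a <name> child and return its text."""
    node = parents.get(elem)
    while node is not None:
        name = node.find("name")
        if name is not None and name.text:
            return name.text
        node = parents.get(node)
    return "<unnamed>"

def audit_nat_traversal(xml_text):
    """Return {profile: (transport_mode, nat_traversal)} for every profile."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    result = {}
    for nt in root.iter("nat_traversal"):
        tm = parents[nt].find("transport_mode")
        result[_profile_name(nt, parents)] = (tm.text if tm is not None else None, nt.text)
    return result

def enable_nat_traversal(xml_text):
    """Set every profile to Encapsulation=Auto and nat_traversal=1;
    return (fixed_xml, names of the profiles that changed)."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    changed = []
    for nt in root.iter("nat_traversal"):
        tm = parents[nt].find("transport_mode")
        before = (tm.text if tm is not None else None, nt.text)
        if tm is not None and tm.text == TRANSPORT_IKE_UDP:
            tm.text = TRANSPORT_AUTO  # 'IKE UDP Port' would force nat_traversal back to 0
        nt.text = "1"
        if before != (tm.text if tm is not None else None, nt.text):
            changed.append(_profile_name(nt, parents))
    return ET.tostring(root, encoding="unicode"), changed

# Constructed two-profile sample in the assumed layout, not a real export.
SAMPLE = """<forticlient_configuration><vpn><ipsecvpn><connections>
<connection><name>HQ-IKEv2</name><ike_settings>
<transport_mode>0</transport_mode><nat_traversal>0</nat_traversal></ike_settings></connection>
<connection><name>Branch</name><ike_settings>
<transport_mode>2</transport_mode><nat_traversal>1</nat_traversal></ike_settings></connection>
</connections></ipsecvpn></vpn></forticlient_configuration>"""
```

Run audit_nat_traversal() on the backup before restoring it to confirm every profile reports ('2', '1'); a profile still showing transport_mode '0' will have nat_traversal forced back to 0 on the client.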

FortiGate Configuration:

If the FortiGate is always behind NAT for dial-up IPsec tunnels, it is recommended to force-enable NAT traversal in the FortiOS IKEv2 tunnel settings:

config vpn ipsec phase1-interface
    edit <dialup tunnel name>
        set nattraversal forced
    next
end

However, the FortiOS configuration above will not work around the issue on its own, since NAT traversal must also be enabled on the FortiClient side.

macOS FortiClient:

NAT Traversal is always force-enabled on macOS FortiClient, so these devices are not affected by the disabled NAT Traversal issue.

Related document:

FortiClient 7.4.1 new features