Description
This article describes how NAT-T (NAT traversal) ends up disabled when a new VPN connection using IKEv2 as the protocol is created with the default VPN settings in FortiClient v7.4.1 or v7.4.2.
Scope
Users connecting from the same public IP or sitting behind a NAT device can experience symptoms such as no network access and one-way traffic (zero bytes received shown in the FortiClient VPN status) after connecting to an IPsec VPN that uses IKEv2 as the protocol.
Solution
To enable NAT traversal on a connection profile, take one of the following actions:
Unmanaged or unlicensed FortiClient: In the FortiClient GUI, edit the VPN connection and use one of the following two options:
Option 1: Change 'Encapsulation' from the default 'IKE UDP Port' to 'Auto'.
Option 2: Back up the configuration, open the backup file in a text editor and change the value of 'nat_traversal' from 0 to 1. Save the file and restore the configuration to FortiClient.
EMS managed FortiClient:
- If the Remote Access (VPN) profile is created in previous versions of EMS and migrated to EMS v7.4.1+, it will have the old settings until the profile is changed, updated, and saved.
- Any new IKEv2 VPN profile created in EMS v7.4.1+ with Encapsulation set to 'IKE UDP Port' will always have NAT-T=0. Encapsulation 'IKE UDP Port' (<transport_mode>0</transport_mode>) always forces <nat_traversal>0</nat_traversal>. The solution is to set Encapsulation to 'Auto' (XML tag <transport_mode>2</transport_mode>), which allows <nat_traversal> to be controlled.
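The following script is an added example (not Fortinet code) that applies the checks from Option 2 and the EMS section above to an exported FortiClient XML backup: it lists connections whose encapsulation is 'IKE UDP Port' with NAT-T off, then rewrites them to 'Auto' with nat_traversal 1. Only the transport_mode and nat_traversal tags and their values come from this article; the sample backup, its nesting and the connection/name elements are constructed assumptions.

```python
"""Find FortiClient connections with <transport_mode>0 (IKE UDP Port), which
pins <nat_traversal> to 0, and rewrite them to <transport_mode>2 (Auto)
with <nat_traversal>1, as described in the article."""
import xml.etree.ElementTree as ET

# Constructed sample backup, not a real export. The surrounding nesting and
# the <connection>/<name> elements are assumptions for this example; only
# transport_mode and nat_traversal (and their values) come from the article.
SAMPLE_BACKUP = """<forticlient_configuration><vpn><ipsecvpn><connections>
  <connection><name>corp-ikev2</name><ike_settings>
    <transport_mode>0</transport_mode><nat_traversal>0</nat_traversal>
  </ike_settings></connection>
  <connection><name>lab-auto</name><ike_settings>
    <transport_mode>2</transport_mode><nat_traversal>1</nat_traversal>
  </ike_settings></connection>
</connections></ipsecvpn></vpn></forticlient_configuration>"""

IKE_UDP_PORT, AUTO = "0", "2"   # Encapsulation values carried by <transport_mode>


def _text(conn, tag):
    """Stripped text of the first descendant <tag> of a connection, or None."""
    el = conn.find(".//" + tag)
    return (el.text or "").strip() if el is not None else None


def find_nat_t_disabled(xml_text):
    """Names of connections using IKE UDP Port encapsulation with NAT-T off."""
    root = ET.fromstring(xml_text)
    return [_text(c, "name") for c in root.iter("connection")
            if _text(c, "transport_mode") == IKE_UDP_PORT
            and _text(c, "nat_traversal") == "0"]


def enable_nat_t(xml_text):
    """Return (fixed_xml, changed_names): switch flagged connections to Auto
    and set nat_traversal to 1, leaving other connections untouched."""
    root = ET.fromstring(xml_text)
    changed = []
    for conn in root.iter("connection"):
        if _text(conn, "transport_mode") == IKE_UDP_PORT:
            conn.find(".//transport_mode").text = AUTO
            conn.find(".//nat_traversal").text = "1"
            changed.append(_text(conn, "name"))
    return ET.tostring(root, encoding="unicode"), changed
```

Run it against a backup taken from FortiClient, review the reported names, then restore the rewritten file as in Option 2.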
FortiGate Configuration:
If the FortiGate is always behind NAT for dial-up IPsec tunnels, it is recommended to force-enable NAT traversal in the FortiOS IKEv2 phase1-interface settings:
config vpn ipsec phase1-interface
    edit <dialup tunnel name>
        set nattraversal forced
    next
end
Note:
For the issue described in this article, the FortiGate configuration change above (nattraversal set to forced) does not help, because the problem is the client-side setting.
macOS FortiClient:
A related issue may affect macOS FortiClient v7.4.2 and will be resolved in FortiClient v7.4.3+. That issue concerns FortiClient on macOS using a UDP source port below 1024 when initiating an IKE request.
Related document: