FortiClient
svishal
Staff
Article Id 369599
Description

This article describes how, when a new VPN connection is created in FortiClient v7.4.1 or v7.4.2 using IKEv2 as the protocol with the default VPN settings, NAT-T (NAT Traversal) is disabled.

Scope

Users connecting from the same public IP, or sitting behind a NAT device, can experience symptoms such as no network access or one-way traffic (zero bytes received shown in the FortiClient VPN status) after connecting to an IPsec VPN that uses IKEv2 as the protocol.

Solution

To enable NAT Traversal on a connection profile, take one of the following actions.

Unmanaged or unlicensed FortiClient: in the FortiClient GUI, edit the VPN connection and apply one of the following two options.

Option 1: Change 'Encapsulation' from the default 'IKE UDP Port' to 'Auto'.

Option 2: Take a backup of the configuration and, in a text editor, change the value of 'nat_traversal' in the configuration file from 0 to 1. Save the file and restore the configuration to FortiClient.

EMS-managed FortiClient:

  1. If the Remote Access (VPN) profile was created in a previous version of EMS and migrated to EMS v7.4.1+, it keeps the old settings until the profile is changed, updated, and saved.
  2. Any new IKEv2 VPN profile created in EMS v7.4.1+ with Encapsulation set to 'IKE UDP Port' will always have NAT-T=0: <transport_mode>0</transport_mode> automatically forces <nat_traversal>0</nat_traversal>.
  3. The solution is to set Encapsulation to Auto (XML tag <transport_mode>2</transport_mode>), which allows <nat_traversal> to be controlled.
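
As an added example (not Fortinet's code), the Python script below audits a FortiClient configuration backup for connections with NAT-T disabled and applies the Option 2 change together with the Auto encapsulation from item 3 above: <transport_mode> is set to 2 and <nat_traversal> to 1. Only those two tags are taken from this article; the surrounding XML structure and the connection names are constructed assumptions, so adjust the element paths to match a real backup.

```python
import xml.etree.ElementTree as ET

# Constructed sample backup. <transport_mode> and <nat_traversal> are the
# tags named in the article; the surrounding element names and the
# connection names are assumptions, not the real FortiClient schema.
SAMPLE_BACKUP = """<forticlient_configuration>
  <vpn><ipsecvpn><connections>
    <connection>
      <name>HQ-IKEv2</name>
      <transport_mode>0</transport_mode>
      <nat_traversal>0</nat_traversal>
    </connection>
    <connection>
      <name>Branch-Auto</name>
      <transport_mode>2</transport_mode>
      <nat_traversal>1</nat_traversal>
    </connection>
  </connections></ipsecvpn></vpn>
</forticlient_configuration>"""


def find_nat_t_disabled(xml_text):
    """Return the names of connections whose nat_traversal is 0."""
    root = ET.fromstring(xml_text)
    return [
        conn.findtext("name", default="<unnamed>")
        for conn in root.iter("connection")
        if conn.findtext(".//nat_traversal", default="").strip() == "0"
    ]


def enable_nat_t(xml_text):
    """Apply the article's fix to every affected connection and return
    (fixed_xml, number_of_connections_changed)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for conn in root.iter("connection"):
        nat_t = conn.find(".//nat_traversal")
        if nat_t is None or (nat_t.text or "").strip() != "0":
            continue
        mode = conn.find(".//transport_mode")
        # Encapsulation 'IKE UDP Port' (transport_mode 0) always forces
        # nat_traversal to 0, so switch to Auto (2) before enabling NAT-T.
        if mode is not None and (mode.text or "").strip() == "0":
            mode.text = "2"
        nat_t.text = "1"
        changed += 1
    return ET.tostring(root, encoding="unicode"), changed
```

Run it against a copy of the exported backup and restore the rewritten file in FortiClient as described in Option 2.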

FortiGate configuration:

If the FortiGate is always behind NAT for dial-up IPsec tunnels, it is recommended to force-enable NAT Traversal in the FortiOS IKEv2 phase1-interface settings:

config vpn ipsec phase1-interface
    edit <dialup tunnel name>
        set nattraversal forced
    next
end

Note

For the issue described in this article, the FortiGate change above (nattraversal set to forced) does not help.

macOS FortiClient:

A related issue may affect FortiClient v7.4.2 on macOS; it will be resolved in FortiClient v7.4.3+. The issue is related to using a UDP port lower than 1024 when initiating an IKE request from FortiClient on macOS.

Related document:

FortiClient 7.4.1 new features