Help
FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
svishal
Staff
Staff

Created on ‎01-12-2025 11:42 PM Edited on ‎02-26-2025 10:19 PM By Community Manager

Article Id 369599

Troubleshooting Tip: IKEv2 IPSec VPN on FortiClient v7.4.1 and v7.4.2 has NAT-T disabled with default settings

Description

 

This article describes how, when creating a new VPN connection with FortiClient v7.4.1 or v7.4.2 that uses IKEv2 as the protocol with the default VPN settings, NAT-T is disabled.

 

Scope

 

Users connecting from the same public IP or sitting behind a NAT device can experience symptoms such as no network access and one-way traffic (zero bytes received shown in FortiClient VPN status) after connecting to VPN when using IPSec VPN with IKEv2 as the protocol.

 

Solution

 

To enable NAT-Traversal on a connection profile, the following actions can be taken:

 

Unmanaged or unlicensed FortiClient: On the FortiClient GUI, edit the VPN connection and go ahead with one of the following two options:

 

Option 1: Change the 'Encapsulation' from default - 'IKE UDP Port' to 'Auto':

 

auto FortiClient ikev2.png

 

Option 2: Take a backup of the configuration and use a text editor to edit the configuration file, change the value for 'nat_traversal' from 0 to 1. Save the file and restore the configuration to FortiClient:

 

backup restore fct.png

 

EMS managed FortiClient:

  1. If the Remote Access (VPN) profile is created in previous versions of EMS and migrated to EMS v7.4.1+, it will have the old settings until the profile is changed, updated, and saved.
  2. Any new IKEv2 VPN profile created in EMS v7.4.1+ with Encapsulation set as 'IKE UDP Port' will always have NAT-T=0 
    <transport_mode>0</transport_mode> will automatically always set <nat_traversal>0</nat_traversal>
  3. The solution is to set encapsulation to Auto (XML tag <transport_mode>2</transport_mode>), which allows control of <nat_traversal>.

IKE_SET_TO_AUTO.png

 

FortiGate Configuration:

If FortiGate is always behind NAT for dial-up IPSec tunnels, it is recommended to force-enable NAT on FortiOS IKEv2 tunnel settings.

 

config vpn ipsec phase1-interface
    edit <dialup tunnel name>
        set nattraversal forced
    next
end

 

Note

For the issue described in this document, the above configuration change (nattraversal set to forced) will not be helpful.

 

macOS FortiClient:

A related issue may affect macOS FortiClient v7.4.2, which will be resolved in FortiClient v7.4.3+. The issue is related to using a UDP port less than 1024 when initiating an IKE request from FortiClient on macOS.

 

Related document:

FortiClient 7.4.1 new features 

2150
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.