ssriswadpong
Staff
Article Id 383623
Description This article describes a scenario where an IPsec VPN tunnel is established without NAT-Traversal, although NAT traversal is configured on it, because the FortiGate has multiple dialup tunnels with the same proposal.
Scope FortiGate.
Solution

Topology:

[Topology diagram not reproduced here: the HQ FortiGate (203.0.113.1 on port1) terminates two dialup IPsec tunnels, 'A_No-NAT-T' to Branch1 and 'B_NAT-T' to Branch2, where Branch2 sits behind a NAT device.]


The HQ FortiGate has two dialup tunnels, one per branch, configured with the same proposal. The only difference is that the branch 2 tunnel 'B_NAT-T' has NAT traversal enabled ('set nattraversal forced') because branch 2 sits behind a NAT device, while 'A_No-NAT-T' has it disabled. Since both gateways are dynamic ('set type dynamic') on the same interface, the peer ID ('set peerid') is what distinguishes the two branches.

 

config vpn ipsec phase1-interface
    edit "A_No-NAT-T"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype one
        set net-device disable
        set proposal aes128-sha256
        set add-route disable
        set dpd on-idle
        set nattraversal disable
        set peerid "Branch1"
        set psksecret <password>
    next
    edit "B_NAT-T"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype one
        set net-device disable
        set proposal aes128-sha256
        set add-route disable
        set dpd on-idle
        set nattraversal forced
        set peerid "Branch2"
        set psksecret <password>
    next
end

 

The tunnel 'B_NAT-T' comes up without NAT-Traversal even though it is configured with 'set nattraversal forced': IKE stays on UDP port 500 and ESP is not UDP-encapsulated. Running IKE debugging on the HQ FortiGate ('diagnose debug application ike -1' followed by 'diagnose debug enable') shows that the SA_INIT from branch 2 is matched against gateway 'A_No-NAT-T' first, so HQ ignores the NAT_DETECTION notifies sent by branch 2:

 

HQ # ike 0: comes 198.51.100.1:500->203.0.113.1:500,ifindex=6,vrf=0....
ike 0: IKEv2 exchange=SA_INIT id=05f00193fecee086/0000000000000000 len=448
ike 0: in xxxxxx
ike 0:05f00193fecee086/0000000000000000:29: responder received SA_INIT msg
ike 0:05f00193fecee086/0000000000000000:29: received notify type NAT_DETECTION_SOURCE_IP
ike 0:05f00193fecee086/0000000000000000:29: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:05f00193fecee086/0000000000000000:29: received notify type FRAGMENTATION_SUPPORTED
ike 0:05f00193fecee086/0000000000000000:29: incoming proposal:
ike 0:05f00193fecee086/0000000000000000:29: proposal id = 1:
ike 0:05f00193fecee086/0000000000000000:29: protocol = IKEv2:
ike 0:05f00193fecee086/0000000000000000:29: encapsulation = IKEv2/none
ike 0:05f00193fecee086/0000000000000000:29: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:05f00193fecee086/0000000000000000:29: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:05f00193fecee086/0000000000000000:29: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:05f00193fecee086/0000000000000000:29: type=DH_GROUP, val=MODP2048.
ike 0:05f00193fecee086/0000000000000000:29: type=DH_GROUP, val=MODP1536.
ike 0:05f00193fecee086/0000000000000000:29: matched proposal id 1
ike 0:05f00193fecee086/0000000000000000:29: proposal id = 1:
ike 0:05f00193fecee086/0000000000000000:29: protocol = IKEv2:
ike 0:05f00193fecee086/0000000000000000:29: encapsulation = IKEv2/none
ike 0:05f00193fecee086/0000000000000000:29: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:05f00193fecee086/0000000000000000:29: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:05f00193fecee086/0000000000000000:29: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:05f00193fecee086/0000000000000000:29: type=DH_GROUP, val=MODP2048.
ike 0:05f00193fecee086/0000000000000000:29: lifetime=86400
ike 0:05f00193fecee086/0000000000000000:29: SA proposal chosen, matched gateway A_No-NAT-T
ike 0:A_No-NAT-T: created connection: 0x10513840 6 203.0.113.1->198.51.100.1:500.
ike 0:A_No-NAT-T:29: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:A_No-NAT-T:29: ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
ike 0:A_No-NAT-T:29: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:A_No-NAT-T:29: ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_IP)
ike 0:A_No-NAT-T:29: processing notify type FRAGMENTATION_SUPPORTED
ike 0:A_No-NAT-T:29: responder preparing SA_INIT msg
ike 0:A_No-NAT-T:29: generate DH public value request queued
ike 0:A_No-NAT-T:29: responder preparing SA_INIT msg
ike 0:A_No-NAT-T:29: compute DH shared secret request queued
ike 0:A_No-NAT-T:29: responder preparing SA_INIT msg
ike 0:A_No-NAT-T:29: out xxxxxx
ike 0:A_No-NAT-T:29: sent IKE msg (SA_INIT_RESPONSE): 203.0.113.1:500->198.51.100.1:500, len=368, vrf=0, id=05f00193fecee086/032cc56e44c136cb
ike 0:A_No-NAT-T:29: IKE SA 05f00193fecee086/032cc56e44c136cb SK_ei 16:1962BD6F29767370EFD2DFF6BA0824CC
ike 0:A_No-NAT-T:29: IKE SA 05f00193fecee086/032cc56e44c136cb SK_er 16:15B0A005C9D18F138566E92DD376C1C8
ike 0:A_No-NAT-T:29: IKE SA 05f00193fecee086/032cc56e44c136cb SK_ai 32:E6A8EF8B070C3F77B2B352F2284565DF72C626542C3CFD4621B132D67A48DBB2
ike 0:A_No-NAT-T:29: IKE SA 05f00193fecee086/032cc56e44c136cb SK_ar 32:ED4B5BB6071FB5E118BCF92CBD6BFEA6905A2B8CED55AE583F52EB7059F00F18
ike 0: comes 198.51.100.1:500->203.0.113.1:500,ifindex=6,vrf=0....
ike 0: IKEv2 exchange=AUTH id=05f00193fecee086/032cc56e44c136cb:00000001 len=240
ike 0: in xxxxxx
ike 0:A_No-NAT-T:29: dec 05F00193FECEE086032CC56E44C136CB2E20230800000001000000C3230000042900000F020000004272616E6368322700000800004000290000280200000
0F419D61BAB9F9C2B023FEC64A2E2E6188A1C14EC5F1407D474746B9EA9A2FD8621000008000040242C00002C000000280103040371A6E2E20300000C0100000C800E00800300000803000
00200000008050000002D00001801000000070000100000FFFF0A20BF000A20BFFF0000001801000000070000100000FFFFC0A86300C0A863FF
ike 0:A_No-NAT-T:29: responder received AUTH msg
ike 0:A_No-NAT-T:29: processing notify type INITIAL_CONTACT
ike 0:A_No-NAT-T:29: processing notify type MESSAGE_ID_SYNC_SUPPORTED
ike 0:A_No-NAT-T:29: received peer identifier FQDN 'Branch2'
ike 0:A_No-NAT-T:29: re-validate gw ID
ike 0:A_No-NAT-T: change phase1 profile to B_NAT-T

ike 0:B_NAT-T:29: gw validation OK
ike 0:B_NAT-T:29: auth verify done
ike 0:B_NAT-T:29: responder AUTH continuation
ike 0:B_NAT-T:29: authentication succeeded
ike 0:B_NAT-T:29: responder creating new child

....

....

ike 0:B_NAT-T_0:29:B_NAT-T:9: sending SNMP tunnel UP trap
ike 0:B_NAT-T_0: tunnel up event
ike 0:B_NAT-T_0:29: enc xxxxx
ike 0:B_NAT-T_0:29: out xxxxx
ike 0:B_NAT-T_0:29: sent IKE msg (AUTH_RESPONSE): 203.0.113.1:500->198.51.100.1:500, len=224, vrf=0, id=05f00193fecee086/032cc56e44c136cb:00000001
ike 0:B_NAT-T_0: link is idle 6 203.0.113.1->198.51.100.1:0 dpd=1 seqno=1 rr=0

 

The reason is that in IKEv2 the peer ID is only sent in the IKE_AUTH exchange, which is encrypted. When the HQ FortiGate receives the IKE_SA_INIT message it has no peer ID with which to identify the correct tunnel (B_NAT-T); it can only match the incoming SA proposal against its dynamic gateways, and with identical proposals the first match, A_No-NAT-T, is selected. Because NAT traversal is disabled on that gateway, the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifies are ignored and the SA_INIT response does not carry HQ's own NAT-D payloads, so NAT-T is never negotiated. When the peer ID 'Branch2' arrives in IKE_AUTH, the gateway is re-validated and the profile is switched to B_NAT-T ('change phase1 profile to B_NAT-T' in the debug above), but the NAT-T decision was already taken during SA_INIT and is not revisited, so the tunnel stays on UDP port 500.

 

To avoid this problem, the NAT-T tunnel and the no-NAT-T tunnel must be distinguishable from the SA_INIT message alone, that is, configured with different proposal values (IKE version, DH group, or encryption and authentication algorithm). The proposal sets of the two gateways should not overlap, and each branch should propose only what its own HQ gateway accepts; otherwise the first-match selection can still land on the wrong gateway. A different peer ID alone is not sufficient, because it is not visible at SA_INIT.
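The following Python model reproduces the responder-side behaviour described in the two paragraphs above. It is an added illustration for this article, not Fortinet code: gateway selection at SA_INIT is modelled as "first dynamic gateway whose proposal matches", the NAT_DETECTION_*_IP payload is the RFC 7296 section 2.23 construction (SHA-1 over SPIi | SPIr | IP | port), and 'forced' is taken to mean UDP encapsulation even when no NAT is detected. Gateway and branch names come from the article; the branch's private address 192.168.99.2, the SPI and the HQ address constants are constructed lab values.

```python
"""Responder-side model of IKEv2 gateway selection and NAT detection.

Added illustration for this article, not Fortinet code. At IKE_SA_INIT the
responder knows only the peer's address and its SA proposal (the peer ID
arrives encrypted in IKE_AUTH), so the first dynamic gateway whose proposal
matches wins, and that gateway's nattraversal setting decides whether the
NAT-D notifies are processed at all. Addresses, SPI and the branch's
private IP below are constructed values.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Payload data of NAT_DETECTION_SOURCE_IP / _DESTINATION_IP (RFC 7296, 2.23)."""
    packed = ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(spi_i + spi_r + packed).digest()


@dataclass
class Phase1Gateway:
    name: str
    proposal: str       # value of 'set proposal', e.g. "aes128-sha256"
    nattraversal: str   # 'disable' | 'enable' | 'forced'
    peerid: str         # value of 'set peerid'


@dataclass
class SaInit:
    spi_i: bytes
    proposal: str
    src_ip: str          # initiator's own view of its address (pre-NAT)
    src_port: int
    dst_ip: str          # responder address as the initiator sees it
    dst_port: int
    seen_src_ip: str     # source address the responder sees on the wire (post-NAT)
    seen_src_port: int


HQ_IP, HQ_PORT = "203.0.113.1", 500   # constructed: HQ FortiGate port1 address


def select_at_sa_init(gateways: List[Phase1Gateway], msg: SaInit) -> Optional[Phase1Gateway]:
    """Peer ID is not available yet: the first gateway whose proposal matches is chosen."""
    return next((g for g in gateways if g.proposal == msg.proposal), None)


def process_sa_init(gateways, msg):
    gw = select_at_sa_init(gateways, msg)
    if gw is None:
        return {"gateway": None, "nat_t": False, "peer_nat": None, "port": None}
    if gw.nattraversal == "disable":
        # 'ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)' in the debug
        return {"gateway": gw.name, "nat_t": False, "peer_nat": None, "port": 500}
    spi_r = b"\x00" * 8  # responder SPI is still zero in the first SA_INIT message
    # hash the initiator sent, computed over the address it believes it has
    sent = nat_detection_hash(msg.spi_i, spi_r, msg.src_ip, msg.src_port)
    # hash the responder recomputes over the address the packet really came from
    seen = nat_detection_hash(msg.spi_i, spi_r, msg.seen_src_ip, msg.seen_src_port)
    peer_nat = sent != seen                   # 'NAT detected: PEER'
    local_nat = nat_detection_hash(msg.spi_i, spi_r, msg.dst_ip, msg.dst_port) != \
        nat_detection_hash(msg.spi_i, spi_r, HQ_IP, HQ_PORT)
    # 'forced' keeps UDP encapsulation even when no NAT is detected
    port = 4500 if (peer_nat or local_nat or gw.nattraversal == "forced") else 500
    return {"gateway": gw.name, "nat_t": True, "peer_nat": peer_nat, "port": port}


def negotiate(gateways, msg, peer_id):
    """SA_INIT selection, then the IKE_AUTH re-validation seen as 'change phase1 profile'."""
    init = process_sa_init(gateways, msg)
    by_id = next((g for g in gateways if g.peerid == peer_id), None)
    return {
        "sa_init_gateway": init["gateway"],
        "final_gateway": by_id.name if by_id else init["gateway"],
        "nat_t": init["nat_t"],        # fixed at SA_INIT, not revisited after the profile switch
        "peer_nat": init["peer_nat"],
        "port": init["port"],
    }


def branch2_sa_init(proposal: str) -> SaInit:
    """Branch2 behind a NAT device: private source address, public address seen by HQ."""
    return SaInit(spi_i=bytes.fromhex("05f00193fecee086"), proposal=proposal,
                  src_ip="192.168.99.2", src_port=500, dst_ip=HQ_IP, dst_port=HQ_PORT,
                  seen_src_ip="198.51.100.1", seen_src_port=500)


HQ_SAME_PROPOSAL = [Phase1Gateway("A_No-NAT-T", "aes128-sha256", "disable", "Branch1"),
                    Phase1Gateway("B_NAT-T", "aes128-sha256", "forced", "Branch2")]
HQ_DISTINCT = [Phase1Gateway("A_No-NAT-T", "aes128-sha256", "disable", "Branch1"),
               Phase1Gateway("B_NAT-T", "aes256-sha256", "forced", "Branch2")]


def broken_case():
    """Same proposal on both gateways: A wins at SA_INIT, NAT-T is lost."""
    return negotiate(HQ_SAME_PROPOSAL, branch2_sa_init("aes128-sha256"), "Branch2")


def fixed_case():
    """Distinct proposals: B wins at SA_INIT, peer NAT detected, UDP 4500."""
    return negotiate(HQ_DISTINCT, branch2_sa_init("aes256-sha256"), "Branch2")


if __name__ == "__main__":
    print("same proposal:   ", broken_case())
    print("distinct proposal:", fixed_case())
```

In the broken case the model ends on gateway B_NAT-T (the peer ID wins at IKE_AUTH) but with nat_t False and port 500, which is exactly the mismatch the first debug capture shows; in the fixed case the SHA-1 the initiator computed over 192.168.99.2 does not match the one HQ recomputes over 198.51.100.1, so the peer is flagged as being behind NAT and the exchange moves to 4500.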

 

In this example, the encryption and authentication algorithm in the 'B_NAT-T' proposal is changed to aes256-sha256 on HQ (the branch 2 FortiGate must be changed to match):

 

edit "B_NAT-T"
    set type dynamic
    set interface "port1"
    set ike-version 2
    set peertype one
    set net-device disable
    set proposal aes256-sha256
    set add-route disable
    set dpd on-idle
    set nattraversal forced
    set peerid "Branch2"
    set psksecret <password>

next
end 

 

With distinct proposals HQ matches gateway 'B_NAT-T' already at SA_INIT, processes the NAT-D payloads ('NAT detected: PEER'), and the exchange floats to UDP port 4500, as shown by the AUTH_RESPONSE sent from 203.0.113.1:4500 to 198.51.100.1:4500:

 

ike 0: comes 198.51.100.1:500->203.0.113.1:500,ifindex=6,vrf=0....
ike 0: IKEv2 exchange=SA_INIT id=32375bf5c7914912/0000000000000000 len=448
ike 0: in xxxxx
ike 0:32375bf5c7914912/0000000000000000:33: responder received SA_INIT msg
ike 0:32375bf5c7914912/0000000000000000:33: received notify type NAT_DETECTION_SOURCE_IP
ike 0:32375bf5c7914912/0000000000000000:33: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:32375bf5c7914912/0000000000000000:33: received notify type FRAGMENTATION_SUPPORTED
ike 0:32375bf5c7914912/0000000000000000:33: incoming proposal:
ike 0:32375bf5c7914912/0000000000000000:33: proposal id = 1:
ike 0:32375bf5c7914912/0000000000000000:33: protocol = IKEv2:
ike 0:32375bf5c7914912/0000000000000000:33: encapsulation = IKEv2/none
ike 0:32375bf5c7914912/0000000000000000:33: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:32375bf5c7914912/0000000000000000:33: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:32375bf5c7914912/0000000000000000:33: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:32375bf5c7914912/0000000000000000:33: type=DH_GROUP, val=MODP2048.
ike 0:32375bf5c7914912/0000000000000000:33: type=DH_GROUP, val=MODP1536.
ike 0: cache rebuild start
ike 0:A_No-NAT-T: cached as dynamic 'Branch1'
ike 0:B_NAT-T: cached as dynamic 'Branch2'
ike 0: cache rebuild done
ike 0:32375bf5c7914912/0000000000000000:33: matched proposal id 1
ike 0:32375bf5c7914912/0000000000000000:33: proposal id = 1:
ike 0:32375bf5c7914912/0000000000000000:33: protocol = IKEv2:
ike 0:32375bf5c7914912/0000000000000000:33: encapsulation = IKEv2/none
ike 0:32375bf5c7914912/0000000000000000:33: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:32375bf5c7914912/0000000000000000:33: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:32375bf5c7914912/0000000000000000:33: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:32375bf5c7914912/0000000000000000:33: type=DH_GROUP, val=MODP2048.
ike 0:32375bf5c7914912/0000000000000000:33: lifetime=86400
ike 0:32375bf5c7914912/0000000000000000:33: SA proposal chosen, matched gateway B_NAT-T
ike 0:B_NAT-T: created connection: 0x105137b0 6 203.0.113.1->198.51.100.1:500.
ike 0:B_NAT-T:33: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:B_NAT-T:33: processing NAT-D payload
ike 0:B_NAT-T:33: NAT detected: PEER
ike 0:B_NAT-T:33: process NAT-D
ike 0:B_NAT-T:33: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:B_NAT-T:33: processing NAT-D payload
ike 0:B_NAT-T:33: NAT detected: PEER
ike 0:B_NAT-T:33: process NAT-D
ike 0:B_NAT-T:33: processing notify type FRAGMENTATION_SUPPORTED

....

....

ike 0:B_NAT-T_0:33:B_NAT-T:12: sending SNMP tunnel UP trap
ike 0:B_NAT-T_0: tunnel up event
ike 0:B_NAT-T_0:33: enc xxxxx
ike 0:B_NAT-T_0:33: out xxxxx
ike 0:B_NAT-T_0:33: sent IKE msg (AUTH_RESPONSE): 203.0.113.1:4500->198.51.100.1:4500, len=224, vrf=0, id=32375bf5c7914912/d3276ffc4aa7933c:00000001
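The two debug captures above differ in a handful of lines, and on a busy gateway they are buried among other negotiations. The following Python triage script is an added example for this article, not a Fortinet tool: it scans 'diagnose debug application ike -1' output and, per negotiation, records the gateway matched at SA_INIT, whether the NAT-D notifies were ignored, whether the phase1 profile was switched after the peer ID arrived, and the UDP port the AUTH_RESPONSE left from. The sample input is a trimmed excerpt of the two captures shown above (constructed test data, not a full capture); the line formats and regular expressions are based only on the debug lines visible in this article.

```python
"""Triage of FortiGate IKE debug output for the gateway-mismatch symptom.

Added example for this article, not Fortinet tooling. The per-negotiation
prefix 'ike 0:<spi or gateway>:<number>:' is used to group lines, because
real debug output interleaves several negotiations. SAMPLE is a trimmed
excerpt of the article's two captures, used here as constructed test input.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RE_SA_INIT = re.compile(r"IKEv2 exchange=SA_INIT id=([0-9a-f]{16})/")
RE_PREFIX = re.compile(r"^ike 0:[^:\s]+:(\d+):")
RE_MATCHED = re.compile(r"SA proposal chosen, matched gateway (\S+)")
RE_NATD_IGNORED = re.compile(r"ignoring unauthenticated notify payload \(NAT_DETECTION_\w+\)")
RE_PEER_ID = re.compile(r"received peer identifier \w+ '([^']+)'")
RE_PROFILE_CHANGE = re.compile(r"change phase1 profile to (\S+)")
RE_NAT_DETECTED = re.compile(r"NAT detected: (\w+)")
RE_AUTH_RESPONSE = re.compile(r"sent IKE msg \(AUTH_RESPONSE\): \S+:(\d+)->\S+:(\d+)")


@dataclass
class Negotiation:
    number: int
    spi_i: Optional[str]
    sa_init_gateway: Optional[str] = None
    final_gateway: Optional[str] = None
    peer_id: Optional[str] = None
    natd_ignored: bool = False
    nat_detected: Set[str] = field(default_factory=set)
    auth_response_port: Optional[int] = None

    def verdict(self) -> str:
        # the symptom: NAT-D ignored under one gateway, then a switch to another one
        if self.natd_ignored and self.final_gateway not in (None, self.sa_init_gateway):
            return (f"NAT-T lost: SA_INIT matched {self.sa_init_gateway} (NAT-D ignored), "
                    f"peer ID {self.peer_id!r} later mapped to {self.final_gateway}")
        if self.nat_detected and self.auth_response_port == 4500:
            return (f"NAT-T negotiated on {self.final_gateway}: "
                    f"NAT detected {sorted(self.nat_detected)}, UDP 4500")
        if self.auth_response_port == 500:
            return f"no NAT-T on {self.final_gateway}: UDP 500"
        return "incomplete negotiation"


def parse_ike_debug(text: str) -> Dict[int, Negotiation]:
    negotiations: Dict[int, Negotiation] = {}
    pending_spi: Optional[str] = None
    current: Optional[Negotiation] = None
    for line in text.splitlines():
        m = RE_SA_INIT.search(line)
        if m:
            pending_spi = m.group(1)     # the next numbered line belongs to this IKE SA
            continue
        m = RE_PREFIX.match(line)
        if m:
            number = int(m.group(1))
            if number not in negotiations:
                negotiations[number] = Negotiation(number, pending_spi)
            current = negotiations[number]
        if current is None:
            continue                     # lines before the first negotiation
        m = RE_MATCHED.search(line)
        if m:
            current.sa_init_gateway = current.final_gateway = m.group(1)
        if RE_NATD_IGNORED.search(line):
            current.natd_ignored = True
        m = RE_PEER_ID.search(line)
        if m:
            current.peer_id = m.group(1)
        m = RE_PROFILE_CHANGE.search(line)   # unnumbered line, stays with 'current'
        if m:
            current.final_gateway = m.group(1)
        m = RE_NAT_DETECTED.search(line)
        if m:
            current.nat_detected.add(m.group(1))
        m = RE_AUTH_RESPONSE.search(line)
        if m:
            current.auth_response_port = int(m.group(1))
    return negotiations


def triage(text: str) -> List[str]:
    return [f"#{n} {neg.spi_i}: {neg.verdict()}"
            for n, neg in sorted(parse_ike_debug(text).items())]


# Constructed test input: trimmed excerpt of the article's two debug captures.
SAMPLE = """\
ike 0: IKEv2 exchange=SA_INIT id=05f00193fecee086/0000000000000000 len=448
ike 0:05f00193fecee086/0000000000000000:29: SA proposal chosen, matched gateway A_No-NAT-T
ike 0:A_No-NAT-T:29: ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
ike 0:A_No-NAT-T:29: ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_IP)
ike 0:A_No-NAT-T:29: received peer identifier FQDN 'Branch2'
ike 0:A_No-NAT-T: change phase1 profile to B_NAT-T
ike 0:B_NAT-T_0:29: sent IKE msg (AUTH_RESPONSE): 203.0.113.1:500->198.51.100.1:500, len=224, vrf=0, id=05f00193fecee086/032cc56e44c136cb:00000001
ike 0: IKEv2 exchange=SA_INIT id=32375bf5c7914912/0000000000000000 len=448
ike 0:32375bf5c7914912/0000000000000000:33: SA proposal chosen, matched gateway B_NAT-T
ike 0:B_NAT-T:33: NAT detected: PEER
ike 0:B_NAT-T_0:33: sent IKE msg (AUTH_RESPONSE): 203.0.113.1:4500->198.51.100.1:4500, len=224, vrf=0, id=32375bf5c7914912/d3276ffc4aa7933c:00000001
"""

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Feed it the saved debug output ('diagnose debug application ike -1' with 'diagnose debug enable', captured from the console) and look for "NAT-T lost" verdicts: each one names the gateway that won at SA_INIT and the one the peer ID later mapped to, which is the pair whose proposals need to be made distinct.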