FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 197873


This article discusses about the nat traversal options available under the phase 1 settings of an IPsec tunnel.






Network Address Translation (NAT) is a way to convert private IP addresses to publicly routable Internet addresses and vice versa.
When an IP packet passes through a NAT unit, the source or destination address in the IP header is modified.
FortiGate units support NAT version 1 (encapsulate on port 500 with non-IKE marker), version 3 (encapsulate on port 4500 with non-ESP marker), and compatible versions.

NAT cannot be performed on IPsec packets in ESP tunnel mode because the packets do not contain a port number.
As a result, the packets cannot be de multiplexed.
To work around this, the FortiGate provides a way to protect IPsec packet headers from NAT modifications.
When the Nat-traversal option is enabled, outbound encrypted packets are wrapped inside a UDP IP header that contains a port number.
This extra encapsulation allows NAT units to change the port number without modifying the IPsec packet directly.

To provide the extra layer of encapsulation on IPsec packets, the Nat-traversal option must be enabled whenever a NAT unit exists between two FortiGate VPN peers or a FortiGate unit and a dial up client such as FortiClient.
On the receiving end, the FortiGate unit or FortiClient removes the extra layer of encapsulation before decrypting the packet:


config vpn ipsec phase1-interface
    edit "tunnel-name"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes256-sha1
        set nattraversal enable  default setting is “enable”
        set psksecret <secret>


NAT Traversal.

The following nattraversal options are available under phase1 settings of an IPsec tunnel:


(tunnel-name) # set nattraversal
enable                           <----- Enable IPsec NAT traversal.
disable                          <----- Disable IPsec NAT traversal.
forced                           <----- Force IPsec NAT traversal on.




Select Enable if a NAT device exists between the local FortiGate and the remote VPN peer. The local FortiGate and the remote VPN peer must have the same NAT traversal setting (both enabled or disabled) to connect reliably.

It has been observed while establishing an IPsec tunnel between FortiGate and another vendor unit that either the tunnel does not get established or traffic does not flow through an IPsec tunnel.
Since each vendor has their own IPsec tunnel implementation, IPsec can be forced to use NAT traversal in such cases.
If NAT is set to force, the FortiGate will use a port value of zero when constructing the NAT discovery hash for the peer.
This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present.
This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.

If nat traversal is set to forced, the following output will be shown.


get vpn ipsec tunnel details | grep nat
    nat traversal mode: silent


Related document: