FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description This article discusses about the nattraversal options available under the phase1 settings of an IPsec tunnel.
Solution Network Address Translation (NAT) is a way to convert private IP addresses to publicly routable Internet addresses and vice versa. When an IP packet passes through a NAT unit, the source or destination address in the IP header is modified. FortiGate units support NAT version 1 (encapsulate on port 500 with non-IKE marker), version 3 (encapsulate on port 4500 with non-ESP marker), and compatible versions.
NAT cannot be performed on IPsec packets in ESP tunnel mode because the packets do not contain a port number. As a result, the packets cannot be de multiplexed. To work around this, the FortiGate provides a way to protect IPsec packet headers from NAT modifications. When the Nat-traversal option is enabled, outbound encrypted packets are wrapped inside a UDP IP header that contains a port number. This extra encapsulation allows NAT units to change the port number without modifying the IPsec packet directly.
To provide the extra layer of encapsulation on IPsec packets, the Nat-traversal option must be enabled whenever a NAT unit exists between two FortiGate VPN peers or a FortiGate unit and a dial up client such as FortiClient. On the receiving end, the FortiGate unit or FortiClient removes the extra layer of encapsulation before decrypting the packet.
# config vpn ipsec phase1-interface edit "tunnel-name" set interface "wan1" set ike-version 2 set peertype any set net-device enable set proposal aes256-sha1 set nattraversal enable default setting is “enable” set psksecret <secret> next end
NAT Traversal.
The following nattraversal options are available under phase1 settings of an IPsec tunnel.
(tunnel-name) # set nattraversal enable <----- Enable IPsec NAT traversal. disable <----- Disable IPsec NAT traversal. forced <----- Force IPsec NAT traversal on.
Select Enable if a NAT device exists between the local FortiGate unit and the remote VPN peer. The local FortiGate unit and the remote VPN peer must have the same NAT traversal setting (both enabled or disabled) to connect reliably.
It has been observed while establishing an IPsec tunnel between FortiGate and another vendor unit that either the tunnel does not get established or traffic does not flow through an IPsec tunnel. Since each vendor has their own IPsec tunnel implementation, IPsec can be forced to use NAT traversal in such cases. If NAT is set to forced, the FortiGate will use a port value of zero when constructing the NAT discovery hash for the peer. This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.
If nattraversal is set to forced, the following output will be shown.
