Umer221, Staff
Article Id 312548
Description: This article reproduces a working configuration for a site-to-site VPN between a SonicWall and a FortiGate that sits behind Starlink CGNAT, for the case where Phase 1 and Phase 2 negotiations consistently fail.
Scope: FortiOS, FortiGate, SonicWall, Starlink CGNAT.
Solution

First, make sure that the basic configuration matches on both sides, following the FortiGate-to-third-party article.


If the tunnel still does not come up after the basic configuration from the above article has been verified, make the following changes on both sides of the tunnel:


  1. Enable Forced NAT Traversal (NAT-T) on both sites under VPN -> IPsec Tunnels.


  2. Switch to IKEv1 -> Aggressive Mode:


Test the tunnel. If it still shows as offline, refer to the article Technical Tip: MTU override of IPsec VPN interface to enable MTU override and disable Anti-Replay, then test again.
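The same changes expressed as FortiOS CLI, added here as an example and not taken from the article: phase 1 on the FortiGate (the CGNAT side) with forced NAT-T and IKEv1 aggressive mode, phase 2 with anti-replay disabled, and the MTU override from the linked tip. The tunnel and interface names, the SonicWall address, the local ID, subnets, proposals, lifetimes and the MTU value are assumed placeholders and must be matched to what the SonicWall side is configured with.

```text
# Added example, not the article's own configuration. All names and values below are placeholders.
config vpn ipsec phase1-interface
    edit "to-sonicwall"                    # tunnel name (assumed)
        set interface "wan1"               # interface facing the Starlink router (assumed)
        set ike-version 1
        set mode aggressive                # step 2: IKEv1 Aggressive Mode
        set nattraversal forced            # step 1: Forced NAT Traversal
        set remote-gw 203.0.113.10         # SonicWall public IP (RFC 5737 placeholder)
        set localid "fgt-starlink"         # aggressive mode identifies the CGNAT peer by ID (assumed value)
        set peertype any
        set proposal aes256-sha256         # must match the SonicWall proposal (assumed)
        set dhgrp 14
        set keylife 28800                  # assumed; match the SonicWall lifetime
        set psksecret <PRE_SHARED_KEY>     # placeholder
    next
end
config vpn ipsec phase2-interface
    edit "to-sonicwall-p2"
        set phase1name "to-sonicwall"
        set proposal aes256-sha256         # must match the SonicWall proposal (assumed)
        set dhgrp 14
        set keylifeseconds 3600            # assumed; match the SonicWall lifetime
        set replay disable                 # anti-replay off, per the MTU override / anti-replay tip
        set src-subnet 192.168.10.0 255.255.255.0   # LAN behind the FortiGate (placeholder)
        set dst-subnet 192.168.20.0 255.255.255.0   # LAN behind the SonicWall (placeholder)
    next
end
config system interface
    edit "to-sonicwall"                    # the tunnel interface created by phase 1
        set mtu-override enable            # MTU override on the IPsec interface
        set mtu 1400                       # assumed value; tune to the Starlink path
    next
end
```

Remove the # comments before pasting into the FortiGate CLI. Because the FortiGate has no reachable public address behind CGNAT, it must be the side that initiates, so the SonicWall end needs no static peer address for it.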


If the issue persists, contact TAC and share the log output from the following debug commands:


diagnose vpn ike log-filter dst-addr4 <remote_peer_IP>
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

Note: Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.


Related article:

Technical Tip: Explaining IPsec Anti-replay and preventing packet drops.