FortiGate
Gab_FTNT
Staff & Editor
Article Id 389132
Description This article describes how to achieve site-to-site communication between a FortiGate that uses Starlink as its ISP and another FortiGate.
Scope FortiOS.
Solution Starlink uses Carrier-Grade Network Address Translation (CGNAT), a type of NAT deployed by ISPs, so the FortiGate behind Starlink has no public IP address of its own and cannot be reached directly.
To achieve site-to-site communication between the firewalls, a dial-up VPN tunnel must be used, with the FortiGate behind Starlink acting as the dial-up client, as shown in the following diagram.

(Diagram: Capture.PNG)


Because the CGNAT device rewrites the source address and port of outgoing traffic, NAT-T must be used so that the ESP packets are encapsulated in UDP port 4500 and can pass through the translation.

  1. Configure FortiGate as a dial-up client. See FortiGate as a dial-up client - FortiGate 7.2.0 administration guide.

  2. Make sure NAT-T is enabled on both sides of the tunnel.


config vpn ipsec phase1-interface
     edit "StarLink-VPN"
         set nattraversal enable
     next
end


  3. Test communication from the FortiGate behind CGNAT to the FortiGate on the other side.

Dial-up Client:
CLI1: exec ping <destination-IP>
CLI2: diagnose sniffer packet any " host <destination-IP> and icmp " 4 0 l

Dial-up Server:
CLI1: diagnose sniffer packet any " icmp " 4 0 l

  4. For troubleshooting purposes, run the following debug on both FortiGates.


diagnose debug reset
diagnose debug application ike -1
diagnose debug enable
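The following is an added example of a complete dial-up server and dial-up client configuration with NAT-T enabled on both sides; it is not configuration from the original article. The interface name wan1, the public address 203.0.113.5 of the dial-up server, the subnets 10.1.0.0/24 (server side) and 10.2.0.0/24 (client side), and the pre-shared key placeholder are assumptions and must be replaced with real values. The keepalive setting on the client is the NAT-T keepalive interval; it keeps the CGNAT translation for UDP 4500 alive while the tunnel is idle.

```fortios
# --- Dial-up SERVER (FortiGate with a public IP, 203.0.113.5) ---
config vpn ipsec phase1-interface
    edit "StarLink-VPN"
        set type dynamic              # accept connections from any peer address (client is behind CGNAT)
        set interface "wan1"          # assumed WAN interface name
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle               # detect a dead client so a stale SA does not linger
        set dpd-retryinterval 5
        set nattraversal enable       # required: the client's ESP arrives encapsulated in UDP 4500
        set psksecret <PRE-SHARED-KEY>   # placeholder
    next
end
config vpn ipsec phase2-interface
    edit "StarLink-VPN"
        set phase1name "StarLink-VPN"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 10.1.0.0 255.255.255.0   # assumed local LAN behind the server
        set dst-subnet 10.2.0.0 255.255.255.0   # assumed LAN behind the Starlink client
    next
end
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "StarLink-VPN"
    next
end

# --- Dial-up CLIENT (FortiGate behind Starlink CGNAT) ---
config vpn ipsec phase1-interface
    edit "StarLink-VPN"
        set interface "wan1"          # assumed interface facing the Starlink terminal
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.5     # public address of the dial-up server (assumed)
        set nattraversal enable       # required on this side as well
        set keepalive 10              # NAT-T keepalive interval in seconds; keeps the CGNAT mapping open
        set dpd on-idle
        set dpd-retryinterval 5
        set psksecret <PRE-SHARED-KEY>   # placeholder, must match the server
    next
end
config vpn ipsec phase2-interface
    edit "StarLink-VPN"
        set phase1name "StarLink-VPN"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable     # client must initiate, since the server cannot reach it
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 10.1.0.0 255.255.255.0
        set device "StarLink-VPN"
    next
end
```

Firewall policies between the LAN interface and the StarLink-VPN interface are still needed on both sides. Once the tunnel is up, the sniffer on the server side should show the client's traffic arriving as UDP on port 4500 rather than as raw ESP (IP protocol 50); if raw ESP appears, NAT-T was not negotiated and the phase1 settings above should be rechecked.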

