Description
This article describes the most common issues with IPsec tunnels found at TAC, with deployments where the FortiGate appliances are behind NAT devices, and do not have the Public IP directly configured under the WAN interface.
Scope
FortiOS.
Solution
The topology below, with both units behind NAT, is used to demonstrate the scenario:
Scenario: Only 1 of the sites has port-forwarding configured for UDP 500 and 4500.
Ideally, both sites should have port-forwarding (also called DNAT, Destination NAT) configured on the ISP's Customer Premises Equipment (CPE) for UDP ports 500 and 4500. This allows each FortiGate to send IPsec control-plane and data-plane traffic to the remote gateway's public IP (which is set on the ISP modem/router), and the CPE forwards and DNATs this traffic to the FortiGate's private WAN IP.
If for some reason it is not possible to perform port forwarding at one of the sites, the following will occur:
The animation shows the FortiGate at Site A, on the left, as the initiator of the IPsec tunnel (yellow arrows). Site B does not have port-forwarding configured on the ISP router, so this traffic never reaches the FortiGate at Site B: it hits the ISP router and is dropped as unsolicited traffic.
For this scenario to work, traffic would have to be initiated by Site B.
This is what will happen:
Yellow arrows:
1. Site B initiates an IPsec connection to Site A.
2. This communication has source IP 192.168.2.1:500 and destination 1.1.1.1:500.
3. Traffic hits Site B's ISP device and gets source-NATed to source 2.2.2.2:500, destination 1.1.1.1:500.
4. Traffic arrives at Site A's ISP CPE and gets DNATed to source 2.2.2.2:500, destination 192.168.1.1:500, since the CPE has port-forwarding configured.
Green arrows:
5. Site A replies. Since Site B was the initiator and the ISP CPE at Site B created a NAT session (point 3), the CPE allows the reply in, and it reaches FortiGate B. The same events, 1-5, repeat for the Phase 2 negotiation, but using UDP port 4500.
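To make the five steps concrete, the following Python model is an added example (not from the original article): it simulates each ISP CPE as a stateful NAT, using the article's addresses, and shows that the tunnel only comes up when Site B initiates. It assumes one inside host per CPE, so UDP source ports are preserved unchanged through the NAT.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatCpe:
    """ISP CPE modelled as a stateful NAT in front of one FortiGate.
    Outbound packets are source-NATed to the public IP and recorded as a
    session; inbound packets are admitted only if they match a session
    (a reply) or a port-forward (DNAT) for their destination port.
    Assumption: one inside host, so UDP ports are preserved unchanged."""

    def __init__(self, public_ip, inside_ip, forwards=()):
        self.public_ip, self.inside_ip = public_ip, inside_ip
        self.forwards = set(forwards)   # UDP ports DNATed to inside_ip
        self.sessions = set()           # (inside_port, remote_ip, remote_port)

    def outbound(self, pkt):
        self.sessions.add((pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.sessions or pkt.dst_port in self.forwards:
            return Packet(pkt.src_ip, pkt.src_port, self.inside_ip, pkt.dst_port)
        return None   # unsolicited: dropped by the CPE

def exchange(init_gw, init_cpe, resp_cpe, port):
    """One request/reply on UDP `port` from the initiator's FortiGate (private
    IP init_gw) to the responder's public IP. Returns (request_ok, reply_ok)."""
    req = init_cpe.outbound(Packet(init_gw, port, resp_cpe.public_ip, port))
    delivered = resp_cpe.inbound(req)
    if delivered is None:
        return False, False
    reply = resp_cpe.outbound(Packet(delivered.dst_ip, port, delivered.src_ip, port))
    return True, init_cpe.inbound(reply) is not None

def tunnel_comes_up(initiator):
    """Run IKE (UDP 500) then NAT-T/Phase 2 (UDP 4500) with 'A' or 'B' initiating.
    Site A's CPE forwards 500 and 4500; Site B's CPE forwards nothing."""
    site_a = NatCpe("1.1.1.1", "192.168.1.1", forwards={500, 4500})
    site_b = NatCpe("2.2.2.2", "192.168.2.1")
    gws = {"A": ("192.168.1.1", site_a, site_b), "B": ("192.168.2.1", site_b, site_a)}
    gw, init_cpe, resp_cpe = gws[initiator]
    return all(all(exchange(gw, init_cpe, resp_cpe, p)) for p in (500, 4500))
```

`tunnel_comes_up("A")` returns False because Site B's CPE drops the unsolicited IKE packet, while `tunnel_comes_up("B")` returns True.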
To make sure Site B is always the initiator for this tunnel, change the tunnel configuration at Site A so that it acts only as a responder: either make it a dial-up tunnel or enable passive mode. See:
Technical Tip: How to make sure the FortiGate will act as a responder in site-to-site IPsec VPN