Description | This article describes a possible cause of no traffic being seen on the FortiGate even after the proper route is pushed to the client when connected to a dialup VPN. |
Scope | FortiGate, FortiClient. |
Solution |
When connecting to an IPsec dialup VPN through FortiClient, there are situations where there is no communication through the tunnel even after a successful connection, with the proper route visible on the endpoint.
During troubleshooting, this traffic is not even seen on the FortiGate.
The cause is that NAT cannot be performed on IPsec packets in ESP tunnel mode because the packets do not contain a port number; as a result, the packets cannot be demultiplexed. The capture below, taken at the ISP level, shows the cause of the issue.
To resolve this issue, make sure that NAT-T is enabled in the VPN configuration on the FortiClient, as endpoints are mostly behind a NAT device.
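The following is an added illustration (not Fortinet code) of why a port-based NAT cannot demultiplex plain ESP but can handle NAT-T: it models a toy NAPT device keyed on the outer IP header plus transport ports, with two constructed clients behind it and constructed addresses (10.0.0.2, 10.0.0.3, 203.0.113.10, 198.51.100.1).

```python
from dataclasses import dataclass, replace
from typing import Optional

ESP, UDP, NAT_T_PORT = 50, 17, 4500   # IP protocol numbers; UDP port used by NAT-T

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for ESP: the ESP header carries no ports
    dport: Optional[int] = None

class Napt:
    """Toy NAPT keyed on the outer IP header plus transport ports (constructed model)."""
    def __init__(self, public_ip: str):
        self.public_ip, self.next_port = public_ip, 40000
        self.out = {}    # (inside ip, proto, inside port) -> public port, None for ESP
        self.back = {}   # (proto, peer, public port) -> [(inside ip, inside port), ...]

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.proto, pkt.sport)
        if key not in self.out:
            if pkt.sport is None:
                self.out[key] = None   # ESP: only the source IP can be rewritten
            else:
                self.out[key], self.next_port = self.next_port, self.next_port + 1
            self.back.setdefault((pkt.proto, pkt.dst, self.out[key]), []).append((pkt.src, pkt.sport))
        return replace(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        hosts = self.back.get((pkt.proto, pkt.src, pkt.dport), [])
        if len(hosts) != 1:
            return None   # no mapping, or several inside hosts match: cannot demultiplex
        ip, port = hosts[0]
        return replace(pkt, dst=ip, dport=port)

def demo():
    nat, gw, a, b = Napt("203.0.113.10"), "198.51.100.1", "10.0.0.2", "10.0.0.3"
    for client in (a, b):                         # plain ESP from two clients
        nat.outbound(Packet(client, gw, ESP))
    esp_reply = nat.inbound(Packet(gw, nat.public_ip, ESP))
    out_a = nat.outbound(Packet(a, gw, UDP, NAT_T_PORT, NAT_T_PORT))   # NAT-T
    out_b = nat.outbound(Packet(b, gw, UDP, NAT_T_PORT, NAT_T_PORT))
    reply_a = nat.inbound(Packet(gw, nat.public_ip, UDP, NAT_T_PORT, out_a.sport))
    reply_b = nat.inbound(Packet(gw, nat.public_ip, UDP, NAT_T_PORT, out_b.sport))
    return esp_reply, reply_a.dst, reply_b.dst   # (None, '10.0.0.2', '10.0.0.3')
```

With plain ESP the reply from the gateway matches both inside hosts and is dropped; with NAT-T each client owns a distinct public UDP port, so both replies are delivered.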
Results after NAT-T is enabled on the client:
Traffic is also then observed on the FortiGate:
Note: If the request is seen on the FortiGate, the issue is not related to NAT-T, and troubleshooting should continue on the firewall side for issues related to policy, routing, etc.
Related article: |
Copyright 2024 Fortinet, Inc. All Rights Reserved.