FortiGate
pmeet
Staff
Article Id 352403
Description This article describes a possible cause of traffic from a dialup IPsec VPN client not being seen on the FortiGate at all, even though the correct route is pushed to the client once it connects.
Scope FortiGate, FortiClient.
Solution

When connecting to an IPsec dialup VPN through FortiClient, there are situations where no traffic passes through the tunnel even though the connection succeeds and the correct route is present on the endpoint.

Topology used in this example:

  • 10.40.50.1 == client IP assigned when connected to the VPN.
  • 10.30.30.1 == destination IP that resides behind the FortiGate.
  • 10.200.200.2 == IP of the client as seen on the ISP side (the address after the NAT device).
  • 10.9.11.207 == remote gateway IP where the dialup server is configured.

[Screenshot: IP VPN CONNECTION.PNG]

[Screenshot: ping failed with IP.PNG]

During troubleshooting, this traffic is not seen on the FortiGate at all, not even in a sniffer trace taken on the FortiGate:

[Screenshot: sniffer mode.PNG]

The cause is that a NAT device cannot translate IPsec packets in ESP tunnel mode: ESP (IP protocol 50) carries no port numbers, so a port-based NAT has nothing to build a translation on and cannot demultiplex the packets back to the right internal host. The client's ESP packets are therefore dropped or mistranslated at the NAT and never reach the FortiGate. The capture below, taken at the ISP level, shows this:

[Screenshot: ESP block.PNG]

[Screenshot: ESP without NAT-T.PNG]

To resolve this issue, make sure NAT traversal (NAT-T) is enabled in the VPN configuration on the FortiClient, since endpoints are usually behind a NAT device. With NAT-T enabled, the peers detect the NAT during the IKE negotiation and encapsulate ESP in UDP on port 4500, which gives the NAT device a port to translate. NAT-T must also remain enabled on the FortiGate phase1 (it is enabled by default) for the detection to succeed.

[Screenshot: VPN5.PNG]

Results after NAT-T is enabled on the client:

[Screenshot: ping successful.PNG]

[Screenshot: WITH NAT-T.PNG]

Traffic is then also observed on the FortiGate:

[Screenshot: traffic sniffer.PNG]
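The FortiGate-side checks for this case, as an added example (these are FortiOS CLI commands written for this article's edit, not commands from the original article; lines starting with # are explanatory comments, not CLI input; the phase1 name "Dialup-VPN" is assumed, and the IP addresses are the ones from the topology above):

```fortios
# 1. Look at what actually arrives from the client's public (post-NAT) address.
#    With NAT-T off on the client you see IKE on udp/500 only, and raw ESP
#    (IP protocol 50) never shows up because the NAT device could not translate it.
#    With NAT-T on, IKE moves to udp/4500 and ESP arrives UDP-encapsulated on udp/4500.
diagnose sniffer packet any 'host 10.200.200.2 and (esp or udp port 500 or udp port 4500)' 4 0 l

# 2. Make sure the dialup phase1 on the FortiGate does not have NAT-T disabled.
#    'enable' (the default) negotiates NAT-T when a NAT is detected, 'forced'
#    always UDP-encapsulates, and 'disable' breaks every client behind a NAT
#    regardless of the FortiClient setting. "Dialup-VPN" is an assumed name.
show vpn ipsec phase1-interface Dialup-VPN
config vpn ipsec phase1-interface
    edit "Dialup-VPN"
        set nattraversal enable
    next
end

# 3. After the client reconnects with NAT-T enabled, confirm the IKE gateway and
#    the SA came up; the gateway entry reports whether NAT was detected.
diagnose vpn ike gateway list
diagnose vpn tunnel list

# 4. Finally confirm the client's traffic to the protected host is now seen on the
#    FortiGate, which is what the last sniffer screenshot above shows.
diagnose sniffer packet any 'host 10.40.50.1 and host 10.30.30.1' 4 0 l
```

Run step 1 while the client connects and then pings 10.30.30.1: if udp/500 packets arrive but nothing on udp/4500 and no ESP, the client is sending raw ESP that the NAT device cannot forward, which is the situation described in this article.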

Note:

If the client's request is seen on the FortiGate sniffer, NAT-T is not the cause. In that case continue troubleshooting on the firewall side, checking firewall policy, routing, and related configuration.

Related article:

Technical Tip: IPSec VPN NAT-traversal