thehaw
New Contributor

FGT 60F issue with IPSec behind double NAT

Hello All,

Sorry if this was already answered.  I'm having a weird issue with a Site to Site VPN where the Fortigate is sitting behind a double NAT (Carrier Grade NAT from the Provider + NAT from an LTE Modem).  

The setup line diagram looks something like this:

(LAN IP 172.X.X.X) Fortigate (Public Static IP) <-> (Public IP X.X.X.X) Carrier Grade NAT <-> (Private IP 100.X.X.X) Router <-> (Private IP 192.168.2.X) Fortigate <-> (192.168.10.X) LAN Block

I am able to bring up the VPN however I am unable to pass any traffic.  

I am noticing something weird on the IPSec Negotiation (but I'm not sure it matters) where the IKE establishes on port 4501. I know with NAT the alternate port used is 4500 but is it possible that with double NAT port 4501 is chosen?  (just weird).

In any case, I am unable to pass traffic in either direction even though the Tunnel is established.

Any suggestions?  

PS.  NAT-T is enabled and has been tested as "enabled" and as "forced" and both options yield the same result.

I'm going to try to upgrade the Fortigate behind the NAT to the latest version (just in case this is a known bug) but I wanted to bounce the problem to the list and see if anyone has encountered this issue before.

Thank you!

Adrian

8 REPLIES
thehaw
New Contributor

Forgot to mention, I do have the static Routes in place and the Policies allowing bi-directional traffic to and from the VPN to the LAN Zone.

emnoc
Esteemed Contributor III

Did you "diag debug flow" and "diag sniffer packet any "host x.x.x.x"" where x.x.x.x is the remote gateway?

UDP port 4501 does not seem right; can you double-check that? And was anything changed on either of the 2x FGT with regard to the IKE port being used? Execute "diag vpn ike gateway list" and look at the sport-dport for the peer.

BTW, CGNAT should not impact you for IKE or ESP, but make sure you have proper IKE KAs set up. I would do something ridiculous like 10-15 secs.

Ken Felix

PCNSE NSE StrongSwan
thehaw
New Contributor

Thanks for the suggestion.  I will take a look at them and provide the feedback shortly.  I'm just going through the upgrade of the OS now to make sure it's not a bug in the firmware.  I was on 6.0.6 before and I am going to the latest build of 6.4.5 for now.

thehaw
New Contributor

OK, so the upgrade did not help. However, the issue still persists. I have a feeling that something in between the HO Fortigate and the site Fortigate is changing the ports. I've also read a bit more about RFC 3947 and there is no mention of 4501. So I think I'm dealing with a router that's not complying with RFC 3947.

Here is a quick snippet from the Site Perspective (site behind double NAT; 192.168.2.100 = Outside IP of Fortigate):

+++++++++++++++++++++++++++++++++

name=TEST_VPN ver=1 serial=2 192.168.2.100:4500->X.X.X.X:4500 dst_mtu=1500 bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=13 ilast=9 olast=9 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=keepalive draft=32 interval=10 remote_port=4500 proxyid=TEST_VPN proto=0 sa=1 ref=2 serial=2 auto-negotiate

+++++++++++++++++++++++++++++++++

and here is the same command from the HO Perspective: (Y.Y.Y.Y is the GNAT IP)

+++++++++++++++++++++++++++++++++

name=TEST_VPN ver=1 serial=1a X.X.X.X:4500->Y.Y.Y.Y:4501 dst_mtu=1492 bound_if=54 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/984 options[03d8]=npu create_dev no-sysctl rgwy-chg rport-chg frag-rfc accept_traffic=1 parent=TEST_VPN index=0 proxyid_num=1 child_num=0 refcnt=9 ilast=58 olast=58 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=1 natt: mode=silent draft=32 interval=10 remote_port=4501 proxyid=Orsitel_TEST proto=0 sa=1 ref=2 serial=1 add-route

+++++++++++++++++++++++++++++++++

I was able to see the same behaviour with non-Fortigate equipment also... so the conclusion is that somewhere between the GNAT and the Remote Fortigate something is not compliant.  

I'll start with getting the customer to replace the Router in-between.
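As an added example (not part of this thread and not Fortinet tooling), here is a small Python script that parses the two `diag vpn ike gateway list` records quoted above and compares what each end believes the peer's UDP port to be. The two records are embedded as constructed sample strings copied from the posts, with the thread's X.X.X.X / Y.Y.Y.Y placeholders kept as-is. The reading of the `rport-chg` option flag as "remote port changed" and the 10-15 second keepalive threshold are assumptions taken from this thread, not from Fortinet documentation.

```python
import re
from typing import Dict, List, Union

Gateway = Dict[str, Union[str, int, List[str]]]

# Constructed sample: the two gateway-list excerpts posted in the thread, each
# joined into one line. X.X.X.X = HO public IP, Y.Y.Y.Y = CGNAT public IP
# (the thread's own placeholders).
SITE_VIEW = (
    "name=TEST_VPN ver=1 serial=2 192.168.2.100:4500->X.X.X.X:4500 dst_mtu=1500 "
    "bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 "
    "options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0 "
    "proxyid_num=1 child_num=0 refcnt=13 ilast=9 olast=9 ad=/0 "
    "stat: rxp=0 txp=0 rxb=0 txb=0 "
    "dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 "
    "natt: mode=keepalive draft=32 interval=10 remote_port=4500 "
    "proxyid=TEST_VPN proto=0 sa=1 ref=2 serial=2 auto-negotiate"
)
HO_VIEW = (
    "name=TEST_VPN ver=1 serial=1a X.X.X.X:4500->Y.Y.Y.Y:4501 dst_mtu=1492 "
    "bound_if=54 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/984 "
    "options[03d8]=npu create_dev no-sysctl rgwy-chg rport-chg frag-rfc "
    "accept_traffic=1 parent=TEST_VPN index=0 proxyid_num=1 child_num=0 "
    "refcnt=9 ilast=58 olast=58 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 "
    "dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=1 "
    "natt: mode=silent draft=32 interval=10 remote_port=4501 "
    "proxyid=Orsitel_TEST proto=0 sa=1 ref=2 serial=1 add-route"
)

_NAME = re.compile(r"\bname=(\S+)")
_ENDPOINTS = re.compile(r"([\w.]+):(\d+)->([\w.]+):(\d+)")
_OPTIONS = re.compile(r"options\[\w+\]=(.*?)\s+\w+=")  # flags up to the next key=
_STAT = re.compile(r"stat: rxp=(\d+) txp=(\d+)")
_NATT = re.compile(r"natt: mode=(\S+) draft=\d+ interval=(\d+) remote_port=(\d+)")


def parse_gateway(text: str) -> Gateway:
    """Pull the fields that matter for a NAT-T problem out of one gateway record."""
    name = _NAME.search(text)
    ep = _ENDPOINTS.search(text)
    opts = _OPTIONS.search(text)
    stat = _STAT.search(text)
    natt = _NATT.search(text)
    if not (name and ep and stat and natt):
        raise ValueError("not a gateway-list record")
    return {
        "name": name.group(1),
        "local_ip": ep.group(1), "local_port": int(ep.group(2)),
        "remote_ip": ep.group(3), "remote_port": int(ep.group(4)),
        "options": opts.group(1).split() if opts else [],
        "rxp": int(stat.group(1)), "txp": int(stat.group(2)),
        "natt_mode": natt.group(1),
        "natt_interval": int(natt.group(2)),
        "natt_remote_port": int(natt.group(3)),
    }


def diagnose(site: Gateway, ho: Gateway) -> List[str]:
    """Compare both ends' view of the same tunnel and list NAT-T anomalies."""
    findings: List[str] = []
    # The site sends IKE and UDP-encapsulated ESP from its own port; HO records
    # the port it actually received from. A difference means a NAT on the path
    # rewrote the source port, so HO's replies go to that rewritten port and
    # every NAT hop must translate it back to the site.
    if site["local_port"] != ho["remote_port"]:
        findings.append(
            f"port rewrite: site sends from UDP {site['local_port']} but HO sees "
            f"{ho['remote_ip']}:{ho['remote_port']}; replies go to that port and "
            "must be mapped back by each NAT on the path"
        )
    # Assumption: rport-chg in the options list marks a peer port change.
    if "rport-chg" in ho["options"]:
        findings.append("HO marked rport-chg: peer source port differs from the expected one")
    # Counters at zero on both ends: the SA is up but no ESP has arrived anywhere,
    # consistent with reply traffic being dropped before it reaches the site.
    if site["rxp"] == 0 and ho["rxp"] == 0:
        findings.append("rxp=0 on both ends: tunnel negotiated but no ESP received")
    # The NATed side should send the NAT-T keepalives, at a short interval so the
    # CGNAT and LTE router bindings stay alive (10-15 s as suggested in the thread).
    if site["natt_mode"] != "keepalive" or site["natt_interval"] > 15:
        findings.append(
            f"site natt mode={site['natt_mode']} interval={site['natt_interval']}s: "
            "NATed peer should send keepalives at a short interval"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_gateway(SITE_VIEW), parse_gateway(HO_VIEW)):
        print("-", finding)
```

Run against the two records from the thread it reports three things: the site sends from UDP 4500 while HO sees Y.Y.Y.Y:4501, HO carries the rport-chg flag, and rxp is 0 on both ends; the site's keepalive setting (mode keepalive, 10 s) passes the check. A source-port rewrite by itself is normal NAT behaviour, so the script flags it as the mapping to verify on each NAT hop (CGNAT and LTE router) rather than as a fault.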

emnoc
Esteemed Contributor III

Can you try IKEv2 and update if this resolves the issue?

Ken Felix

PCNSE NSE StrongSwan
thehaw
New Contributor

It made no difference with IKEv2. What I've noticed is when I do a packet debug on the HO device I see the ICMP test traffic hitting the HO LAN through the VPN; however, the reply never makes it to the site.

So if I packet debug at the remote site I never see any packets coming through the VPN.

I have a feeling that the traffic is being sent back on port 4501 which goes nowhere.

I'm currently looking to replace the Router (LTE Router) with one that bridges the IP to the Fortigate so that double-NAT doesn't come into play anymore and it just leaves the CGNAT only.

I have a few setups behind CGNAT and they work ok... so I have a feeling this LTE Router/Modem is problematic.

Toshi_Esumi
Esteemed Contributor III

I would contact the carrier first to ask if they're changing/filtering UDP 4500.

emnoc
Esteemed Contributor III

I highly doubt they are changing the dst-port; the src-port can be any port greater than 0 for NAT-T ISAKMP.

Ken Felix

PCNSE NSE StrongSwan