Sorry if this was already answered. I'm having a weird issue with a Site to Site VPN where the Fortigate is sitting behind a double NAT (Carrier Grade NAT from the Provider + NAT from an LTE Modem).
The setup line diagram looks something like this:
(LAN IP 172.X.X.X) Fortigate (Public Static IP) <-> (Public IP X.X.X.X) Carrier Grade NAT <-> (Private IP 100.X.X.X) Router <-> (Private IP 192.168.2.X) Fortigate <-> (192.168.10.X) LAN Block
I am able to bring up the VPN however I am unable to pass any traffic.
I am noticing something weird on the IPSec Negotiation (but I'm not sure it matters) where the IKE establishes on port 4501. I know with NAT the alternate port used is 4500 but is it possible that with double NAT port 4501 is chosen? (just weird).
In any case, I am unable to pass traffic in either direction even though the Tunnel is established.
PS. NAT-T is enabled and has been tested as "enabled" and as "forced" and both options yield the same result.
I'm going to try an upgrade of the FortiGate behind the NAT to the latest version (just in case this is a known bug), but I wanted to bounce the problem to the list and see if anyone has encountered this issue before.
Did you run "diag debug flow" and "diag sniffer packet any 'host x.x.x.x'", where x.x.x.x is the remote gateway?
UDP port 4501 does not seem right; can you double check that? And was anything changed on either of the 2x FGTs with regards to the IKE port being used? Execute "diag vpn ike gateway list" and look at the sport-dport for the peer.
BTW, CGNAT should not impact you for IKE or ESP, but make sure you have proper IKE KAs set up. I would do something ridiculous like 10-15 secs.
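As an added example (not part of this thread), a small Python parser for the kind of "diag sniffer packet" output suggested above: it reports which UDP port the remote gateway is seen on, so a port rewritten by a NAT in the path (4501 instead of 4500) shows up immediately. The sniffer line shape, the addresses and the sample lines are all assumed/constructed for the example.

```python
import re
from collections import Counter

# Assumed line shape of FortiGate "diag sniffer packet" output (verbosity 4):
# <date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <proto> <len>
SNIFFER_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+)"
)
NAT_T_PORT = 4500  # UDP port NAT-T (RFC 3947/3948) is expected on


def parse_sniffer(text):
    """Return one dict per packet line that has ports; other lines (e.g. ICMP) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            pkts.append(d)
    return pkts


def natt_port_report(pkts, peer):
    """Summarise the NAT-T port pairs exchanged with the remote gateway `peer`.
    translated=True means the peer is seen on a port other than 4500, i.e. a NAT
    between the two gateways rewrote the remote side's source port; our replies
    then go to that rewritten port and depend entirely on the NAT mapping."""
    peer_ports, counts = Counter(), {"in": 0, "out": 0}
    for p in pkts:
        if p["proto"] != "udp":
            continue
        if p["dir"] == "in" and p["src"] == peer and p["dport"] == NAT_T_PORT:
            peer_ports[p["sport"]] += 1
            counts["in"] += 1
        elif p["dir"] == "out" and p["dst"] == peer and p["sport"] == NAT_T_PORT:
            peer_ports[p["dport"]] += 1
            counts["out"] += 1
    translated = any(port != NAT_T_PORT for port in peer_ports)
    return {"peer_ports": dict(peer_ports), "translated": translated, **counts}


# Constructed sample, HO FortiGate perspective: 203.0.113.10 is the HO public IP,
# 198.51.100.7 the CGNAT address the remote site appears from (not real captures).
SAMPLE = """\
2021-02-10 10:00:00.000001 wan1 in 198.51.100.7.4501 -> 203.0.113.10.4500: udp 124
2021-02-10 10:00:00.000002 wan1 out 203.0.113.10.4500 -> 198.51.100.7.4501: udp 108
2021-02-10 10:00:01.000003 wan1 in 198.51.100.7.4501 -> 203.0.113.10.4500: udp 152
2021-02-10 10:00:01.000004 port2 in 192.168.10.5 -> 172.16.1.20: icmp: echo request
"""

if __name__ == "__main__":
    print(natt_port_report(parse_sniffer(SAMPLE), "198.51.100.7"))
```

Compare the reported peer port with the sport-dport shown by "diag vpn ike gateway list" on both gateways; if the two boxes disagree, the rewrite is happening between them.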
Thanks for the suggestion. I will take a look at them and provide the feedback shortly. I'm just going through the upgrade of the OS now to make sure it's not a bug in the firmware. I was on 6.0.6 before and I am going to the latest build of 6.4.5 for now.
OK, so the upgrade did not help. However, the issue still persists. I have a feeling that something in between the HO FortiGate and the site FortiGate is changing the ports. I've also read a bit more about RFC 3947 and there is no mention of 4501. So I think I'm dealing with a router that's not complying with RFC 3947.
Here is a quick snippet from the site perspective (site behind double NAT; 192.168.2.100 = outside IP of the FortiGate):
It made no difference with IKE v2. What I've noticed is when I do a packet debug on the HO device I see the ICMP test traffic hitting the HO LAN through the VPN however the reply never makes it to the site.
So if I packet debug at the remote site I never see any packets coming through the VPN.
I have a feeling that the traffic is being sent back on port 4501 which goes nowhere.
I'm currently looking to replace the router (LTE router) with one that bridges the IP to the FortiGate so that double NAT doesn't come into play anymore and it just leaves the CGNAT only.
I have a few setups behind CGNAT and they work OK... so I have a feeling this LTE router/modem is problematic.