Bognad
New Contributor

NAT-Traversal how enable on FortiGate

Hi everyone! I use only IPsec clients on the LAN. How do I enable NAT-traversal on the FortiGate NAT? I have no IPsec config on my FortiGate.

sw2090
Honored Contributor

On FortiGate, NAT-T is a setting of the IPsec tunnel. It can be enabled in there.

I am not sure if the wizard provides that upon creating a tunnel. Maybe you have to convert it into a custom tunnel after having created it to get access to the option.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Bognad
New Contributor

Hi sw2090!

Does FortiGate not support IPsec RA via NAT?

How do I use an IPsec client via FortiGate NAT?


sw2090
Honored Contributor

An IPsec tunnel must always have defined endpoints. So on the FGT it has to be tied to an interface.

NAT for internet access on a FGT is done via policy, so it will not affect IPsec (unless you NAT the policy for the traffic over the IPsec tunnel, of course).

So the client will have the external IP of that interface of the FGT as remote gateway. You do not need NAT-T because your FGT internet connection has NAT; you need it if the client is behind a NAT.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Bognad
New Contributor

sw2090 wrote:

An IPsec tunnel must always have defined endpoints. So on the FGT it has to be tied to an interface.

NAT for internet access on a FGT is done via policy, so it will not affect IPsec (unless you NAT the policy for the traffic over the IPsec tunnel, of course).

So the client will have the external IP of that interface of the FGT as remote gateway. You do not need NAT-T because your FGT internet connection has NAT; you need it if the client is behind a NAT.

Sorry, I uploaded the wrong image. Reuploaded.

My IPsec clients are behind NAT. I have no IPsec config on my FGT.

sw2090
Honored Contributor

OK, so you are not connecting a VPN to the FGT, are you?

Your clients want to do IPsec to something behind the FGT, right?

Then you need to forward the ports to that one:

500/udp for IPsec (ISAKMP/IKE)

4500/udp for NAT-T

Apart from this you don't need to set anything for IPsec or NAT-T on the FGT in this case.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

emnoc
Esteemed Contributor III

So in your case you need a policy to allow ISAKMP and ESP to the VPN server. Also it would be wise to make sure the "clients" have NAT-T timers set and to ensure your firewall policy is NOT expiring before the NAT-T timers. So you might need to increase the firewall policy timeout for that connection.

e.g.

config firewall service custom
    edit "NAT-T"
        set comment "custom NAT-T 500sec TTL"
        set udp-portrange 4500
        set session-ttl 500
    next
end

And you use that custom service in your firewall policy. So as long as the NAT-T keepalives fire off before 500 secs, that session will stay open.


Ken Felix

 

PCNSE 

NSE 

StrongSwan  

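An added example in Python (not from this thread and not Fortinet code) that checks the two points above from a capture: it classifies UDP/4500 datagrams the way RFC 3948 defines them (a one-byte NAT keepalive, IKE behind the four-byte non-ESP marker, or UDP-encapsulated ESP) and flags flows whose idle gap reaches a session TTL such as the 500 s service above, i.e. flows the firewall would have torn down before the next keepalive. The sample traffic, addresses and the zeroed IKE header are constructed.

```python
import struct
from collections import defaultdict

# Added example (not from this thread): classify UDP/4500 datagrams per RFC 3948
# and flag IPsec flows whose idle gap would outlive a firewall session TTL.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER_LEN = 28          # fixed IKE header size (RFC 7296, section 3.1)
ESP_HEADER_LEN = 8           # SPI (4 bytes) + sequence number (4 bytes), RFC 4303


def classify_nat_t_payload(payload: bytes) -> str:
    """Label a UDP/4500 payload as 'keepalive', 'ike', 'esp' or 'unknown'."""
    if payload == b"\xff":
        return "keepalive"                        # RFC 3948 s.2.3: single 0xFF byte
    if payload[:4] == NON_ESP_MARKER:
        # Non-ESP marker followed by a full IKE header (RFC 3948 s.2.2)
        return "ike" if len(payload) >= 4 + IKE_HEADER_LEN else "unknown"
    if len(payload) >= ESP_HEADER_LEN:
        spi = struct.unpack("!I", payload[:4])[0]
        return "esp" if spi != 0 else "unknown"   # SPI 0 is reserved, never on the wire
    return "unknown"


def flows_exceeding_ttl(records, session_ttl=500):
    """records: iterable of (t_seconds, src, dst, payload) seen on UDP/4500.
    Returns {(src, dst): largest idle gap} for every flow whose gap reaches
    session_ttl, i.e. a flow a firewall with that session-ttl would expire."""
    last_seen, worst_gap = {}, defaultdict(float)
    for t, src, dst, _payload in sorted(records, key=lambda r: r[0]):
        key = (src, dst)
        if key in last_seen:
            worst_gap[key] = max(worst_gap[key], t - last_seen[key])
        last_seen[key] = t
    return {k: gap for k, gap in worst_gap.items() if gap >= session_ttl}


# Constructed sample: client 10.0.0.5 sends NAT keepalives every 20 s for 10 min,
# client 10.0.0.7 is silent for 600 s between its IKE packet and its next ESP packet.
IKE_SA_INIT = NON_ESP_MARKER + bytes(IKE_HEADER_LEN)        # placeholder zeroed IKE header
ESP_PACKET = struct.pack("!II", 0x0A0B0C0D, 1) + b"\x00" * 16
SAMPLE = (
    [(20 * i, "10.0.0.5", "203.0.113.10", b"\xff") for i in range(1, 31)]
    + [(0, "10.0.0.7", "203.0.113.10", IKE_SA_INIT),
       (600, "10.0.0.7", "203.0.113.10", ESP_PACKET)]
)
```

With the sample above, only the 10.0.0.7 flow is reported for a 500 s TTL; lowering the TTL to 10 s would also flag the keepalive client, which is the mismatch the post warns about.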
Bognad
New Contributor

emnoc wrote:

So in your case you need a policy to allow ISAKMP and ESP to the VPN server. Also it would be wise to make sure the "clients" have NAT-T timers set and to ensure your firewall policy is NOT expiring before the NAT-T timers. So you might need to increase the firewall policy timeout for that connection.

e.g.

config firewall service custom
    edit "NAT-T"
        set comment "custom NAT-T 500sec TTL"
        set udp-portrange 4500
        set session-ttl 500
    next
end

And you use that custom service in your firewall policy. So as long as the NAT-T keepalives fire off before 500 secs, that session will stay open.

 

 

Ken Felix

 

Thanks, is NAT-T enabled by default on FortiGate?

I cannot edit NAT-T:


emnoc
Esteemed Contributor III

When the FortiGate acts as a VPN IPsec gateway, then yes, NAT-T is enabled by default, but that is not the case here based on what you posted and the numerous other parts of this thread. NAT-T is not involved on your FortiGate per your screenshot. NAT-T is an IKE function.

 

PCNSE 

NSE 

StrongSwan  
