Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ABE_63
New Contributor III

4G sim only has private IP address, VPN from working

I have been experimenting with different sim card vendors in a Fortigate 60F-3G/4G. I have been trying to establish a remote access VPN connection to fortigate over 4G. So far I have been able to create a VPN connection locally so I know I understand the process and how it should work. I have also managed to get this working when the Fortigate is connected to the internet on it's WAN1 interface. I noticed when I insert a sim card, unlike the WAN 1 interface, the sim card interface (WWAN) receives a private IP address.

I have tried:

Vodafone: APN wap.vodafone.co.uk 

O2: APN payandgo.o2.co.uk

3: automatically assign APN

 

Vodaphone sim was a pay monthly, I tried with both pay monthly and pay as you go O2 sim and the 3 sim was pay as you go. On all sim's i can ping out to the internet from the Fortigate just fine. 

 

I've also tried using DDNS (use public IP) with no joy. Any help is greatly appreciated!

5 REPLIES 5
AEK
Honored Contributor II

If I understand well, such sim is good for client applications (web browsing and so) but not for server apps, since your provider gives you a private address, so I guess it is not suitable for VPN server.

AEK
AEK
adambomb1219
Contributor III

Almost all cellular carriers use CG-NAT.  You will need to request your provider to give you a public IP directly to your SIM Card.
What do you need inbound for on the cellular interface?  Cellular failover is not typically a solution for inbound public connectivity. 

ABE_63
New Contributor III

Provider has said I need an IOT sim. Not entirely sure what the difference is but I'm guessing it's one that has a publicly assigned IP as opposed to CG-NAT.

 

Inbound on cellular is so i can make a secure connection to a moving vehicle when out of WiFi range.

adambomb1219

Yeah only your provider can answer these questions.  But why not then build an outbound IPSec tunnel then?

Toshi_Esumi
Esteemed Contributor III

I don't know UK situations. But in the US, we can get routable static IP services with separate APNs at least from "big three" carriers (VZW, AT&T, T-Mobile). You need to pay extra monthly in addition you might need to have a business account with them (cost a chuck at the beginning).
I would try ask your carrier if that's an option.

 

Toshi

Labels
Top Kudoed Authors