Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JG-Lukas
New Contributor

Created on ‎05-10-2023 05:55 AM

FortiClient ipsec VPN over DS-Lite

Hello everyone,

 

I'm kind of curius at this point if there is any solution to this problem:

 

I have a Fortigate 60f (v7.0.10) setup to handle my ipsec VPN connections. There are site to site and end to site tunnels configured and working. The Fortigate is directly connected to the internet with a public IPv Adress.

One of the end to site VPN's is using the old Shrew Soft VPN Client and I want to switch to FortiClient. After a few frustrating failed tries to set up the tunnel I realized all the internet connections I tried used DS-Lite. When I connected my notebook with the FortiClient (v7.0.7.0345) installed over the SIM card it immediatly worked.

 

I saw for SSL VPN there is an extra configuration implemented to accept sessions over DS-Lite https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/766455/dual-stack-ipv4-and-i... .

Is there anything similar for ipsec VPN's or am I missing something?

 

The config which worked with FortiClient over the SIM card was installed over the wizard with the template "Remote Access", "Client-based", "FortiClient".

 

If you need any more information please let me know.

 

Thanks

 

Lukas

Labels:
2342
0 Kudos
4 REPLIES 4
adambomb1219
SuperUser
SuperUser

Created on ‎05-10-2023 07:21 AM

What is DS-Lite?

2332
0 Kudos
StefanH
Staff
Staff
In response to adambomb1219

Created on ‎02-20-2024 12:43 AM

Dual Stack Lite (DS-Lite) is an IPv6 transition solution for ISPs with IPv6 infrastructure to connect their IPv4 subscribers to the Internet.
DS-Lite uses IPv4-to-IPv6 tunneling to send a subscriber's IPv4 packet to the ISP through a tunnel in the IPv6 access network.

1703
0 Kudos
gfleming
Staff
Staff

Created on ‎05-11-2023 12:29 PM

Sounds like it might be a NAT issue? Check your VPN settings. For NAT Configuration, select The remote site is behind NAT.

Cheers,
Graham
2310
0 Kudos
slemke
New Contributor II

Created on ‎08-28-2024 03:40 AM Edited on ‎08-28-2024 03:41 AM

Hello,

 

same problem here today.
After some investigating it turns out that this is an MTU / Fragmentation issue. The MTU for IPV4 pakets on DS-Lite Connections is ~30 Bytes lower.
Lowering the MTU on the network interface of the device is one option (not a good one).

 

In our configuration we checked, that IKEv1 Fragmentation for the tunnel is enabled on the Fortigate (Phase-1 Definition, 'set fragmentation enable' - it´s enabled by default) and in the Forticlient-XML configuration the 'enable_ike_fragmentation' is set to '1' (XML Configuration).

 

With this adjustment the tunnel comes up on DS-Lite connections.

 

Thanks to the Forti-Support who helped in this issue!

 

Sebastian

1094
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.