Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MetFortiGatz
New Contributor

Fortigate on AWS IPSEC to Firewall OnPrem - NAT-T

Hello how are you, I hope you are very well.

 

I have a question that I would like to see if someone can help me. Thank you for your time, good vibes and collaboration.

 

Below I share a Link, where a Site to Site VPN is configured between a Fortigate on AWS and an On prem Firewall.

The Local ID and Peer ID thing is clear to me, now my question is the following.

 

As far as I was aware of using NAT traversal, when you have a device that is performing a NAT, for example, the internal firewall. This would be something, as far as I knew, similar to what AWS does with its public IPs, it does a kind of mapping, a 1:1 NAT, a forwarding to the internal resource.

 

Now this is my doubt, I would understand that there is the use of Nat-Traversal, for that condition, but there I see an example, below in the Link where they do not use it.

 

I understand that NAT traversal is mainly how the NAT device receives the UDP 500 from IPSEC, and to forward to an internal resource what it does is perform a NAT-T to forward the UDP 4500 to the equipment behind the NAT, but in this case In AWS there is no device that does this NAT, since it is only assumed because it goes from a mapping to Public IP to the internal of the Fortigate in AWS, but as you can see in none of the extremes of the example configuration it uses NAT-T, in the IPSEC Site to site VPN settings and it works perfectly.

 

So in this case it will be because when AWS maps that Public IP it is understood that there is no device that is receiving the UDP 500 therefore it forwards everything all everything, as a 1:1 NAT towards the Internal Fortigate, therefore the NAT-T ? 

 

Or those associations from AWS Public IP to AWS internal, in this case the Outside of the firewall, isn't that "association" as such a 1:1 NAT? so how does it work?

 

Thank you for your time, your good vibes and your collaboration.

 

The Link AWS Fortigate to on Prem Firewall:

https://tungle.ca/?p=1938 

 

I remain attentive to your comments, advice, recommendations, clarifications, details, everything, thank you.

 

Kind regards

 

3 REPLIES 3
kaman
Staff
Staff

Hello MetFortiGatz,

 

Network Address Translation (NAT) is a way to convert private IP addresses to publicly routable Internet addresses and vise versa. When an IP packet passes through a NAT device, the source or destination address in the IP header is modified. FortiGate units support NAT version 1 (encapsulate on port 500 with non-IKE marker), version 3 (encapsulate on port 4500 with non-ESP marker), and compatible versions.

NAT cannot be performed on IPsec packets in ESP tunnel mode because the packets do not contain a port number. As a result, the packets cannot be demultiplexed. To work around this, the FortiGate unit provides a way to protect IPsec packet headers from NAT modifications. When the Nat-traversal option is enabled, outbound encrypted packets are wrapped inside a UDP IP header that contains a port number. This extra encapsulation allows NAT devices to change the port number without modifying the IPsec packet directly.

Please refer to the below document for more understanding:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-nattraversal/ta-p/197873

MetFortiGatz

Hi @kaman  , thanks for your comments.

 

My question is more focused on how AWS does it, because the Internet Gateway, from what I see, does not do a NAT when EIP maps the public IP to the Private one, that Mapping is not a NAT from what I see is a forwarding, a forwarding routing type, because if you look at the Link that I shared, if it were NAT, and therefore the Forti Firewall, is behind the NAT, NAT Traversal should be used, but if you look at the Link, they configure it and not on both peers they use NAT-Traversal.

 

That is why I mainly doubt that AWS point towards the Firewall, towards the Outside/WAN IP of the fortigate, when you hit the public IP, I thought it was doing a 1:1 NAT towards the firewall IP, but apparently it is as a forwarding at the routing level, but you know about it, that's why I have my doubts and my question. If you check the link you can see for yourself.

 

The Link AWS Fortigate to on Prem Firewall:

 

https://tungle.ca/?p=1938 

 

Stay tuned

 

Greetings

MetFortiGatz

Hello @kaman , how are you, how are you doing, what do you think with the last comment and the link, the step by step where both ends do not use NAT-T, therefore it is not behind a NAT, which I thought so, Apparently AWS performs some kind of forwarding, but not a 1:1 input Nate, but a forwarding.

 

I hope you can help me and collaborate with this concern, thank you very much for your time and your collaboration.

 

Greetings

Labels
Top Kudoed Authors