- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiADC
- FortiAnalyzer
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- How do I create IPsec VPN tunnels behind port NAT ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I create IPsec VPN tunnels behind port NAT routers or Dual carrier LTE routers?
Hi.
I have several remote stations connected by IPsec VPN. I use a combination of FG 30e and 40f on those stations. there are several configs and most of them works fine.
But I run into trouble when the FG needs to traverse a router that use port NAT or dual Carrier LTE.
Actually port NAT is not a problem until now, when I have to place two FG's behind the same router. So both FG's use the same external IP on the internet. I have not found a way to config this so the central FW can separate the two VPN tunnels.
Wen using an LTE router everything woks fine until the router change carrier, and by that change its external IP. The tunnel falls down, and we have to wait until it change back to the IP of the original carrier.
I have not been able to create a config that can use both IP's. Am I missing something?
Of course, all these problems would have gone away if I could set up the VPN-tunnel using something other than an external IP that I can't control, like a serial-number, internal IP, or whatever.
Is there any options I'm unaware of?
Labels:
- Labels:
-
IPsec
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you use Dynamic DNS instead of the IP for the VPN configuration? Are you using a dial-up VPN from the side connected to LTE?
Created on 06-06-2024 04:31 AM Edited on 06-06-2024 04:41 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to educate me a bit about how Dynamic DNS works to answer that. To me it seems DDNS solves the problem of the FG WAN interface getting av DHCP address, which is not the case here. THe FG wan interface is a static private IP. The problem arise when the gateway either change the external IP which the VPN tunnel use, or when two of my FG's go throug the same port-nating GW and end up with the same IP for two tunnels.
There are no dialup, the connections are always up.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah sounds like you will need to engage the cellular provider to remove their CG-NAT or enable some sort of passthrough/DMZ on their modem. Not sure where you are located but in the US there are many providers who will provide a public IP directly.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Have you enabled IPSec VPN passthrough on the modem? Additionally, is NAT-T enabled in the IPSec tunnel?
Additionally, you mentioned that both firewalls use the same external IP address on the internet. In this case, the Head Office firewall will receive two IPSec requests from the branch location with the same source port, which can cause duplicate requests.
Cheers,
Cheers,
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortigate OSPF routes 62 Views
- Strange Problem with SD WAN -... 154 Views
- Layer3 Fortiswitch 355 Views
- Connection across Hub and Spoke BGP 366 Views
Labels
-
FortiGate
7,091 -
FortiClient
1,397 -
5.2
801 -
5.4
639 -
FortiManager
615 -
FortiAnalyzer
449 -
6.0
416 -
FortiAP
371 -
FortiSwitch
368 -
5.6
362 -
FortiClient EMS
287 -
FortiMail
274 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
6.4
128 -
FortiNAC
123 -
FortiGuard
115 -
IPsec
105 -
SSL-VPN
99 -
FortiGateCloud
95 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
49 -
FortiADC
45 -
SD-WAN
44 -
Fortivoice
44 -
FortiEDR
43 -
FortiDNS
38 -
FortiExtender
36 -
FortiGate v5.4
35 -
FortiAuthenticator
33 -
FortiSandbox
33 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
High Availability
31 -
VLAN
29 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
22 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
LDAP
17 -
Interface
17 -
VDOM
17 -
Routing
15 -
FortiMonitor
14 -
Authentication
14 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
Logging
14 -
FortiDDoS
13 -
RADIUS
12 -
FortiCASB
12 -
NAT
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSL SSH inspection
10 -
SSO
10 -
Application control
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Static route
6 -
IPS signature
5 -
Packet capture
5 -
FortiAP profile
5 -
Automation
5 -
OSPF
5 -
trunk
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
3.6
4 -
FortiScan
4 -
Web rating
4 -
Intrusion prevention
4 -
FortiDeceptor
3 -
Multicast routing
3 -
System settings
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
Netflow
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
DLP sensor
2 -
Fabric connector
2 -
Multicast policy
1 -
4.0MR1
1 -
Zone
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
DLP Dictionary
1 -
DLP profile
1 -
Internet Service Database
1 -
Explicit proxy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1053 | |
| 867 | |
| 521 | |
| 441 | |
| 146 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.