Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

How do I create IPsec VPN tunnels behind port NAT routers or Dual carrier LTE routers?

I have several remote stations connected by IPsec VPN. I use a combination of FG 30e and 40f on those stations. there are several configs and most of them works fine. 
But I run into trouble when the FG needs to traverse a router that use port NAT or dual Carrier LTE.
Actually port NAT is not a problem until now, when I have to place two FG's behind the same router. So both FG's use the same external IP on the internet. I have not found a way to config this so the central FW can separate the two VPN tunnels. 
Wen using an LTE router everything woks fine until the router change carrier, and by that change its external IP. The tunnel falls down, and we have to wait until it change back to the IP of the original carrier. 
I have not been able to create a config that can use both IP's. Am I missing something?

Of course, all these problems would have gone away if I could set up the VPN-tunnel using something other than an external IP that I can't control, like a serial-number, internal IP, or whatever. 
Is there any options I'm unaware of?


Can you use Dynamic DNS instead of the IP for the VPN configuration?  Are you using a dial-up VPN from the side connected to LTE?


I need to educate me a bit about how Dynamic DNS works to answer that. To me it seems DDNS solves the problem of the FG WAN interface getting av DHCP address, which is not the case here. THe FG wan interface is a static private IP. The problem arise when the gateway either change the external IP which the VPN tunnel use, or when two of my FG's go throug the same port-nating GW and end up with the same IP for two tunnels.
There are no dialup, the connections are always up.


Yeah sounds like you will need to engage the cellular provider to remove their CG-NAT or enable some sort of passthrough/DMZ on their modem.  Not sure where you are located but in the US there are many providers who will provide a public IP directly.

New Contributor III



Have you enabled IPSec VPN passthrough on the modem? Additionally, is NAT-T enabled in the IPSec tunnel?

Additionally, you mentioned that both firewalls use the same external IP address on the internet. In this case, the Head Office firewall will receive two IPSec requests from the branch location with the same source port, which can cause duplicate requests.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors