Hi Community,
I have two sites which are both NATed and I would need to establish an IPSec site-to-site VPN connection. Both sites are equipped with FGT60s. Currently I'm not able to establish the connection; I would guess that the CGN is the reason for this, as a tunnel to a non-NATed site is working without any problem from both sites.
Does someone have a clue for me how to achieve the connection, or is this even possible? Not sure, as NAT is still a topic for me which causes my head to hurt.
Thanks a lot!
Hi @KVN001 ,
Welcome to the community.
It is possible to establish a site-to-site VPN between two NAT-ed FortiGates.
You should enable NAT-traversal on both peers. Please find more information at: Technical Tip: IPSec VPN nattraversal - Fortinet Community
Hi aionescu,
thanks for the quick reply! I already have set NAT-traversal to "Forced" (also tried with just "Enabled"), but both settings aren't working.
I can also not ping either of the two sites from outside (but the IP gets resolved). I guess this is also caused by the NATing of the provider(s)?
Hi, can you provide the relevant configuration?
Also, the ike debug would provide some more information:
diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 x.x.x.x
(where x.x.x.x is the IP address of the remote peer)
diagnose debug application ike -1
diagnose debug enable
Hi aionescu
tried the commands as you suggested, but no output was visible?
I'm not that familiar with the CLI (shame, I know :)) - maybe I missed something?
Thanks!
Hi, is there a route towards the remote peer? Are there policies that reference the tunnel interface?
Hi KVN001
In addition to aionescu's comment, please also check if you have two-way traffic at both locations.
diag sniffer packet any 'host x.x.x.x' 4 0 a
Replace x.x.x.x with the public IP of the remote location at each end.
Thanks,
Shahan
Hi Shahan,
tried your command, not sure if this is helpful :)
Thanks!
When you say CG-NAT, I assume that means you don't have the ability to set up VIPs/port-forwarding on either side (and therefore are unable to send arbitrary traffic from one side to the other). Is that correct?
If yes, then you would need to rely on some sort of UDP hole-punching to "push through", and as far as I am aware (I may be wrong!), UDP hole punching has so far only been implemented for dynamic spoke-to-spoke tunnel creation in ADVPN scenarios. (i.e. you will most likely need a central hub to help facilitate this connection)
In other words, I suspect for a simple site-to-site setup, what you want to do is not currently possible with FortiGates.
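As an added illustration of the reachability argument in this reply (example code, not from the thread or from Fortinet): each side's WAN address is classified as public, behind a customer NAT router (RFC 1918) or behind carrier-grade NAT (RFC 6598, 100.64.0.0/10), and the pair is judged feasible only if at least one peer can be reached from the Internet. The `upstream_forwarding` flag is an assumption standing for "the device doing the NAT can forward UDP 500/4500 to the FortiGate"; with CGN that device is the carrier's, so the flag is ignored there.

```python
import ipaddress

# RFC 6598 shared address space: what a subscriber typically sees on the
# WAN interface when the provider runs carrier-grade NAT (CGN).
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr: str) -> str:
    """Classify the address the FortiGate's WAN interface actually holds."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_RANGE:
        return "cgnat"          # NAT belongs to the carrier, not the customer
    if ip.is_private:
        return "private-nat"    # behind a customer-owned NAT router (RFC 1918)
    return "public"


def _reachable(addr: str, upstream_forwarding: bool) -> bool:
    """True if the Internet can deliver IKE (UDP 500/4500) to this FortiGate."""
    kind = classify_wan_address(addr)
    if kind == "public":
        return True
    # A VIP on the FortiGate itself does not help: the hiding NAT sits upstream.
    # Only forwarding on that upstream box makes the peer reachable, and with
    # CGN no such box is under the customer's control.
    return kind == "private-nat" and upstream_forwarding


def site_to_site_feasible(side_a: tuple, side_b: tuple) -> tuple:
    """side_x = (wan_address, upstream_forwarding); returns (feasible, reason)."""
    kinds = {classify_wan_address(side_a[0]), classify_wan_address(side_b[0])}
    a_ok, b_ok = _reachable(*side_a), _reachable(*side_b)
    if kinds == {"public"}:
        return True, "no NAT in the path; NAT traversal optional"
    if a_ok or b_ok:
        return True, ("enable NAT traversal on both peers; the NATed side "
                      "initiates towards the reachable peer")
    return False, ("neither peer reachable (NAT/CGN on both sides): no direct "
                   "site-to-site tunnel; a hub with a public address is needed")


if __name__ == "__main__":
    # Constructed sample: both FGT60s got a CGN address from their providers.
    print(site_to_site_feasible(("100.72.3.9", True), ("100.80.1.2", True)))
```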
Hi pminarik
I can set VIPs and port forwarding on the FGTs, but it seems not to work. I tried forwarding a few ports to one of my servers behind the FGT and then had a port listener running there. I was not able to connect via Telnet or SSH to the open port :\
Interesting approach, I will read up on the topic and see if I can implement something like this!
Thanks!
Copyright 2024 Fortinet, Inc. All Rights Reserved.