Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
KVN001
New Contributor

IPSec Site-to-Site VPN between two carrier grade natted Sites possible?

Hi Community,

I have two sites which are both natted and I would need to establish an IPsec site-to-site VPN connection. Both sites are equipped with FGT60s. Currently I'm not able to establish the connection; I would guess that the CGN is the reason for this, as a tunnel to a non-natted site is working without any problem from both sites.

Does someone have a clue for me on how to achieve the connection, or is this even possible? Not sure, as NAT is still a topic that makes my head hurt.

Thanks a lot!

aionescu
Staff

Hi @KVN001,

Welcome to the community.

It is possible to establish a site-to-site VPN between two NAT-ed FortiGates.

You should enable NAT-traversal on both peers. Please find more information at: Technical Tip: IPSec VPN nattraversal - Fortinet Community

KVN001

Hi aionescu,

thanks for the quick reply! I already have set NAT-traversal to "Forced" (also tried with just "Enabled") but both settings aren't working.

I also cannot ping either site from outside (but the IP gets resolved). I guess this is also caused by the NAT of the provider(s)?

aionescu

Hi, can you provide the relevant configuration?

Also, the ike debug would provide some more information:

diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 x.x.x.x
diagnose debug application ike -1
diagnose debug enable

(where x.x.x.x is the IP address of the remote peer)

KVN001

Hi aionescu

tried the commands as you suggested, but no output was visible?

I'm not that familiar with the CLI (shame, I know :)) - maybe I missed something?

[attachment: Capture.PNG]

Thanks!

aionescu

Hi, is there a route towards the remote peer? Are there policies that reference the tunnel interface?

sagha

Hi KVN001

In addition to aionescu's comment, please also check if you have two-way traffic at both locations.

diag sniffer packet any 'host x.x.x.x' 4 0 a

Replace x.x.x.x with the public IP of the remote location at each end.

Thanks, 

Shahan
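
An added example, not code from the thread or from Fortinet, that automates Shahan's two-way traffic check together with the original question of whether a site sits behind carrier-grade NAT: it parses constructed lines in the format of verbosity-4 `diag sniffer packet ... 4 0 a` output, reports whether IKE (UDP 500) and NAT-T (UDP 4500) packets are seen in both directions, and flags a WAN address in the RFC 6598 shared range 100.64.0.0/10, which is a direct sign of CGNAT. The line format, the interface name wan1 and all addresses are assumptions/constructed sample data.

```python
import ipaddress
import re

# Constructed sample of "diag sniffer packet any 'host x.x.x.x' 4 0 a" output
# (absolute timestamp, interface, direction, src.port -> dst.port: proto).
# Documentation/shared-range addresses only; shows outbound IKE with no replies.
SAMPLE_SNIFFER = """\
2024-01-10 09:15:01.101234 wan1 out 100.64.12.7.500 -> 203.0.113.9.500: udp 332
2024-01-10 09:15:03.101501 wan1 out 100.64.12.7.500 -> 203.0.113.9.500: udp 332
2024-01-10 09:15:07.102007 wan1 out 100.64.12.7.500 -> 203.0.113.9.500: udp 332
"""

# The timestamp (relative or absolute) is skipped; match from the interface on.
LINE_RE = re.compile(
    r"(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+(?P<proto>\w+)"
)
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
IKE_PORTS = {500, 4500}                         # IKE and NAT-T (UDP-encapsulated)

def analyse_sniffer(text):
    """Summarise IKE/NAT-T UDP traffic per direction from sniffer output."""
    seen = {"in": set(), "out": set()}  # peer-side UDP ports seen per direction
    local_addrs = set()                  # addresses this FortiGate sends from
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "udp":
            continue
        d = m["dir"]
        # The peer's port is the destination when outbound, the source when inbound.
        peer_port = int(m["dport"] if d == "out" else m["sport"])
        if peer_port in IKE_PORTS:
            seen[d].add(peer_port)
            local_addrs.add(m["src"] if d == "out" else m["dst"])
    key = (bool(seen["out"]), bool(seen["in"]))
    verdict = {
        (True, True): "two-way IKE traffic: peers reach each other, look at ike debug next",
        (True, False): "outbound only: replies never arrive (CGNAT or upstream filtering)",
        (False, True): "inbound only: local side is not initiating or not answering",
        (False, False): "no IKE traffic at all: check route, remote-gw and policy",
    }[key]
    return {
        "ports": seen,
        "two_way": all(key),
        "nat_t_seen": 4500 in (seen["in"] | seen["out"]),
        "wan_in_cgnat": any(ipaddress.ip_address(a) in CGNAT for a in local_addrs),
        "verdict": verdict,
    }
```

Run it on the real output from each FortiGate; outbound-only at both ends means neither side can receive the other's unsolicited UDP, which is the CGNAT symptom this thread is about.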

KVN001
New Contributor

Hi Shahan,

tried your command, not sure if this is helpful :)

[attachment: Capture.PNG]

Thanks!

pminarik
Staff

When you say CG-NAT, I assume that means you don't have the ability to set up VIPs/port-forwarding on either side (and therefore are unable to send arbitrary traffic from one side to the other). Is that correct?

If yes, then you would need to rely on some sort of UDP hole-punching to "push through", and as far as I am aware (I may be wrong!), UDP hole punching has so far only been implemented for dynamic spoke-to-spoke tunnel creation in ADVPN scenarios. (i.e. you will most likely need a central hub to help facilitate this connection)

In other words, I suspect for a simple site-to-site setup, what you want to do is not currently possible with FortiGates.

[ corrections always welcome ]
KVN001

Hi pminarik

I can set VIPs and port forwarding on the FGTs, but it seems not to work. I tried forwarding a few ports to one of my servers behind the FGT and had a port listener running there. I was not able to connect via Telnet or SSH to the open port :\

Interesting approach, I will read up on the topic and see if I can implement something like this!

Thanks!
