mass1q
New Contributor

IPsec VPN tunnel behind NAT devices at both sites

Hello,

I have 2 sites with 2 FortiGates that both have their WANs behind a NAT device. So basically at both sites I have a NAT router attached to the WAN, and the WAN has a private IP. Both connections have a public static IP. Is it possible to create an IPsec VPN between the two FortiGates?

Many topics have been discussed, but I could not find a specific answer to that. From the routers it is of course possible to forward any port to the WAN interface (NAT-T UDP 4500 or IPsec UDP 500, for example, should be forwarded, from my understanding). But will that be enough?

UnderscoresAndDashes
Contributor

I would think DDNS or a Dialup tunnel would be the best option.

mass1q

Yes, I found many articles about dialup tunnels when a NAT device is in front of the WAN, but I came across this article from support that seems to solve my problem:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPsec-when-FortiGate-is-behind-NAT/ta-p/33...

Basically it should be enough to forward the required ports and enable NAT-T. I was able to bring up the tunnel after forwarding UDP 500 and UDP 4500 to the WAN, but I am still struggling to forward traffic.

Toshi_Esumi

You still need the DDNS @UnderscoresAndDashes suggested if the public IP that your NAT/ISP router gets is not a static IP.

Toshi

mass1q

I have both static public IPs and overlapping subnets in the IPsec. Actually it seems to me a policy issue with routing, because the tunnel is up.
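The setup discussed in this thread (ports forwarded by the NAT routers, NAT-T enabled on the FortiGate) together with the route and policies a tunnel needs before it carries traffic, as an added example: this is hypothetical FortiOS CLI written for this thread, not the poster's configuration or the linked article's, and every address, interface name and object name in it is assumed.

```text
# Hypothetical FortiOS CLI for site A (added example, not from the thread).
# Assumed: wan1 has a private IP behind the NAT router; site B's public IP is
# 203.0.113.20; LAN A is 10.1.0.0/24, LAN B is 10.2.0.0/24; the LAN port is
# "internal". Each NAT router forwards UDP 500 and UDP 4500 to its FortiGate.
config vpn ipsec phase1-interface
    edit "siteB"
        set interface "wan1"
        # NAT-T wraps ESP in UDP 4500; keepalives stop the NAT mapping expiring
        set nattraversal enable
        set keepalive 10
        set remote-gw 203.0.113.20
        set psksecret PLACEHOLDER_PSK
    next
end
config vpn ipsec phase2-interface
    edit "siteB-p2"
        set phase1name "siteB"
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
# An established tunnel carries nothing until traffic is routed into it and a policy permits it each way.
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "siteB"
    next
end
config firewall policy
    edit 0
        set name "lan-to-siteB"
        set srcintf "internal"
        set dstintf "siteB"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "siteB-to-lan"
        set srcintf "siteB"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Site B mirrors this with the subnets and remote-gw swapped. If the two LANs overlap, as the last post mentions, a route and policy alone cannot tell the sides apart; each side then also has to translate its LAN to a non-overlapping range inside the tunnel (NAT on the tunnel policies) so the selectors and routes stay distinct.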
