On FortiGate, NAT-T is a setting of the IPSec tunnel. It can be enabled in there.
I am not sure if the wizard provides that upon creating a tunnel. Maybe you have to convert it into a custom tunnel after having created it to get access to the option.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi sw2090!
Does FortiGate not support IPsec RA via NAT?
How do I use an IPsec client via FortiGate NAT?
An IPSec always must have defined endings. So on the FGT it has to be tied to an interface.
NAT for internet access on a FGT is done via policy, so it will not affect IPSEC (unless you NAT the policy for the traffic over the IPSEC, of course).
So the client will have the external IP of that interface of the FGT as remote gateway. You do not need NAT-T because your FGT Internet connection has NAT; you need it if the client is behind a NAT.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Sorry, I uploaded the wrong image. Reuploaded.

sw2090 wrote:
> An IPSec always must have defined endings. So on the FGT it has to be tied to an interface.
>
> NAT for internet access on a FGT is done via policy, so it will not affect IPSEC (unless you NAT the policy for the traffic over the IPSEC, of course).
>
> So the client will have the external IP of that interface of the FGT as remote gateway. You do not need NAT-T because your FGT Internet connection has NAT; you need it if the client is behind a NAT.

My IPsec clients are behind NAT. I have no IPsec config on my FGT.
OK, so you are not connecting the VPN to the FGT, are you?
Your clients want to do IPSec to something behind the FGT, right?
Then you need to forward the ports to that one:
- 500/udp for IPSec
- 4500/udp for NAT-T

Apart from this, you don't need to set anything for IPSec or NAT-T on the FGT in this case.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
So in your case you need a policy allowing ISAKMP and ESP to the VPN server. Also, it would be wise to make sure the "clients" have NAT-T timers set and to ensure your firewall policy is NOT expiring before the NAT-T timers. So you might need to increase the firewall policy timeout for that connection.
e.g.
```
config firewall service custom
    edit "NAT-T"
        set comment "custom NAT-T 500sec TTL"
        set udp-portrange 4500
        set session-ttl 500
    next
end
```
And you use that custom service in your firewall policy. So as long as NAT-T keepalives fire off before 500 secs, that session will stay open.
Ken Felix
PCNSE
NSE
StrongSwan
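
The forwarding sw2090 describes, combined with emnoc's custom service, as an added FortiOS CLI example that is not from any poster in this thread. The interface names (`wan1`, `internal`), both addresses, the VIP and policy names and the `IKE-500` service are constructed placeholders; `NAT-T` is the custom service defined in the post above.

```fortios
config firewall service custom
    edit "IKE-500"
        set comment "example service: IKE on UDP 500 (placeholder name)"
        set udp-portrange 500
    next
end
config firewall vip
    edit "vpn-srv-ike"
        set comment "example VIP: addresses are documentation placeholders"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.20"
        set portforward enable
        set protocol udp
        set extport 500
        set mappedport 500
    next
    edit "vpn-srv-natt"
        set comment "example VIP: addresses are documentation placeholders"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.20"
        set portforward enable
        set protocol udp
        set extport 4500
        set mappedport 4500
    next
end
config firewall policy
    edit 0
        set name "inbound-ipsec-to-vpn-srv"
        set comments "example policy: forwards IKE and NAT-T to the internal VPN server"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vpn-srv-ike" "vpn-srv-natt"
        set action accept
        set schedule "always"
        set service "IKE-500" "NAT-T"
    next
end
```

Only the UDP 4500 flow picks up the 500-second `session-ttl`, so the clients' NAT-T keepalive interval has to stay below that value for the session to remain open.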
emnoc wrote:
> So in your case you need a policy allowing ISAKMP and ESP to the VPN server. Also, it would be wise to make sure the "clients" have NAT-T timers set and to ensure your firewall policy is NOT expiring before the NAT-T timers. So you might need to increase the firewall policy timeout for that connection.
>
> e.g.
> ```
> config firewall service custom
>     edit "NAT-T"
>         set comment "custom NAT-T 500sec TTL"
>         set udp-portrange 4500
>         set session-ttl 500
>     next
> end
> ```
> And you use that custom service in your firewall policy. So as long as NAT-T keepalives fire off before 500 secs, that session will stay open.
>
> Ken Felix

Thanks, is NAT-T enabled by default on FortiGate?
I can not edit NAT-T:
When the FortiGate acts as a VPN IPsec gateway, then yes, NAT-T is enabled by default, but that is not the case here based on what you posted and the numerous other parts of this thread. NAT-T is not involved in your FortiGate per your screenshot. NAT-T is an IKE function.
PCNSE
NSE
StrongSwan