Hello, we had an IPsec tunnel between two FortiGates across a Starlink connection, active and up.
BGP was running across this tunnel. All good, no problems.
Then suddenly three sites (FortiGates) lost their BGP connections only, i.e. the IPsec tunnels remained up.
The fix to get BGP working again was to enable 'nat traversal forced' on all participating FortiGates.
My questions are:
i) I understand how NAT traversal can fix IPsec problems, but in this case IPsec was still up; therefore, how did enabling forced NAT traversal fix BGP, which was encapsulated (and protected) within the working IPsec tunnels?
ii) What might have suddenly changed with the Starlink service to cause problems with the IPsec tunnel and/or BGP?
Thank you.
Hello fran19422,
This is because of the CG-NAT used by Starlink.
You can refer to the forum thread below for more details.
https://community.fortinet.com/t5/Support-Forum/IPSEC-tunnels-behind-CGNAT-Starlink/td-p/226976
Thank you!
Greetings,
In this case, maybe it's not just BGP. The traffic does not flow when the tunnel doesn't have NAT-T enabled.
Starlink uses Carrier-Grade NAT (CGNAT) to conserve IP addresses. This means that Starlink assigns a single public IP address to multiple customers, rather than giving each customer a unique public IP. This creates issues for traditional IPsec VPN connections, which rely on being able to route traffic directly between the two endpoints.
To overcome the CGNAT issue, the search results recommend using NAT-T (NAT Traversal) for IPsec VPNs. NAT-T encapsulates the IPsec ESP traffic inside UDP packets, which can then traverse the CGNAT gateway successfully. Without NAT-T, the IPsec VPN tunnels cannot be established properly.
https://www.reddit.com/r/Starlink/comments/osq7hh/starlink_ipsec_tunnel_issues/?rdt=60543
Regards!
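The mechanism behind the answers above, as an added worked example (editor's code, not from the original thread or from Fortinet): IKE runs over UDP (port 500, or 4500 once NAT-T is negotiated), so a port-overloading CGNAT can translate it per subscriber and the tunnel shows as "up". ESP is IP protocol 50 and carries no port numbers, so a NAT that shares one public address among many customers has nothing to key a per-subscriber mapping on; data traffic such as the BGP session inside the tunnel then fails even though phase 1 and phase 2 look healthy. NAT-T (RFC 3948) wraps the ESP packet in UDP/4500, which the NAT handles like any other UDP flow. The CGNAT model, addresses, SPIs and port numbers are all constructed for illustration; the simplification that a NAT drops portless ESP is stated in the code.

```python
"""Toy model of IKE and ESP through a port-overloading CGNAT, with and without
NAT-T (RFC 3948).  Added example; not FortiGate or Fortinet code.  All
addresses, ports and SPIs below are constructed for illustration."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ESP, UDP = 50, 17                      # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s.2.2: prefixes IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s.2.3: one-byte NAT keepalive


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for ESP: there is no transport header
    dport: Optional[int] = None
    payload: bytes = b""


def esp_payload(spi: int, seq: int, body: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by the encrypted body."""
    return struct.pack("!II", spi, seq) + body


def natt_encapsulate(pkt: Packet) -> Packet:
    """RFC 3948 UDP encapsulation: the ESP packet rides unchanged inside
    UDP/4500, so the NAT sees ordinary UDP with ports it can translate."""
    assert pkt.proto == ESP
    return Packet(pkt.src, pkt.dst, UDP, NATT_PORT, NATT_PORT, pkt.payload)


def classify_4500(payload: bytes) -> str:
    """Demultiplex a datagram received on UDP/4500 (RFC 3948 s.2.2 / s.2.3)."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"   # a non-zero SPI in the first four bytes means ESP


@dataclass
class CGNAT:
    """Port-overloading NAT shared by many subscribers.  Simplification used
    here: flows are keyed on (inside address, inside port); a packet with no
    transport ports, such as raw ESP, gets no per-subscriber mapping and is
    dropped.  Real CGNAT behaviour varies, but raw ESP through it is unreliable."""
    public_ip: str
    next_port: int = 20000
    out: Dict[Tuple[str, int], int] = field(default_factory=dict)
    back: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None                       # nothing to key a mapping on
        key = (pkt.src, pkt.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, pkt.dst, pkt.proto,
                      self.out[key], pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dport is None or pkt.dport not in self.back:
            return None
        inside_ip, inside_port = self.back[pkt.dport]
        return Packet(pkt.src, inside_ip, pkt.proto, pkt.sport, inside_port, pkt.payload)


def run_site(nat: CGNAT, site_ip: str, hub_ip: str, natt: bool) -> Dict[str, bool]:
    """One branch gateway behind the CGNAT talking to a hub with a public address.
    Reports whether IKE (tunnel shows 'up') and ESP (BGP/data) got through."""
    ike = Packet(site_ip, hub_ip, UDP, IKE_PORT, IKE_PORT, b"IKE_SA_INIT")
    ike_out = nat.outbound(ike)
    ike_back = None
    if ike_out is not None:   # hub replies to the translated public address/port
        ike_back = nat.inbound(Packet(hub_ip, nat.public_ip, UDP, IKE_PORT,
                                      ike_out.sport, b"IKE_SA_INIT reply"))
    ike_ok = ike_back is not None and ike_back.dst == site_ip

    esp = Packet(site_ip, hub_ip, ESP, None, None,
                 esp_payload(0x1001, 1, b"BGP OPEN (encrypted)"))
    if natt:
        esp = natt_encapsulate(esp)
    esp_out = nat.outbound(esp)
    esp_ok = esp_out is not None and (not natt or classify_4500(esp_out.payload) == "esp")
    return {"ike": ike_ok, "esp": esp_ok}


if __name__ == "__main__":
    nat = CGNAT("198.51.100.7")                       # constructed shared public IP
    print("no NAT-T:", run_site(nat, "100.64.0.10", "203.0.113.1", natt=False))
    print("NAT-T:   ", run_site(nat, "100.64.0.10", "203.0.113.1", natt=True))
    print("2nd site:", run_site(nat, "100.64.0.11", "203.0.113.1", natt=True))
```

Without NAT-T the model returns IKE up but ESP dropped, which is the symptom in the question: tunnel status fine, BGP dead. With NAT-T both sites behind the same public address get distinct public ports for their UDP/4500 flows. On a FortiGate the corresponding setting is `set nattraversal forcible` under `config vpn ipsec phase1-interface`, which makes the gateway use UDP encapsulation even when IKE's NAT detection does not see a NAT in the path.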