Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Umer221
Staff
Staff

Created on ‎05-01-2024 10:37 AM

Article Id 312548

Technical Tip: IPsec Site-to-Site Tunnel configuration Between Sonicwall and FortiGate (behind CGNAT Starlink) - Optimal Configuration Scenario

Description This article provides a replica of a functional configuration for a site-to-site VPN that consistently encounters issues in both Phase 1 and Phase 2 negotiations when connecting between SonicWall and a FortiGate connected behind CGNAT Starlink.
Scope FortiOS, FortiGate, Sonicwall, CGNAT Starlink.
Solution

Firstly, make sure that all of the basic configuration is matching both sides using this article.

 

If the basic configuration does not help bringing the IPsec tunnel up using the above article, the following changes must be made on both sides of the tunnel:

 

  1. Enable Forced NAT Traversal (NAT-T) on both sites under VPN -> IPsec Tunnels.

  

image - 2024-05-01T131934.529.png

 

  1. Switch to IKEv1 -> Aggressive Mode:

 

image - 2024-05-01T132327.626.png

 

Test the tunnel and refer to this article to enable MTU override and disable Anti-Reply if tunnel still shows offline.

Related article:

Technical Tip: Explaining IPsec Anti-replay and preventing packet drops.
Labels:
319
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.