Client VPN behind NAT


I'm working through an issue with MX64 as a client VPN server behind a 3rd party (Fortigate) firewall. I have UDP/4500 and UDP/500 forwarded from the WAN interface of the other firewall to the MX64. I've looked at packet captures and can see the following:

1) SA completes (client to server ephemeral port 57234 to 500)

2) KE completes (ephemeral port 57234 to 500)

3) ID - client sends ID on ephemeral port 35121 to 4500, but the MX replies with source port 4500 to destination port 4500 - i.e. it doesn't reply to dst port 35121, which the session is established on, so it gets dropped.


I ran a test with another MX NATted behind another firewall, and this worked fine. The difference was at step 3) - this MX replied from 4500 back to the ephemeral DST port (42854 in this case), then established the connection and proceeded to ESP.


My question is, in the first non-working scenario, why is the MX64 replying from 4500->4500 instead of 4500->35121? I can't find any reason why it's not behaving in the same way as the working example.

Kind of a big deal

My guess is it will be to do with whether the remote device has NAT traversal enabled.


If it does the MX can use the ephemeral port to reply to.  If it doesn't, then it has to use port 4500.
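The port mismatch the original poster describes, and the NAT-traversal explanation in the reply above, can be checked mechanically against a capture. The following is an added example, not code from the thread or from Meraki: it parses tcpdump-style summary lines, records which source port each client used when it floated to UDP/4500, and flags any server reply from 4500 whose destination port was never seen as a client source port (the 4500->4500 symptom). The capture lines, IP addresses and the `check_nat_t_replies` function are constructed for illustration; the port numbers 57234, 35121 and 42854 are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style capture summaries (not from the original thread).
# Client public address 203.0.113.10 (behind NAT), MX behind the Fortigate at 198.51.100.20.
SERVER_IP = "198.51.100.20"

# Working case: server replies from 4500 back to the client's ephemeral port.
CAPTURE_OK = [
    "IP 203.0.113.10.57234 > 198.51.100.20.500: isakmp: phase 1 I ident",
    "IP 198.51.100.20.500 > 203.0.113.10.57234: isakmp: phase 1 R ident",
    "IP 203.0.113.10.42854 > 198.51.100.20.4500: NONESP-encap: isakmp: phase 1 I ident",
    "IP 198.51.100.20.4500 > 203.0.113.10.42854: NONESP-encap: isakmp: phase 1 R ident",
]

# Broken case: server replies 4500 -> 4500 although the client sent from 35121.
CAPTURE_BROKEN = [
    "IP 203.0.113.10.57234 > 198.51.100.20.500: isakmp: phase 1 I ident",
    "IP 198.51.100.20.500 > 203.0.113.10.57234: isakmp: phase 1 R ident",
    "IP 203.0.113.10.35121 > 198.51.100.20.4500: NONESP-encap: isakmp: phase 1 I ident",
    "IP 198.51.100.20.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 R ident",
]

# Matches "IP <src>.<sport> > <dst>.<dport>:" at the start of a summary line.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")


def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def check_nat_t_replies(lines, server_ip):
    """Flag server replies from UDP/4500 sent to a port the client never used.

    For every client -> server packet to port 4500 we remember the client's
    source port (the NAT-T "floated" port). A reply from server:4500 to any
    other destination port cannot traverse the client-side NAT and is reported.
    """
    client_ports = defaultdict(set)  # client ip -> source ports seen towards 4500
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport = parsed
        if dst == server_ip and dport == 4500:
            client_ports[src].add(sport)
        elif src == server_ip and sport == 4500 and dport not in client_ports[dst]:
            findings.append({
                "client": dst,
                "replied_to": dport,
                "expected": sorted(client_ports[dst]),
            })
    return findings


if __name__ == "__main__":
    for name, capture in (("ok", CAPTURE_OK), ("broken", CAPTURE_BROKEN)):
        print(name, check_nat_t_replies(capture, SERVER_IP))
```

A client whose source port towards 4500 really is 4500 (no NAT in front of it) is not flagged, since 4500 is then in the observed set; only the asymmetric reply the thread describes produces a finding.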

Thanks PhilipDAth. By the remote device do you mean the client/initiator as opposed to the server? If yes this is the weird part - it's exactly the same device and the behaviour is different based on which server setup that it connects to.

Kind of a big deal

You mention that you tested with another MX NATed behind another device. Is that other device also a Fortigate firewall? It's possible that the Fortigate is detecting the L2TP/IPSec and trying to be 'smart' with its NAT and actually introducing a problem. I would see if there is 'smart'/application processing on the Fortigate that you can turn off and just let NAT be NAT.

Head in the Cloud

If you have multiple IP addresses, you can set up a DMZ port on the Fortinet and route one address through the DMZ. You can turn off NAT and all inspection for that port.

Dave Anderson