Meraki

Community

Client VPN behind NAT

Proxy
Here to help
‎Jan 3 2021 11:45 AM
‎Jan 3 2021 11:45 AM

Client VPN behind NAT

I'm working through an issue with MX64 as a client VPN server behind a 3rd party (Fortigate) firewall.  I have UDP/4500 and UDP/500 forwarded from the WAN interface of the other firewall to the MX64.  I've looked at packet captures and can see the following:

1) SA completes (client to server ephemeral port 57234 to 500)

2) KE completes (ephemeral port 57234 to 500)

3) ID - client sends ID on ephemeral ports 35121 to 4500, but MX replies with source port 4500 to destination 4500 - i.e. it doesn't reply with dst port 35121 - that the session is established on - so it gets dropped.

 

I ran a test with another MX NATted behind another firewall, and this worked fine.  The difference was at step 3) - this MX replied from 4500 back to the ephemeral DST port (42854 in this case), then established the connection and proceeded to ESP.

 

My question is, in the first non-working scenario, why is the MX64 replying from 4500->4500 instead of  4500->35121? I can't fund any reason why it's not behaving in the same way as the working example. 

5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 4 2021 1:03 PM
‎Jan 4 2021 1:03 PM

My guess is it will be to do with whether the remote device has NAT traversal enabled.

 

If it does the MX can use the ephemeral port to reply to.  If it doesn't, then it has to use port 4500.

0 Kudos
In response to PhilipDAth
Proxy
Here to help
‎Jan 4 2021 1:19 PM
‎Jan 4 2021 1:19 PM

Thanks PhilipDAth. By the remote device do you mean the client/initiator as oppose to the server? If yes this is the weird part - it’s exactly the same device and the behaviour is different based on which server setup that it connects to. 

0 Kudos
In response to Proxy
Bruce
Kind of a big deal
‎Jan 4 2021 2:04 PM
‎Jan 4 2021 2:04 PM

You mention that you tested with another MX NATed behind another device. Is that other device also a Fortigate firewall? It’s possible that the Fortigate is detecting the L2TP/IPSec and trying to be ‘smart’ with its NAT and actually introducing a problem. I would see if there is ‘smart’/application processing on the Fortigate that you can turn-off and just let NAT be NAT.

0 Kudos
In response to Bruce
DHAnderson
Head in the Cloud
‎Jan 6 2021 8:29 PM
‎Jan 6 2021 8:29 PM

If you have multiple IP addresses, you can setup a DMZ port on the Fortinet and route one address through the DMZ.  You can turn off NAT and all inspection for that port.

Dave Anderson
0 Kudos
Impo139115
New here
‎Mar 13 2024 4:41 PM
‎Mar 13 2024 4:41 PM

Revising this old thread. I'm having the same exact issue when a client is behind a FortiGate firewall. Has there been any update on this?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.