[MWAN] Fortinet nat-t (#21468)

marciocloudflare · Oxyjun · web-flow · commit 49299368643a · 2025-04-07T16:43:08.000Z
* added nat-t

* refined text

* added link

* Apply suggestions from code review

Co-authored-by: Jun Lee &lt;junlee@cloudflare.com&gt;

---------

Co-authored-by: Jun Lee &lt;junlee@cloudflare.com&gt;
diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx
@@ -75,6 +75,28 @@ config system settings
 end
 ```
 
+### Configure NAT-T (optional)
+
+If you have NAT traversal (NAT-T) on your network, you need to enable this feature and initiate IKE communications on port `4500`.
+
+To set the IKE port, add the following to your system settings:
+
+```txt
+config system settings
+    set ike-port 4500
+end
+```
+
+To enable NAT-T, add `set nattraversal enable` to the IPsec tunnels you are configuring.
+
+```txt
+fortigate # config vpn ipsec phase1-interface
+    edit "<NAME_OF_YOUR_TUNNEL>"
+        set nattraversal enable
+```
+
+Refer to [Fortinet's documentation](https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-NAT-traversal/ta-p/197873) for more details.
+
 ### Disable anti-replay protection
 
 For route-based IPsec configurations, you will need to disable anti-replay protection. The command below disables anti-replay protection globally, but you can also do this per firewall policy. Refer to Fortinet's documentation on [anti-replay support per policy](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Anti-Replay-option-support-per-policy/ta-p/191435) to learn more.
