From 6ef41456f40f4b542a7855eeefff3c8eba4ef1a9 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 31 Mar 2025 14:48:47 +0100 Subject: [PATCH 1/4] added nat-t --- .../configuration/manually/third-party/fortinet.mdx | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx index 5a6f4d426251a83..bff3af73bad6e4b 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx @@ -75,6 +75,17 @@ config system settings end ``` +### Configure NAT-T (optional) + +If you have NAT traversal (NAT-T) on your network you need to enable this feature and initiate IKE communications on port `4500`. + +```txt +config system settings + set ike-port 4500 + set nattraversal enable +end +``` + ### Disable anti-replay protection For route-based IPsec configurations, you will need to disable anti-replay protection. The command below disables anti-replay protection globally, but you can also do this per firewall policy. Refer to Fortinet's documentation on [anti-replay support per policy](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Anti-Replay-option-support-per-policy/ta-p/191435) to learn more. From 44a98ba20f9455c7914f180f9165d7897153ec46 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 17:00:13 +0100 Subject: [PATCH 2/4] refined text --- .../configuration/manually/third-party/fortinet.mdx | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx index bff3af73bad6e4b..950d05d75fa3eca 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx 
+++ b/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx @@ -79,13 +79,22 @@ end If you have NAT traversal (NAT-T) on your network you need to enable this feature and initiate IKE communications on port `4500`. +To set the IKE port add the following to your system settings: + ```txt config system settings set ike-port 4500 - set nattraversal enable end ``` +To enable NAT-T add `set nattraversal enable` to the IPsec tunnels you are configuring. + +```txt +fortigate # config vpn ipsec phase1-interface + edit "" + set nattraversal enable +``` + ### Disable anti-replay protection For route-based IPsec configurations, you will need to disable anti-replay protection. The command below disables anti-replay protection globally, but you can also do this per firewall policy. Refer to Fortinet's documentation on [anti-replay support per policy](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Anti-Replay-option-support-per-policy/ta-p/191435) to learn more. From a559e2edee016aa8a8c54d2dfa549f67fd5419bd Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 17:05:29 +0100 Subject: [PATCH 3/4] added link --- .../magic-wan/configuration/manually/third-party/fortinet.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx index 950d05d75fa3eca..dee70ba800042b0 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx 
@@ -95,6 +95,8 @@ fortigate # config vpn ipsec phase1-interface set nattraversal enable ``` +Refer to [Fortinet's documentation](https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-NAT-traversal/ta-p/197873) for more details. + ### Disable anti-replay protection For route-based IPsec configurations, you will need to disable anti-replay protection. The command below disables anti-replay protection globally, but you can also do this per firewall policy. Refer to Fortinet's documentation on [anti-replay support per policy](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Anti-Replay-option-support-per-policy/ta-p/191435) to learn more. From 492470258fd1c4dd1049e2d8ee7d1650f5afdade Mon Sep 17 00:00:00 2001 From: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> Date: Mon, 7 Apr 2025 17:26:33 +0100 Subject: [PATCH 4/4] Apply suggestions from code review Co-authored-by: Jun Lee --- .../configuration/manually/third-party/fortinet.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx index dee70ba800042b0..d8d6fbca48fd0d9 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx @@ -77,9 +77,9 @@ end ### Configure NAT-T (optional) -If you have NAT traversal (NAT-T) on your network you need to enable this feature and initiate IKE communications on port `4500`. +If you have NAT traversal (NAT-T) on your network, you need to enable this feature and initiate IKE communications on port `4500`. -To set the IKE port add the following to your system settings: +To set the IKE port, add the following to your system settings: ```txt config system settings 
@@ -87,7 +87,7 @@ config system settings end ``` -To enable NAT-T add `set nattraversal enable` to the IPsec tunnels you are configuring. +To enable NAT-T, add `set nattraversal enable` to the IPsec tunnels you are configuring. ```txt fortigate # config vpn ipsec phase1-interface
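Review bot: `set nattraversal enable` does not belong under `config system settings` in the PATCH 1/4 hunk (@@ -75,6 +75,17 @@); on FortiOS `nattraversal` is a per-tunnel option under `config vpn ipsec phase1-interface`, so the CLI will not accept the block as written and a reader copying it gets a parse error rather than NAT-T. Keep only `set ike-port 4500` in the system-settings block and show `set nattraversal enable` inside the phase1-interface definition of the tunnel. The PATCH 2/4 hunk in this series makes exactly that split, so squash it into this commit instead of shipping an intermediate snippet that cannot be applied.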
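Review bot: the new phase1-interface block in the PATCH 2/4 hunk (@@ -79,13 +79,22 @@) has an empty tunnel name in `edit ""` and is never closed, so the reader cannot tell which tunnel to edit and the snippet is inconsistent with every other block on the page, which ends with `end`. Suggest a placeholder that matches the tunnel name used earlier on the page and a proper close:
`edit "<tunnel_name>"`
`    set nattraversal enable`
`next` followed by `end`
The sentence above the block ("add `set nattraversal enable` to the IPsec tunnels you are configuring") could also name the phase1-interface entry explicitly, since that is where the setting lives.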
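Review bot: the link text "Fortinet's documentation" added in the PATCH 3/4 hunk (@@ -95,6 +95,8 @@) is generic, while the anti-replay paragraph directly below it links with descriptive text ("anti-replay support per policy"). Match that convention so the link is meaningful out of context, for example: Refer to Fortinet's documentation on [IPsec VPN NAT traversal](https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-NAT-traversal/ta-p/197873) for more details.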
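Review bot: the comma fixes in the first PATCH 4/4 hunk (@@ -77,9 +77,9 @@) leave two problems in the sentence unresolved. The heading says "Configure NAT-T (optional)" while the text says "you need to enable this feature", and "If you have NAT traversal (NAT-T) on your network" is imprecise: NAT-T is the feature being enabled, the condition is that a NAT device sits between the FortiGate and the Cloudflare side (for example, the FortiGate's WAN interface has a private address). Suggest: "If your FortiGate is behind a NAT device, enable NAT traversal (NAT-T) and use UDP port 4500 for IKE." It is also worth one sentence on why both changes are needed, because standard NAT-T negotiation detects the NAT during the initial IKE exchange on UDP 500 and moves to 4500 by itself; if Magic WAN requires IKE to start on 4500 in this setup, say so, otherwise readers may conclude `set ike-port 4500` is redundant.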
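Review bot: the `fortigate # ` prompt on the first line of the phase1-interface block is still present in the second PATCH 4/4 hunk (@@ -87,7 +87,7 @@) and should be dropped; none of the other ```txt blocks on this page show a shell prompt, and it stops the snippet from being pasted as-is. Start the block at `config vpn ipsec phase1-interface`, matching the `config system settings` block immediately above it.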