Issue with IPsec Connection to FortiGate Behind NAT - vyOS 1.4 (set vpn ipsec nat-traversal 'enable' not available)

Hello VyOS Community,

I’m experiencing difficulties establishing an IPsec connection between my VyOS router and a remote FortiGate device that is behind NAT. Despite several configuration attempts, the connection is not coming up. Below are the details of my setup and the configuration on both ends.

VyOS Configuration:

IPsec Configuration on VyOS:

set vpn ipsec authentication psk FORTIGATE id '1.1.1.1'
set vpn ipsec authentication psk FORTIGATE secret 'YourPresharedKeyHere'
set vpn ipsec esp-group FORTIGATE lifetime '28800'
set vpn ipsec esp-group FORTIGATE mode 'tunnel'
set vpn ipsec esp-group FORTIGATE pfs 'dh-group14'
set vpn ipsec esp-group FORTIGATE proposal 1 encryption 'aes256'
set vpn ipsec esp-group FORTIGATE proposal 1 hash 'sha256'
set vpn ipsec ike-group FORTIGATE dead-peer-detection action 'clear'
set vpn ipsec ike-group FORTIGATE key-exchange 'ikev2'
set vpn ipsec ike-group FORTIGATE lifetime '86400'
set vpn ipsec ike-group FORTIGATE proposal 1 dh-group '14'
set vpn ipsec ike-group FORTIGATE proposal 1 encryption 'aes256'
set vpn ipsec ike-group FORTIGATE proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer FORTIGATE authentication local-id '1.1.1.1'
set vpn ipsec site-to-site peer FORTIGATE authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer FORTIGATE authentication remote-id '169.254.254.1'
set vpn ipsec site-to-site peer FORTIGATE connection-type 'initiate'
set vpn ipsec site-to-site peer FORTIGATE ike-group 'FORTIGATE'
set vpn ipsec site-to-site peer FORTIGATE ikev2-reauth 'no'
set vpn ipsec site-to-site peer FORTIGATE local-address '1.1.1.1'
set vpn ipsec site-to-site peer FORTIGATE remote-address '2.2.2.2'
set vpn ipsec site-to-site peer FORTIGATE tunnel 1 esp-group 'FORTIGATE'
set vpn ipsec site-to-site peer FORTIGATE tunnel 1 protocol 'gre'

FortiGate Configuration:

Phase 1 Configuration:

config vpn ipsec phase1-interface
    edit "vyOS"
        set interface "vlink-iface1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 1.1.1.1
        set psksecret 'YourPresharedKeyHere'
        set dpd-retrycount 4
        set dpd-retryinterval 15
    next
end

Phase 2 Configuration:

config vpn ipsec phase2-interface
    edit "vyOS"
        set phase1name "vyOS"
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 28800
    next
end

Debugging Information:

I’ve enabled detailed logging on the VyOS router and observed repeated messages indicating that the FortiGate is initiating an IKE_SA, but the connection is not established. Here is a snippet from the logs:

Jun  5 17:40:28 vyOS-Router-Router charon-systemd[2886]: 2.2.2.2 is initiating an IKE_SA
Jun  5 17:40:30 vyOS-Router-Router charon-systemd[2886]: 2.2.2.2 is initiating an IKE_SA
...

Questions Taken:

  1. Do I need to enable NAT Traversal (NAT-T) on the VyOS router? If yes, how?
  2. I have no firewall in place.
  3. I double-checked that the pre-shared key and IKE/ESP settings match on both sides.

Request for Assistance:

Could anyone offer advice on further troubleshooting steps or potential configuration changes to resolve this issue? Any insights on how to properly establish this IPsec connection given the FortiGate is behind NAT would be greatly appreciated.

Thank you in advance for your help!

Best regards,
F.

Some more info:

vyOS-Router charon: 10[NET] <FORTIGATE|893> sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
vyOS-Router charon-systemd[2892]: generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
vyOS-Router charon: 10[ENC] <FORTIGATE|893> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
vyOS-Router charon-systemd[2892]: no shared key found for '%any' - '169.254.254.1'
vyOS-Router charon: 10[IKE] <FORTIGATE|893> no shared key found for '%any' - '169.254.254.1'
vyOS-Router charon-systemd[2892]: selected peer config 'FORTIGATE'
vyOS-Router charon: 10[CFG] <FORTIGATE|893> selected peer config 'FORTIGATE'

Also I can’t find the command set vpn ipsec nat-traversal 'enable' in VyOS 1.4!?

I found this post; it says that a pre-shared key is not possible when one side is behind NAT. Is this still the case?

It looks like you’ve got some sort of auth problem.
But for a site behind NAT you should try

set vpn ipsec site-to-site peer FORTIGATE force-udp-encapsulation

Force encapsulation of ESP into UDP datagrams. Useful if there is a firewall or NAT between the local and remote side that does not allow plain ESP packets to pass between them.

I’m not much of an IPsec expert, so I can’t really provide you with much other useful feedback/answers, I’m sorry.

Seems like 1.1.1.1 is the VyOS side! Try 2.2.2.2 or the 169.254 address instead.
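As an added example (not code from the thread or from VyOS), a small Python check that reads the poster's psk and peer-identity lines and reports any IKE identity that the "authentication psk ... id" list does not cover, and that pulls the two identities out of the charon "no shared key found" line. It assumes that VyOS 1.4 hands the pre-shared secret to strongSwan keyed by the identities listed under that psk entry; the config and log lines below are constructed from the thread.

```python
import re

# Constructed sample: the PSK and peer-identity lines from the poster's VyOS config.
VYOS_CONFIG = """
set vpn ipsec authentication psk FORTIGATE id '1.1.1.1'
set vpn ipsec authentication psk FORTIGATE secret 'YourPresharedKeyHere'
set vpn ipsec site-to-site peer FORTIGATE authentication local-id '1.1.1.1'
set vpn ipsec site-to-site peer FORTIGATE authentication remote-id '169.254.254.1'
"""

PSK_ID_RE = re.compile(r"^set vpn ipsec authentication psk (\S+) id '([^']+)'$")
PEER_ID_RE = re.compile(
    r"^set vpn ipsec site-to-site peer (\S+) authentication (local-id|remote-id) '([^']+)'$")
CHARON_RE = re.compile(r"no shared key found for '([^']+)' - '([^']+)'")


def parse_config(text):
    """Collect psk-name -> {ids} and peer-name -> {local-id/remote-id: value}."""
    psk_ids, peers = {}, {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = PSK_ID_RE.match(line)
        if m:
            psk_ids.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = PEER_ID_RE.match(line)
        if m:
            peers.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return psk_ids, peers


def missing_psk_ids(psk_ids, peers):
    """Return (peer, role, identity) for each IKE identity no psk id list covers.

    Assumption: the secret is selected by the identities exchanged in IKE_AUTH, so a
    remote-id present in the peer block but absent from 'authentication psk ... id'
    is the condition behind "no shared key found for '%any' - '169.254.254.1'".
    """
    known = set().union(*psk_ids.values()) if psk_ids else set()
    return [(peer, role, ids[role]) for peer, ids in peers.items()
            for role in ("local-id", "remote-id") if role in ids and ids[role] not in known]


def parse_charon_failure(line):
    """Extract (local identity, remote identity) from a charon failure line, or None."""
    m = CHARON_RE.search(line)
    return (m.group(1), m.group(2)) if m else None
```

Running missing_psk_ids over the poster's lines reports the remote-id 169.254.254.1 as uncovered; adding it as a second "authentication psk FORTIGATE id" entry clears the report.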