FGT 60F issue with IPSec behind double NAT
Sorry if this was already answered. I'm having a weird issue with a Site to Site VPN where the Fortigate is sitting behind a double NAT (Carrier Grade NAT from the Provider + NAT from an LTE Modem).
The setup line diagram looks something like this:
(LAN IP 172.X.X.X) Fortigate (Public Static IP) <-> (Public IP X.X.X.X) Carrier Grade NAT <-> (Private IP 100.X.X.X) Router <-> (Private IP 192.168.2.X) Fortigate <-> (192.168.10.X) LAN Block
I am able to bring up the VPN; however, I am unable to pass any traffic.
I am noticing something weird on the IPSec Negotiation (but I'm not sure it matters) where the IKE establishes on port 4501. I know with NAT the alternate port used is 4500 but is it possible that with double NAT port 4501 is chosen? (just weird).
In any case, I am unable to pass traffic in either direction even though the Tunnel is established.
PS. NAT-T is enabled and has been tested as "enabled" and as "forced" and both options yield the same result.
I'm going to try to upgrade the Fortigate behind the NAT to the latest version (just in case this is a known bug), but I wanted to bounce the problem to the list and see if anyone has encountered this issue before.