VPN NAT Traversal when both USG are behind CGNAT with unpredictable source port

PeterUK Posts: 3,587  Guru Member
100 Answers 2500 Comments Friend Collector Seventh Anniversary
edited July 2024 in Security Ideas

I'm not sure this will happen, since it can only be done where both ends are behind CGNAT with no incoming allowed and unpredictable source port mapping, but here is one hell of a way to do it! Not 100% sure it would work.

Here is how port 500 traversal would go, then the same for 4500.



  • PeterUK
    PeterUK Posts: 3,587  Guru Member

    So after going through how it works, it doesn't. I then re-looked at how it might have worked, but it ended up being impossible, so the source port must be true on one side.

  • PeterUK
    PeterUK Posts: 3,587  Guru Member

    So this is the best that can be done where both ends are behind CGNAT with no incoming allowed and one side has source ports that are true.

  • Aballo
    Aballo Posts: 9  Freshman Member
    First Comment


    Actually, we've got an IPsec tunnel using 2 USG Flex behind fiber.

    We would like to use a Starlink (router bypassed) in case of failure of the fiber.

    Actually, Starlink is only used for internet surfing (and working well).

    I saw your explanation but don't understand how to configure it.

    Thanks for your help.


  • Aballo
    Aballo Posts: 9  Freshman Member


    Actually, we've got an IPsec tunnel using 2 USG Flex behind fiber on each side.

    We would like to use a Starlink (currently in bypass mode) in case of failure of the fiber on one side.

    How to handle Starlink CGNAT?

    Thanks for your help.
