fmerin_FTNT
Staff
Article Id 192393
Description
This article describes specific considerations when using the FortiExtender as a WAN link for the FortiGate running a site-to-site IPsec VPN configuration.

Solution
IPsec VPN tunnel cannot be established when FortiExtender obtains a private (non-routable) IP address.

The FortiExtender incorporates a USB modem with a SIM card. The modem is configured for a specific access point name (APN), specified by the wireless carrier network, which determines the type of IP address obtained by the modem (that is, dynamic or static, private or public).

The default APN, whether provided by the wireless carrier network, set by default on the SIM card, or set by default on the USB modem, may result in a private (non-routable) WAN IP address being obtained. In this case, the remote VPN peer cannot send replies back to the FortiGate over the FortiExtender WAN link, so the IPsec VPN tunnel fails to establish on the FortiGate.

The solution is to arrange with the wireless carrier network for a different APN that results in the USB modem obtaining a public (routable) WAN IP address, and to configure this APN on the FortiExtender.

Default MTU setting results in stalled or intermittent connectivity over the IPsec VPN tunnel.

Sometimes IPsec VPN connectivity may be stalled or intermittent when the FortiGate uses the FortiExtender as its WAN link. This happens because the default maximum transmission unit (MTU) setting on the FortiGate's FortiExtender interface is not suitable for communication with the USB modem installed in the FortiExtender.

Therefore, the solution is to lower the MTU for the FortiExtender.

To determine the effective MTU, open the Windows Command Prompt on a workstation connected to the FortiExtender and use the CLI command "ping -l", supplying the public IP of a host and a potential MTU value. The effective MTU is the largest value where pings still work.

Once an optimal MTU value has been determined, adjust the MTU for the FortiExtender interface as follows:
config system interface
    edit fext-wan1
        set mtu-override enable
        set mtu <length>
    next
end
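
The probing step described above can be automated. The following PowerShell script is an added example, not part of the original article or Fortinet's tooling: it binary-searches the largest ICMP payload that still gets a reply with the Don't Fragment flag set. The `-f` flag, the search bounds, and the 28-byte IPv4/ICMP header overhead added to the payload are standard Windows ping and IPv4 facts that the article does not state; the parameter names and the function name `Test-Payload` are chosen here for illustration.

```powershell
# Added example: find the largest ICMP payload that passes unfragmented,
# using the Windows ping command the article refers to.
param(
    # Public IP of a host that answers ICMP echo (assumption).
    [Parameter(Mandatory)] [string] $Target,
    # Payload size assumed small enough to pass on any usable link.
    [int] $Low  = 500,
    # 1500-byte Ethernet MTU minus 28 bytes of IPv4 + ICMP headers.
    [int] $High = 1472
)

function Test-Payload([string] $Target, [int] $Size) {
    # -f  sets Don't Fragment, so oversized packets fail instead of fragmenting
    # -l  sets the ICMP payload size in bytes
    # -n  number of probes, -w reply timeout in milliseconds
    $out = & ping.exe -f -l $Size -n 2 -w 2000 $Target
    # A genuine echo reply line contains "TTL="; error lines do not.
    return [bool]($out | Select-String -SimpleMatch 'TTL=' -Quiet)
}

if (-not (Test-Payload $Target $Low)) {
    throw "No reply even at $Low bytes: check reachability before tuning MTU."
}

# Invariant: $Low is known to pass; sizes above $High are known to fail
# or are outside the search range.
while ($Low -lt $High) {
    $mid = [int][math]::Ceiling(($Low + $High) / 2)
    if (Test-Payload $Target $mid) {
        $Low = $mid          # mid passes: the answer is mid or larger
    } else {
        $High = $mid - 1     # mid fails: the answer is below mid
    }
}

# The on-wire packet is the payload plus a 20-byte IPv4 header
# and an 8-byte ICMP header.
$mtu = $Low + 28
"Largest unfragmented payload: $Low bytes"
"Corresponding packet size (MTU): $mtu bytes"
```

Run it from the workstation behind the FortiExtender so the probes cross the cellular link, and repeat the run before committing a value, since a single dropped probe on a lossy link lowers the result.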

Related Articles

Technical Note: How to adjust the Maximum Transmission Unit (MTU) value on a FortiGate interface

Technical Note: Configuring FortiExtender
