Hi

I have a Fortigate firewall with a Teltonika RUT240 in bridge mode to give the Forti 4G capability.

The RUT240 has a Vodafone SIM.

I'm trying to establish an IPSec tunnel between this Forti and another at head office.

It works if I set the head office to "dial-up", where it accepts IPSec tunnels from anywhere, and relies on the phase1 key for security.

It doesn't work if I set the head office Forti to use the DDNS registered address of the 4G connected Forti.

The IP accepted when dial-up mode is used at head office is different to the IP the 4G interface gets.

So my questions are:

Is this to be expected when using a Vodafone SIM - there's some downstream NAT modifying the IP my head office ultimately sees the IPSec connection coming from?

Is there any way, a different plan perhaps, to get around this?

I don't want to use dial-up mode as you can't aggregate dial-up tunnels on a Forti, and my policies and routes to this device have to be duplicated for the 4G backup tunnel.