Fortinet black logo

Administration Guide

Home FortiGate / FortiOS 7.4.2 Administration Guide
7.4.2
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0

Encapsulate ESP packets within TCP headers NEW

Encapsulate ESP packets within TCP headers NEW

FortiOS includes a proprietary solution to support the encapsulation of Encapsulating Security Payload (ESP) packets within Transmission Control Protocol (TCP) headers. This allows ESP packets to be assigned a port number, which enables them to traverse over carrier networks where direct IPsec traffic is blocked or impeded by carrier-grade NAT.

Note

This feature only works with IKE version 2, and it does not support ADVPN.
To configure the TCP port for IKE/IPsec traffic:
config system settings
    set ike-tcp-port <integer>
end

ike-tcp-port <integer>

Set the TCP port for IKE/IPsec traffic (1 - 65535, default = 4500).
To configure ESP encapsulation on the phase 1 interface:
config vpn ipsec phase1-interface
    edit <name>
        set ike-version 2
        set transport {udp | udp-fallback-tcp | tcp}
        set fortinet-esp {enable | disable}
        set fallback-tcp-threshold <integer>
    next
end

transport {udp | udp-fallback-tcp | tcp}

Set the IKE transport protocol.

  • udp: use UDP transport for IKE.
  • udp-fallback-tcp: use UDP transport for IKE, with fallback to TCP transport.
  • tcp: use TCP transport for IKE.

fortinet-esp {enable | disable}

Enable/disable Fortinet ESP encapsulation.

fallback-tcp-threshold <integer>

Set the timeout before IKE/IPsec traffic falls back to TCP, in seconds (1 - 300, default = 15).

Example

In this example, IPsec VPN crosses over a carrier network and UDP packets are not allowed.

To encapsulate ESP packets within TCP headers:

  1. On each FortiGate, configure the IKE TCP port setting:

    config system settings
    set ike-tcp-port 1443
end

  2. Disable anti-replay in the global settings on the FGT_B (NAT) FortiGate (see step 7 for more information):

    config system global
    set anti-replay disable
    set hostname "FGT-B"
end

  3. Configure the FGT_A (spoke) FortiGate.

    1. Configure the IPsec phase 1 settings:

      config vpn ipsec phase1-interface
    edit "spoke"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set transport tcp
        set fortinet-esp enable
        set remote-gw 173.1.1.1
        set psksecret **********
    next
end

    2. Configure the IPsec phase 2 settings:

      config vpn ipsec phase2-interface
    edit "spoke"
        set phase1name "spoke"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-subnet 10.1.100.0 255.255.255.0
    next
end

      IKE and ESP will be encapsulated into TCP, and ESP packets encapsulated into a fake TCP header.

  4. Configure the FGT_C (spoke) FortiGate.

    1. Configure the IPsec phase 1 settings:

      config vpn ipsec phase1-interface
    edit "Spoke"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set transport udp-fallback-tcp
        set fortinet-esp enable
        set fallback-tcp-threshold 10
        set remote-gw 173.1.1.1
        set psksecret **********
    next
end

    2. Configure the IPsec phase 2 settings:

      config vpn ipsec phase2-interface
    edit "Spoke"
        set phase1name "Spoke"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-subnet 192.168.4.0 255.255.255.0
    next
end

      IKE will use UDP encapsulation first. If it fails to establish in 10 seconds, it will fall back to TCP. ESP packets are encapsulated into a fake TCP header.

  5. Configure the FGT_D (hub) FortiGate.

    1. Configure the IPsec phase 1 settings:

      config vpn ipsec phase1-interface
    edit "Hub"
        set type dynamic
        set interface "port25"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dpd on-idle
        set transport tcp
        set fortinet-esp enable
        set psksecret **********
        set dpd-retryinterval 60
    next
end

    2. Configure the IPsec phase 2 settings:

      config vpn ipsec phase2-interface
    edit "Hub"
        set phase1name "Hub"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

  6. Verify the IPsec VPN tunnel state on FGT_D (hub):

    # diagnose vpn ike gateway list

vd: root/0
name: Hub_0
version: 2
interface: port25 33
addr: 173.1.1.1:1443 -> 173.1.1.2:23496
tun_id: 173.1.1.2/::10.0.0.4
remote_location: 0.0.0.0
network-id: 0
transport: TCP
created: 733s ago
peer-id: 11.101.1.1
peer-id-auth: no
nat: peer
PPK: no
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 3 f050ac7a151a3b31/3b46b71108eea2e2
  direction: responder
  status: established 733-733s ago = 0ms
  proposal: aes128-sha256
  child: no
  SK_ei: 619dfbeb679345f7-531692a72da85727
  SK_er: 5b6a1625b2ce71cf-13b339289ca99b9d
  SK_ai: a61818128c0d5390-b6d15cf9eb58e0f6-4e8c552e6265387b-4f79dc3acdd5d092
  SK_ar: 64fb56b13ee65bd2-6ea1fb268b3ffad9-818c8e4d302a1176-c8978a8ce91d9856
  PPK: no
  message-id sent/recv: 11/2
  QKD: no
  lifetime/rekey: 86400/85396
  DPD sent/recv: 0000000c/0000000c
  peer-id: 11.101.1.1

vd: root/0
name: Hub_2
version: 2
interface: port25 33
addr: 173.1.1.1:1443 -> 173.1.1.2:12186
tun_id: 10.0.0.4/::10.0.0.6
remote_location: 0.0.0.0
network-id: 0
transport: TCP
created: 645s ago
peer-id: 172.16.200.3
peer-id-auth: no
nat: peer
PPK: no
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 17 7eb5a40cd324d2fc/f04fec6d8d77d996
  direction: responder
  status: established 645-645s ago = 0ms
  proposal: aes128-sha256
  child: no
  SK_ei: c1fe2027086b046b-0f15c6e2d25a255d
  SK_er: 3eac9a73b4dd2961-900c0af7f0e18abf
  SK_ai: e21ca3934cca7a85-af425d12baf40693-0c30e3f6d98a6a7d-273b33cc49155092
  SK_ar: 1bef95d13784e8e1-9894c1b3628e158a-3cbfe4f7a730d9de-c9150844e3ff2002
  PPK: no
  message-id sent/recv: 10/2
  QKD: no
  lifetime/rekey: 86400/85484
  DPD sent/recv: 0000000b/0000000b
  peer-id: 172.16.200.3

  7. Verify the ESP packets sniffed on the NAT device.

    In the packet capture, ESP packets are encapsulated into TCP ACK packets with the same sequence number. This is why anti-replay must be disabled on the NAT FortiGate.

Previous
Next

Encapsulate ESP packets within TCP headers NEW

FortiOS includes a proprietary solution to support the encapsulation of Encapsulating Security Payload (ESP) packets within Transmission Control Protocol (TCP) headers. This allows ESP packets to be assigned a port number, which enables them to traverse over carrier networks where direct IPsec traffic is blocked or impeded by carrier-grade NAT.

Note

This feature only works with IKE version 2, and it does not support ADVPN.
To configure the TCP port for IKE/IPsec traffic:
config system settings
    set ike-tcp-port <integer>
end

ike-tcp-port <integer>

Set the TCP port for IKE/IPsec traffic (1 - 65535, default = 4500).
To configure ESP encapsulation on the phase 1 interface:
config vpn ipsec phase1-interface
    edit <name>
        set ike-version 2
        set transport {udp | udp-fallback-tcp | tcp}
        set fortinet-esp {enable | disable}
        set fallback-tcp-threshold <integer>
    next
end

transport {udp | udp-fallback-tcp | tcp}

Set the IKE transport protocol.

  • udp: use UDP transport for IKE.
  • udp-fallback-tcp: use UDP transport for IKE, with fallback to TCP transport.
  • tcp: use TCP transport for IKE.

fortinet-esp {enable | disable}

Enable/disable Fortinet ESP encapsulation.

fallback-tcp-threshold <integer>

Set the timeout before IKE/IPsec traffic falls back to TCP, in seconds (1 - 300, default = 15).

Example

In this example, IPsec VPN crosses over a carrier network and UDP packets are not allowed.

To encapsulate ESP packets within TCP headers:

  1. On each FortiGate, configure the IKE TCP port setting:

    config system settings
    set ike-tcp-port 1443
end

  2. Disable anti-replay in the global settings on the FGT_B (NAT) FortiGate (see step 7 for more information):

    config system global
    set anti-replay disable
    set hostname "FGT-B"
end

  3. Configure the FGT_A (spoke) FortiGate.

    1. Configure the IPsec phase 1 settings:

      config vpn ipsec phase1-interface
    edit "spoke"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set transport tcp
        set fortinet-esp enable
        set remote-gw 173.1.1.1
        set psksecret **********
    next
end

    2. Configure the IPsec phase 2 settings:

      config vpn ipsec phase2-interface
    edit "spoke"
        set phase1name "spoke"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-subnet 10.1.100.0 255.255.255.0
    next
end

      IKE and ESP will be encapsulated into TCP, and ESP packets encapsulated into a fake TCP header.

  4. Configure the FGT_C (spoke) FortiGate.

    1. Configure the IPsec phase 1 settings:

      config vpn ipsec phase1-interface
    edit "Spoke"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set transport udp-fallback-tcp
        set fortinet-esp enable
        set fallback-tcp-threshold 10
        set remote-gw 173.1.1.1
        set psksecret **********
    next
end

    2. Configure the IPsec phase 2 settings:

      config vpn ipsec phase2-interface
    edit "Spoke"
        set phase1name "Spoke"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-subnet 192.168.4.0 255.255.255.0
    next
end

      IKE will use UDP encapsulation first. If it fails to establish in 10 seconds, it will fall back to TCP. ESP packets are encapsulated into a fake TCP header.

  5. Configure the FGT_D (hub) FortiGate.

    1. Configure the IPsec phase 1 settings:

      config vpn ipsec phase1-interface
    edit "Hub"
        set type dynamic
        set interface "port25"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dpd on-idle
        set transport tcp
        set fortinet-esp enable
        set psksecret **********
        set dpd-retryinterval 60
    next
end

    2. Configure the IPsec phase 2 settings:

      config vpn ipsec phase2-interface
    edit "Hub"
        set phase1name "Hub"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

  6. Verify the IPsec VPN tunnel state on FGT_D (hub):

    # diagnose vpn ike gateway list

vd: root/0
name: Hub_0
version: 2
interface: port25 33
addr: 173.1.1.1:1443 -> 173.1.1.2:23496
tun_id: 173.1.1.2/::10.0.0.4
remote_location: 0.0.0.0
network-id: 0
transport: TCP
created: 733s ago
peer-id: 11.101.1.1
peer-id-auth: no
nat: peer
PPK: no
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 3 f050ac7a151a3b31/3b46b71108eea2e2
  direction: responder
  status: established 733-733s ago = 0ms
  proposal: aes128-sha256
  child: no
  SK_ei: 619dfbeb679345f7-531692a72da85727
  SK_er: 5b6a1625b2ce71cf-13b339289ca99b9d
  SK_ai: a61818128c0d5390-b6d15cf9eb58e0f6-4e8c552e6265387b-4f79dc3acdd5d092
  SK_ar: 64fb56b13ee65bd2-6ea1fb268b3ffad9-818c8e4d302a1176-c8978a8ce91d9856
  PPK: no
  message-id sent/recv: 11/2
  QKD: no
  lifetime/rekey: 86400/85396
  DPD sent/recv: 0000000c/0000000c
  peer-id: 11.101.1.1

vd: root/0
name: Hub_2
version: 2
interface: port25 33
addr: 173.1.1.1:1443 -> 173.1.1.2:12186
tun_id: 10.0.0.4/::10.0.0.6
remote_location: 0.0.0.0
network-id: 0
transport: TCP
created: 645s ago
peer-id: 172.16.200.3
peer-id-auth: no
nat: peer
PPK: no
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 17 7eb5a40cd324d2fc/f04fec6d8d77d996
  direction: responder
  status: established 645-645s ago = 0ms
  proposal: aes128-sha256
  child: no
  SK_ei: c1fe2027086b046b-0f15c6e2d25a255d
  SK_er: 3eac9a73b4dd2961-900c0af7f0e18abf
  SK_ai: e21ca3934cca7a85-af425d12baf40693-0c30e3f6d98a6a7d-273b33cc49155092
  SK_ar: 1bef95d13784e8e1-9894c1b3628e158a-3cbfe4f7a730d9de-c9150844e3ff2002
  PPK: no
  message-id sent/recv: 10/2
  QKD: no
  lifetime/rekey: 86400/85484
  DPD sent/recv: 0000000b/0000000b
  peer-id: 172.16.200.3

  7. Verify the ESP packets sniffed on the NAT device.

    In the packet capture, ESP packets are encapsulated into TCP ACK packets with the same sequence number. This is why anti-replay must be disabled on the NAT FortiGate.

Previous
Next