Encapsulate ESP packets within TCP headers
FortiOS supports encapsulation of IKE and ESP packets within Transmission Control Protocol (TCP) headers, in accordance with RFC 8229. This allows IKE and ESP packets to be carried on a configurable TCP port, so they can traverse carrier networks where direct IPsec traffic (UDP 500/4500 or raw ESP) is blocked or impeded by carrier-grade NAT. Because the TCP encapsulation method is standards-based, it interoperates with other vendors' implementations, so you can keep a secure and efficient network while choosing the hardware that best fits your requirements.
This feature only works with IKE version 2, and it does not support ADVPN or NPU offloading.
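The framing that RFC 8229 defines, and that both ends of a TCP-encapsulated tunnel must agree on, is simple: the TCP originator first sends the six-byte stream prefix `IKETCP`, and every IKE message or ESP packet is then written as a 16-bit big-endian length (counting the length field itself) followed by the message, where IKE messages carry the same four zero-octet non-ESP marker used on UDP/4500 and ESP packets start with their non-zero SPI. The following Python is an added example written for this page, not FortiOS code; the sample IKE header and ESP packet are constructed inline and the only FortiOS-specific detail assumed is none. It shows the part a packet parser or IDS has to get right: TCP delivers a byte stream, so frames must be reassembled across arbitrary segment boundaries.

```python
import struct

# RFC 8229 section 3 constants: the TCP originator sends the prefix once,
# before any frames; each frame is a 16-bit big-endian length that counts
# itself, followed by the message. IKE messages carry the 4-octet non-ESP
# marker (as on UDP/4500); ESP packets begin with their SPI, which is never 0.
STREAM_PREFIX = b"IKETCP"
NON_ESP_MARKER = b"\x00\x00\x00\x00"
MAX_FRAME = 0xFFFF

def frame_message(kind: str, payload: bytes) -> bytes:
    """Encapsulate one IKE message or ESP packet into a single RFC 8229 TCP frame."""
    if kind == "IKE":
        body = NON_ESP_MARKER + payload
    elif kind == "ESP":
        if payload[:4] == NON_ESP_MARKER:
            raise ValueError("ESP SPI 0 is reserved and would collide with the non-ESP marker")
        body = payload
    else:
        raise ValueError("kind must be 'IKE' or 'ESP'")
    total = 2 + len(body)
    if total > MAX_FRAME:
        raise ValueError("message does not fit in the 16-bit length field")
    return struct.pack("!H", total) + body

def build_originator_stream(messages) -> bytes:
    """Bytes the TCP originator writes: stream prefix, then one frame per message."""
    return STREAM_PREFIX + b"".join(frame_message(k, p) for k, p in messages)

class TcpDeframer:
    """Receive-side parser. TCP preserves no message boundaries, so feed()
    accepts arbitrary chunks and returns only the complete (kind, payload)
    messages found so far, buffering any partial frame."""
    def __init__(self, expect_prefix: bool):
        self.buf = b""
        self.expect_prefix = expect_prefix   # True on the responder side of the connection

    def feed(self, data: bytes):
        self.buf += data
        out = []
        if self.expect_prefix:
            if len(self.buf) < len(STREAM_PREFIX):
                return out
            if not self.buf.startswith(STREAM_PREFIX):
                raise ValueError("stream does not begin with the IKETCP prefix")
            self.buf = self.buf[len(STREAM_PREFIX):]
            self.expect_prefix = False
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if length < 2 + 4:
                raise ValueError("frame shorter than the length field plus marker/SPI")
            if len(self.buf) < length:
                break   # wait for the rest of this frame
            body, self.buf = self.buf[2:length], self.buf[length:]
            if body.startswith(NON_ESP_MARKER):
                out.append(("IKE", body[4:]))
            else:
                out.append(("ESP", body))
        return out

# Constructed sample traffic (not a capture): a bare 28-byte IKEv2 header for an
# IKE_SA_INIT request (SPIi set, SPIr zero, next payload SA, flags = Initiator),
# and an ESP packet with a non-zero SPI, sequence number 1 and dummy ciphertext.
SAMPLE_IKE = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, 28)
SAMPLE_ESP = struct.pack("!II", 0x0000ABCD, 1) + b"\xde\xad\xbe\xef" * 4

def roundtrip_fragmented(messages, chunk: int = 3):
    """Frame the messages, then deliver the stream in small chunks as TCP may,
    and return what the receiving side reassembles."""
    stream = build_originator_stream(messages)
    deframer = TcpDeframer(expect_prefix=True)
    received = []
    for i in range(0, len(stream), chunk):
        received.extend(deframer.feed(stream[i:i + chunk]))
    return received

if __name__ == "__main__":
    msgs = [("IKE", SAMPLE_IKE), ("ESP", SAMPLE_ESP)]
    print("reassembled correctly:", roundtrip_fragmented(msgs) == msgs)
```

The deframer rejects a stream that does not open with the prefix and any frame shorter than a length field plus a marker or SPI; a real implementation would additionally validate the IKE header length and the ESP packet against the negotiated SA before acting on either.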
You can choose between a standards-based (RFC 8229) or Fortinet-proprietary method to encapsulate IKE and ESP traffic within TCP headers. This table compares the encapsulation methods. Using the standards-based method is recommended.
| Encapsulation method | Dialup IPsec VPN using FortiClient | IPsec VPN between FortiGate and FortiGate | IPsec VPN between FortiGate and 3rd party device | Supports TLS 1.3 |
|---|---|---|---|---|
| RFC 8229 compliant ( | Supported. For example, see Dialup IPsec VPN using custom TCP port. | Supported. | Supported. | Yes. See TLS 1.3 based VPN over TCP. |
| Fortinet proprietary ( | Not supported. | Supported. See VPN over TCP with Fortinet proprietary encapsulation. | Not supported. | No. |
To configure TCP encapsulation for IPsec VPN in the GUI:
1. Go to VPN > VPN Tunnels and select the Settings tab.
2. Enable Allow VPN negotiation over TCP.
3. Optionally, enable TLS 1.3 (this corresponds to ike-tls-service in the CLI).
4. Optionally, change the TCP port.
5. Click OK.
To configure TCP encapsulation for IPsec VPN in the CLI:
config system settings
set ike-tcp-service {enable | disable}
set ike-tls-service {enable | disable}
set ike-tcp-port <port>
end
| Command | Description |
|---|---|
| ike-tcp-service {enable \| disable} | Enable/disable the use of TCP transport for IKE and ESP. Disabled by default. This is a per-VDOM setting. |
| ike-tls-service {enable \| disable} | When ike-tcp-service is enabled, enable/disable the use of TLS 1.3 for the TCP transport. |
| ike-tcp-port <port> | Set the TCP port for IKE/IPsec traffic (1 - 65535, default = 443). When ike-tcp-port is 4500, the IKE daemon listens on TCP port 4500 only. When any other port is configured, the IKE daemon listens on ports 4500 and 11443, and traffic arriving on the configured ike-tcp-port is redirected internally to port 11443. |
config vpn ipsec phase1-interface
edit <name>
set ike-version 2
set transport {auto | udp}
set fortinet-esp {enable | disable}
next
end
| Command | Description |
|---|---|
| transport {auto \| udp} | Set the IKE transport protocol (auto or udp). This setting is only available in a site-to-site VPN configuration (type is either static or ddns). |
| fortinet-esp {enable \| disable} | Enable/disable encapsulation of ESP (Encapsulating Security Payload) packets within Fortinet-proprietary, non-standard TCP headers. This proprietary method is designed to offload IPsec VPN traffic to Fortinet's NP (Network Processor) ASICs to improve performance. It is not supported for dialup IPsec VPN using FortiClient or for IPsec VPN between a FortiGate and a 3rd party device (see the comparison table above). Keep this setting disabled in those two scenarios so that ESP packets continue to flow encapsulated within standard (RFC 8229) TCP headers. |
When using TCP port 443 for IKE/IPsec traffic, GUI access can be affected for interfaces that are bound to an IPsec tunnel when the GUI admin port is also using port 443. To ensure continued functionality, change either the IKE/IPsec port or the administrative access port. See GUI warnings for IKE-TCP port conflicts.
To change the administrative access port:
config system global
set admin-sport <port>
end
| Command | Description |
|---|---|
| admin-sport <port> | Set the administrative access port for HTTPS (1 - 65535, default = 443). |
If the IKE/IPsec TCP port conflicts with a port used by ZTNA or Agentless VPN, ZTNA and Agentless VPN take precedence. To avoid port conflicts with other services, review the FortiOS Ports guide for the other incoming ports used on the FortiGate.
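The constraints this page states are easy to violate when the settings are spread over three CLI sections: ike-tcp-port must not equal admin-sport, TCP encapsulation applies only to IKEv2 tunnels, fortinet-esp must stay disabled on dialup tunnels, and fortinet-esp does not support TLS 1.3. The following Python is an added example for this page, not a Fortinet tool: it parses the config/edit/set/next/end CLI structure from a constructed configuration fragment and reports each of those problems, then shows the same audit passing after the fixes. The parser is deliberately minimal (it does not qualify nested config blocks by their parent), and the defaults assumed when a key is absent (ike-version 1, type static) are assumptions, not taken from this page.

```python
import shlex

# Constructed FortiOS CLI fragment for this example (not a real device export).
# It deliberately carries several of the problems this page warns about.
CONFIG_BEFORE = """
config system global
    set admin-sport 443
end
config system settings
    set ike-tcp-service enable
    set ike-tls-service disable
    set ike-tcp-port 443
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set type static
        set ike-version 2
        set transport auto
        set fortinet-esp enable
    next
    edit "dialup-clients"
        set type dynamic
        set ike-version 1
        set fortinet-esp enable
    next
end
"""

# Corrected fragment: admin HTTPS moved off 443, the dialup tunnel moved to IKEv2,
# and fortinet-esp disabled (the replace also clears it on to-branch, which is harmless).
CONFIG_AFTER = (CONFIG_BEFORE
                .replace("set admin-sport 443", "set admin-sport 8443")
                .replace("set ike-version 1", "set ike-version 2")
                .replace("set fortinet-esp enable", "set fortinet-esp disable"))

def parse_fortios_config(text):
    """Minimal parser for the config/edit/set/next/end structure.
    Returns {section: {entry_name: {key: value}}}; settings placed directly
    under 'config' (no 'edit') are stored under the entry name ""."""
    sections = {}
    stack = []  # one [section, current_entry] pair per open config block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        cmd, args = words[0], words[1:]
        if cmd == "config":
            section = " ".join(args)
            sections.setdefault(section, {})
            stack.append([section, ""])
        elif cmd == "edit":
            stack[-1][1] = args[0]
            sections[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set":
            section, entry = stack[-1]
            sections[section].setdefault(entry, {})[args[0]] = " ".join(args[1:])
        elif cmd == "next":
            stack[-1][1] = ""
        elif cmd == "end":
            stack.pop()
        else:
            raise ValueError("unexpected CLI line: " + raw)
    return sections

def check_tcp_encapsulation(sections):
    """Apply the constraints stated on this page; return a list of findings."""
    findings = []
    glob = sections.get("system global", {}).get("", {})
    settings = sections.get("system settings", {}).get("", {})
    tcp_on = settings.get("ike-tcp-service") == "enable"
    tls_on = settings.get("ike-tls-service") == "enable"
    ike_port = int(settings.get("ike-tcp-port", "443"))   # page: default 443
    admin_port = int(glob.get("admin-sport", "443"))     # page: default 443
    if tcp_on and ike_port == admin_port:
        findings.append("ike-tcp-port %d is also the HTTPS admin port (admin-sport); "
                        "change one of them" % ike_port)
    for name, p1 in sections.get("vpn ipsec phase1-interface", {}).items():
        if not name:
            continue
        # Assumed defaults when keys are absent: ike-version 1, type static.
        if tcp_on and p1.get("ike-version", "1") != "2":
            findings.append("%s: ike-version is not 2, so TCP encapsulation does not apply" % name)
        if p1.get("fortinet-esp") == "enable":
            if p1.get("type", "static") == "dynamic":
                findings.append("%s: fortinet-esp is enabled on a dialup tunnel, which is "
                                "not supported; disable it" % name)
            if tls_on:
                findings.append("%s: fortinet-esp does not support TLS 1.3, but "
                                "ike-tls-service is enabled" % name)
    return findings

def audit(text):
    return check_tcp_encapsulation(parse_fortios_config(text))

if __name__ == "__main__":
    for finding in audit(CONFIG_BEFORE):
        print("FINDING:", finding)
    print("after fix:", audit(CONFIG_AFTER))
```

Run against CONFIG_BEFORE the audit reports the admin-port collision and the two problems on the dialup tunnel; against CONFIG_AFTER it reports nothing. A tunnel to a third-party device cannot be recognised from the configuration alone, so that fortinet-esp case still needs a manual check.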