Fortinet white logo
Fortinet white logo

FortiWiFi and FortiAP Configuration Guide

Data channel security: clear-text, DTLS, and IPsec VPN

Data channel security: clear-text, DTLS, and IPsec VPN

After the FortiAP joins a FortiGate, a CAPWAP tunnel is established between the FortiGate and FortiAP.

There are two channels inside the CAPWAP tunnel:

  • The control channel for managing traffic, which is always encrypted by DTLS.
  • The data channel for carrying client data packets, which can be configured to be encrypted or not.

The default setting for dtls-policy is clear-text, meaning it is non-encrypted. The following settings are available to encrypt the data channel:

  • dtls-enabled
  • ipsec-vpn
  • ipsec-vpn-sn
config wireless-controller wtp-profile
  edit "FortiAP-profile-name"
    set dtls-policy clear-text|dtls-enabled|ipsec-vpn|ipsec-vpn-sn
  next
end

Of these settings, clear-text has the highest possible data throughput. Furthermore, FortiGates with hardware acceleration chips can offload CAPWAP data traffic in clear-text and achieve much higher throughput performance (see CAPWAP Offloading).

Note

You can only configure the data channel using the CLI.

When data security is not a major concern, we recommend that you set the data channel to non-encrypted. For example, when the FortiGate and FortiAP are operating in an internal network.

To set the data channel to non-encrypted using the CLI:
config wireless-controller wtp-profile
  edit "FortiAP-profile-name"
    set dtls-policy clear-text
  next
end

Encrypting the data channel

Note

There are data channel encryption settings on both the FortiGate unit and the FortiAP units. The settings must agree or the FortiAP unit will not be able to join the WiFi network. For more instructions on how to configure encryption on a FortiAP unit, see WiFi data channel encryption

When the FortiGate and FortiAP are in different networks, and the data channel might transit through a public network, we recommend that you encrypt the data channel to protect your data with either DTLS or IPsec VPN.

DTLS
To encrypt the data channel with DTLS using the CLI:
config wireless-controller wtp-profile
  edit "FortiAP-profile-name"
    set dtls-policy dtls-enabled
    set dtls-in-kernel disable|enable
  next
end

set dtls-in-kernel is only available after dtls-policy is set to dtls-enabled. When you enable dtls-in-kernel, the FortiAP OS kernel processes the traffic encryption and decryption, which could provide better throughput performance. DTLS encryption cannot be hardware-accelerated on the FortiGate so when DTLS is enabled, data throughput performance is significantly lower than with clear-text.

IPsec VPN
To encrypt the data channel with IPsec VPN using the CLI:
config wireless-controller wtp-profile
  edit "FortiAP-profile-name"
    set dtls-policy ipsec-vpn|ipsec-vpn-sn
  next
end

This automatically establishes an IPsec VPN tunnel between the FortiGate and FortiAP that carries CAPWAP data packets. FortiGates with NP6 chips can offload CAPWAP data traffic in IPsec, so this encryption option has better throughput performance than DTLS. Because there is no built-in hardware acceleration chip, the FortiAP is considered the performance bottleneck in this scenario.

Optionally, you can use the ipsec-vpn-sn policy instead. It also establishes an IPsec VPN tunnel between the FortiGate and FortiAP that carries CAPWAP data packets, but it includes the FortiAP serial number within this tunnel.

Data channel security: clear-text, DTLS, and IPsec VPN

Data channel security: clear-text, DTLS, and IPsec VPN

After the FortiAP joins a FortiGate, a CAPWAP tunnel is established between the FortiGate and FortiAP.

There are two channels inside the CAPWAP tunnel:

  • The control channel for managing traffic, which is always encrypted by DTLS.
  • The data channel for carrying client data packets, which can be configured to be encrypted or not.

The default setting for dtls-policy is clear-text, meaning it is non-encrypted. The following settings are available to encrypt the data channel:

  • dtls-enabled
  • ipsec-vpn
  • ipsec-vpn-sn
config wireless-controller wtp-profile
  edit "FortiAP-profile-name"
    set dtls-policy clear-text|dtls-enabled|ipsec-vpn|ipsec-vpn-sn
  next
end

Of these settings, clear-text has the highest possible data throughput. Furthermore, FortiGates with hardware acceleration chips can offload CAPWAP data traffic in clear-text and achieve much higher throughput performance (see CAPWAP Offloading).

Note

You can only configure the data channel using the CLI.

When data security is not a major concern, we recommend that you set the data channel to non-encrypted. For example, when the FortiGate and FortiAP are operating in an internal network.

To set the data channel to non-encrypted using the CLI:
config wireless-controller wtp-profile
  edit "FortiAP-profile-name"
    set dtls-policy clear-text
  next
end

Encrypting the data channel

Note

There are data channel encryption settings on both the FortiGate unit and the FortiAP units. The settings must agree or the FortiAP unit will not be able to join the WiFi network. For more instructions on how to configure encryption on a FortiAP unit, see WiFi data channel encryption

When the FortiGate and FortiAP are in different networks, and the data channel might transit through a public network, we recommend that you encrypt the data channel to protect your data with either DTLS or IPsec VPN.

DTLS
To encrypt the data channel with DTLS using the CLI:
config wireless-controller wtp-profile
  edit "FortiAP-profile-name"
    set dtls-policy dtls-enabled
    set dtls-in-kernel disable|enable
  next
end

set dtls-in-kernel is only available after dtls-policy is set to dtls-enabled. When you enable dtls-in-kernel, the FortiAP OS kernel processes the traffic encryption and decryption, which could provide better throughput performance. DTLS encryption cannot be hardware-accelerated on the FortiGate so when DTLS is enabled, data throughput performance is significantly lower than with clear-text.

IPsec VPN
To encrypt the data channel with IPsec VPN using the CLI:
config wireless-controller wtp-profile
  edit "FortiAP-profile-name"
    set dtls-policy ipsec-vpn|ipsec-vpn-sn
  next
end

This automatically establishes an IPsec VPN tunnel between the FortiGate and FortiAP that carries CAPWAP data packets. FortiGates with NP6 chips can offload CAPWAP data traffic in IPsec, so this encryption option has better throughput performance than DTLS. Because there is no built-in hardware acceleration chip, the FortiAP is considered the performance bottleneck in this scenario.

Optionally, you can use the ipsec-vpn-sn policy instead. It also establishes an IPsec VPN tunnel between the FortiGate and FortiAP that carries CAPWAP data packets, but it includes the FortiAP serial number within this tunnel.