Encapsulate ESP packets within TCP headers
FortiOS includes a proprietary solution for encapsulating Encapsulating Security Payload (ESP) packets within Transmission Control Protocol (TCP) headers. Because the encapsulated packets carry a TCP port number, they can traverse carrier networks where native IPsec traffic (ESP as IP protocol 50, or UDP port 4500 with NAT-T) is blocked or impeded by carrier-grade NAT.
This feature only works with IKE version 2, and it does not support ADVPN.
To configure the TCP port for IKE/IPsec traffic:

    config system settings
        set ike-tcp-port <integer>
    end

ike-tcp-port <integer>
    Set the TCP port for IKE/IPsec traffic (1 - 65535, default = 4500).
To configure ESP encapsulation on the phase 1 interface:

    config vpn ipsec phase1-interface
        edit <name>
            set ike-version 2
            set transport {udp | udp-fallback-tcp | tcp}
            set fortinet-esp {enable | disable}
            set fallback-tcp-threshold <integer>
        next
    end

transport {udp | udp-fallback-tcp | tcp}
    Set the IKE transport protocol. With udp-fallback-tcp, IKE tries UDP first and falls back to TCP after fallback-tcp-threshold seconds.

fortinet-esp {enable | disable}
    Enable/disable Fortinet ESP encapsulation.

fallback-tcp-threshold <integer>
    Set the timeout before IKE/IPsec traffic falls back to TCP, in seconds (1 - 300, default = 15).
Example
In this example, an IPsec VPN crosses a carrier network that does not allow UDP packets.
To encapsulate ESP packets within TCP headers:
1. On each FortiGate, configure the IKE TCP port setting:

    config system settings
        set ike-tcp-port 1443
    end
2. Disable anti-replay in the global settings on the FGT_B (NAT) FortiGate (see step 7 for the reason):

    config system global
        set anti-replay disable
        set hostname "FGT-B"
    end

   Note that anti-replay in config system global controls TCP sequence checking for every session that traverses FGT_B, not only the tunnel, so this relaxes that check for all traffic passing through the NAT device.
3. Configure the FGT_A (spoke) FortiGate.

   a. Configure the IPsec phase 1 settings:

    config vpn ipsec phase1-interface
        edit "spoke"
            set interface "wan1"
            set ike-version 2
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set transport tcp
            set fortinet-esp enable
            set remote-gw 173.1.1.1
            set psksecret **********
        next
    end

   b. Configure the IPsec phase 2 settings:

    config vpn ipsec phase2-interface
        edit "spoke"
            set phase1name "spoke"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set src-subnet 10.1.100.0 255.255.255.0
        next
    end

   IKE and ESP are both encapsulated in TCP; the ESP packets are carried inside a fake TCP header. The aes128-sha1 and aes256-sha1 entries are the weakest proposals in this list; remove them if every peer can negotiate one of the SHA-256 or GCM proposals.
4. Configure the FGT_C (spoke) FortiGate.

   a. Configure the IPsec phase 1 settings:

    config vpn ipsec phase1-interface
        edit "Spoke"
            set interface "wan1"
            set ike-version 2
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set transport udp-fallback-tcp
            set fortinet-esp enable
            set fallback-tcp-threshold 10
            set remote-gw 173.1.1.1
            set psksecret **********
        next
    end

   b. Configure the IPsec phase 2 settings:

    config vpn ipsec phase2-interface
        edit "Spoke"
            set phase1name "Spoke"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set src-subnet 192.168.4.0 255.255.255.0
        next
    end

   IKE uses UDP encapsulation first. If the tunnel is not established within 10 seconds (the fallback-tcp-threshold), IKE falls back to TCP. ESP packets are encapsulated in a fake TCP header.
5. Configure the FGT_D (hub) FortiGate.

   a. Configure the IPsec phase 1 settings:

    config vpn ipsec phase1-interface
        edit "Hub"
            set type dynamic
            set interface "port25"
            set ike-version 2
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set dpd on-idle
            set transport tcp
            set fortinet-esp enable
            set psksecret **********
            set dpd-retryinterval 60
        next
    end

   b. Configure the IPsec phase 2 settings:

    config vpn ipsec phase2-interface
        edit "Hub"
            set phase1name "Hub"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        next
    end
6. Verify the IPsec VPN tunnel state on FGT_D (hub). Both spokes appear with transport: TCP on the hub's local port 1443 (the configured ike-tcp-port), nat: peer, and an established IKE SA and IPsec SA:

    # diagnose vpn ike gateway list
    vd: root/0
    name: Hub_0
    version: 2
    interface: port25 33
    addr: 173.1.1.1:1443 -> 173.1.1.2:23496
    tun_id: 173.1.1.2/::10.0.0.4
    remote_location: 0.0.0.0
    network-id: 0
    transport: TCP
    created: 733s ago
    peer-id: 11.101.1.1
    peer-id-auth: no
    nat: peer
    PPK: no
    IKE SA: created 1/1  established 1/1  time 0/0/0 ms
    IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

      id/spi: 3 f050ac7a151a3b31/3b46b71108eea2e2
      direction: responder
      status: established 733-733s ago = 0ms
      proposal: aes128-sha256
      child: no
      SK_ei: 619dfbeb679345f7-531692a72da85727
      SK_er: 5b6a1625b2ce71cf-13b339289ca99b9d
      SK_ai: a61818128c0d5390-b6d15cf9eb58e0f6-4e8c552e6265387b-4f79dc3acdd5d092
      SK_ar: 64fb56b13ee65bd2-6ea1fb268b3ffad9-818c8e4d302a1176-c8978a8ce91d9856
      PPK: no
      message-id sent/recv: 11/2
      QKD: no
      lifetime/rekey: 86400/85396
      DPD sent/recv: 0000000c/0000000c
      peer-id: 11.101.1.1

    vd: root/0
    name: Hub_2
    version: 2
    interface: port25 33
    addr: 173.1.1.1:1443 -> 173.1.1.2:12186
    tun_id: 10.0.0.4/::10.0.0.6
    remote_location: 0.0.0.0
    network-id: 0
    transport: TCP
    created: 645s ago
    peer-id: 172.16.200.3
    peer-id-auth: no
    nat: peer
    PPK: no
    IKE SA: created 1/1  established 1/1  time 0/0/0 ms
    IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

      id/spi: 17 7eb5a40cd324d2fc/f04fec6d8d77d996
      direction: responder
      status: established 645-645s ago = 0ms
      proposal: aes128-sha256
      child: no
      SK_ei: c1fe2027086b046b-0f15c6e2d25a255d
      SK_er: 3eac9a73b4dd2961-900c0af7f0e18abf
      SK_ai: e21ca3934cca7a85-af425d12baf40693-0c30e3f6d98a6a7d-273b33cc49155092
      SK_ar: 1bef95d13784e8e1-9894c1b3628e158a-3cbfe4f7a730d9de-c9150844e3ff2002
      PPK: no
      message-id sent/recv: 10/2
      QKD: no
      lifetime/rekey: 86400/85484
      DPD sent/recv: 0000000b/0000000b
      peer-id: 172.16.200.3
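The hub output above is easy to eyeball for two spokes but not for dozens. The following script is an added example, not FortiOS code: it splits `diagnose vpn ike gateway list` output into one record per gateway (each record starts at a `vd:` line) and flags any gateway that is not IKEv2, not on TCP transport, not on the configured `ike-tcp-port`, or without an established IPsec SA. `SAMPLE` is trimmed from the page's own hub output; reading the first figure of `established N/M` as the number of established SAs is an assumption.

```python
"""Audit 'diagnose vpn ike gateway list' output for ESP-in-TCP tunnels.

Added example; this is not FortiOS code. SAMPLE is trimmed from the hub
output shown on this page (gateways Hub_0 and Hub_2); in practice, paste the
full CLI output in its place. Records are split on 'vd:' lines, which begin
each gateway entry. Reading the first figure of 'established N/M' as the
number of established SAs is an assumption.
"""
import re

SAMPLE = """\
vd: root/0
name: Hub_0
version: 2
interface: port25 33
addr: 173.1.1.1:1443 -> 173.1.1.2:23496
transport: TCP
nat: peer
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
vd: root/0
name: Hub_2
version: 2
interface: port25 33
addr: 173.1.1.1:1443 -> 173.1.1.2:12186
transport: TCP
nat: peer
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
"""

SA_RE = re.compile(r"created\s+(\d+)/(\d+)\s+established\s+(\d+)/(\d+)")


def parse_gateways(text):
    """Split the output into one dict of 'key: value' fields per gateway.

    Only the first occurrence of a key is kept, so the per-SA 'peer-id'
    that repeats later in a full record does not overwrite the gateway's own.
    """
    gateways, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("vd:"):
            current = {}
            gateways.append(current)
        if current is None or ":" not in line:
            continue
        key, value = line.split(":", 1)
        current.setdefault(key.strip(), value.strip())
    return gateways


def audit(gateways, expected_port):
    """Return a list of findings; an empty list means every gateway looks as intended."""
    findings = []
    for gw in gateways:
        name = gw.get("name", "?")
        if gw.get("version") != "2":
            findings.append(f"{name}: ESP-in-TCP requires IKEv2, got version {gw.get('version')}")
        if gw.get("transport") != "TCP":
            findings.append(f"{name}: transport is {gw.get('transport')}, not TCP")
        # 'addr' reads 'local:port -> remote:port'; the local port must be ike-tcp-port.
        local = gw.get("addr", "").split("->")[0].strip()
        port = int(local.rsplit(":", 1)[1]) if ":" in local else None
        if port != expected_port:
            findings.append(f"{name}: local port {port} != ike-tcp-port {expected_port}")
        m = SA_RE.search(gw.get("IPsec SA", ""))
        if not m or m.group(3) == "0":
            findings.append(f"{name}: no established IPsec SA")
    return findings


if __name__ == "__main__":
    gws = parse_gateways(SAMPLE)
    print(f"{len(gws)} gateway(s) parsed")
    for finding in audit(gws, 1443) or ["no findings"]:
        print(finding)
```

Run it against the full output of the hub; a spoke that silently came up on UDP (for example because udp-fallback-tcp never had to fall back) shows up as a transport finding rather than being missed.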
7. Verify the ESP packets sniffed on the NAT device.

   In the packet capture, the ESP packets are carried in TCP ACK segments that all use the same sequence number. A TCP sequence check on the NAT FortiGate would treat those segments as replays and drop them, which is why anti-replay must be disabled on the NAT FortiGate.
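To make the anti-replay point concrete, the following is an added example, not FortiOS code and not the proprietary encapsulation format. It builds synthetic IPv4/TCP segments modelled on what the capture shows (ESP-like payloads inside ACK segments whose TCP sequence number never advances), then runs a toy per-flow sequence tracker over them, standing in for a firewall's TCP sequence check, once enabled and once disabled, next to an ordinary TCP stream for contrast. The addresses, port 1443 and the payload bytes are constructed.

```python
"""Why a TCP sequence check breaks Fortinet ESP-in-TCP.

Added example; not FortiOS code and not the proprietary encapsulation format.
Synthetic IPv4/TCP segments are built in the shape the page's capture shows:
ESP carried in TCP ACK segments whose sequence number never advances. A toy
per-flow sequence tracker (a stand-in for a firewall's TCP sequence /
anti-replay check) is run over them enabled and disabled. All addresses,
port numbers and payload bytes below are constructed for the example.
"""
import os
import socket
import struct

TCP_ACK = 0x10


def build_segment(src, dst, sport, dport, seq, ack, flags, payload):
    """Return raw IPv4 + TCP bytes (checksums left zero; not needed here)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_segment(pkt):
    """Decode the fields the sequence check needs from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    doff = (off >> 4) * 4
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags, "payload": pkt[ihl + doff:]}


class SeqCheck:
    """Toy stand-in for a stateful firewall's TCP sequence check.

    A data segment whose sequence number does not advance past data already
    seen on the flow is treated as a replay and dropped. When disabled it
    passes everything, which is what 'set anti-replay disable' buys on the
    NAT device (at the cost of that check for every flow through it).
    """

    def __init__(self, enabled=True):
        self.enabled = enabled
        self.next_seq = {}  # (src, sport, dst, dport) -> next expected sequence number

    def accept(self, seg):
        if not self.enabled or not seg["payload"]:
            return True
        flow = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        expected = self.next_seq.get(flow)
        if expected is not None and seg["seq"] < expected:
            return False  # does not advance past data already seen: treated as a replay
        self.next_seq[flow] = seg["seq"] + len(seg["payload"])
        return True


def esp_in_tcp_segments(n, seq=0x1000):
    """ESP-like payloads (SPI + ESP sequence + opaque bytes) in ACK segments
    that all reuse the same TCP sequence number, as in the page's capture."""
    return [build_segment("173.1.1.2", "173.1.1.1", 23496, 1443, seq, seq, TCP_ACK,
                          struct.pack("!II", 0xC0FFEE00, i + 1) + os.urandom(48))
            for i in range(n)]


def normal_tcp_segments(n, seq=0x1000):
    """An ordinary data stream whose sequence number advances by the payload length."""
    payload = b"A" * 56
    return [build_segment("173.1.1.2", "173.1.1.1", 40000, 443,
                          seq + i * len(payload), 1, TCP_ACK, payload)
            for i in range(n)]


def count_accepted(packets, check_enabled):
    """Number of packets a SeqCheck in the given mode lets through."""
    check = SeqCheck(enabled=check_enabled)
    return sum(1 for p in packets if check.accept(parse_segment(p)))


if __name__ == "__main__":
    esp, plain = esp_in_tcp_segments(5), normal_tcp_segments(5)
    print("ESP-in-TCP, sequence check on :", count_accepted(esp, True), "of 5")
    print("ESP-in-TCP, sequence check off:", count_accepted(esp, False), "of 5")
    print("plain TCP,  sequence check on :", count_accepted(plain, True), "of 5")
```

With the check enabled only the first encapsulated segment survives and the tunnel stalls, while the plain stream passes untouched; with it disabled all five ESP-in-TCP segments get through. The same reasoning applies to any other stateful middlebox between the peers, not just the NAT FortiGate.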