
Administration Guide

Tunneling protocol and encapsulation

Fortinet’s IPsec VPN offers the following options for tunneling and encapsulation:

  • Native ESP

  • UDP encapsulation

  • TCP encapsulation with Fortinet proprietary extension

  • TCP encapsulation using RFC 8229

  • TCP encapsulation using RFC 8229 with TLS 1.3

When ESP is used without encapsulation, it connects directly over IP protocol 50. When ESP is encapsulated within UDP, it uses UDP/500 and UDP/4500 for NAT traversal; these are the options for dialup IPsec VPN. Furthermore, the port can be modified on a per-VDOM basis.

FortiGate can also operate in an Auto-transport mode, where UDP is attempted first before failing over to TCP or TCP with TLS. By default, TCP encapsulation and Auto-transport are disabled per VDOM. Once enabled, tunnels can be changed to use Auto-transport mode.

This allows IPsec to encapsulate ESP packets within TCP and operate on TCP port 443 (default), enabling ESP packets to traverse carrier networks where direct IPsec traffic is blocked or impeded by carrier-grade NAT.

This feature requires using IKE version 2. For remote access over dialup tunnels, it also requires FortiClient 7.4.1 or later.

Tunnel and encapsulation settings

In the GUI, go to VPN > VPN Tunnels and select the Settings tab.

In the CLI:

config system settings
    set ike-tcp-service {enable | disable}
    set ike-tls-service {enable | disable}
end

Both settings are per-VDOM settings that control whether IKE over TCP and IKE over TLS can be used in VPN tunnels. Both are disabled by default.

When ike-tcp-service is enabled, dialup VPNs configured in the VDOM behave as the Auto transport option: transport over UDP is preferred, but when the IKE connection cannot be made over UDP, communication is attempted over TCP or TLS. For site-to-site VPNs, you must set the transport option to Auto to use TCP or TLS.

When disabled (default), dialup VPNs will not attempt to connect over TCP.

Upgrading from 7.6 and lower:

  1. If a dynamic-type dialup VPN with auto or TCP transport mode exists, the ike-tcp-service setting is enabled for the VDOM.

  2. If a static VPN with TCP transport mode exists, the ike-tcp-service setting is enabled for the VDOM.

  3. If a static VPN with auto transport mode exists, that VPN will be changed to use transport UDP.
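The following audit script is an added example, not Fortinet code. It parses a constructed FortiGate-style configuration, applies the three upgrade rules above to derive the post-upgrade ike-tcp-service value for each VDOM, and then reports the transport each tunnel will actually use according to the behaviour described for enabled and disabled VDOMs. It assumes a CLI shape this page does not show: phase1-interface entries carrying `set type dynamic|static` and `set transport udp|tcp|auto`; the sample configuration is constructed, not taken from a device.

```python
"""Audit helper for FortiGate IKE transport settings (added example, not Fortinet code).

Assumptions not stated on this page: phase1-interface entries carry
'set type dynamic|static' and 'set transport udp|tcp|auto'; each VDOM's
'config system settings' carries 'set ike-tcp-service enable|disable'.
"""
from dataclasses import dataclass, field

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """
config vdom
    edit "root"
        config system settings
            set ike-tcp-service disable
        end
        config vpn ipsec phase1-interface
            edit "dialup-clients"
                set type dynamic
                set transport auto
            next
            edit "site-b"
                set type static
                set transport auto
            next
        end
    next
    edit "guest"
        config system settings
            set ike-tcp-service disable
        end
        config vpn ipsec phase1-interface
            edit "site-c"
                set type static
                set transport udp
            next
        end
    next
end
"""


@dataclass
class Tunnel:
    name: str
    dialup: bool        # 'set type dynamic' => dialup tunnel
    transport: str      # 'udp', 'tcp' or 'auto'


@dataclass
class Vdom:
    ike_tcp_service: bool = False
    tunnels: dict = field(default_factory=dict)


def parse_config(text):
    """Walk the nested config/edit/set/next/end structure into Vdom objects."""
    vdoms = {}
    stack = []  # names of the currently open 'config <x>' / 'edit <x>' blocks
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            stack.append(line.split(None, 1)[1].strip('"'))
        elif line in ("end", "next"):
            stack.pop()
        elif line.startswith("set ") and len(stack) >= 3 and stack[0] == "vdom":
            key, value = line[4:].split(None, 1)
            vdom = vdoms.setdefault(stack[1], Vdom())
            if stack[2] == "system settings" and key == "ike-tcp-service":
                vdom.ike_tcp_service = (value == "enable")
            elif stack[2] == "vpn ipsec phase1-interface" and len(stack) == 4:
                tun = vdom.tunnels.setdefault(stack[3], Tunnel(stack[3], False, "udp"))
                if key == "type":
                    tun.dialup = (value == "dynamic")
                elif key == "transport":
                    tun.transport = value
    return vdoms


def apply_upgrade_rules(vdoms):
    """Apply the three upgrade rules listed above, in place, and return the result."""
    for vdom in vdoms.values():
        for tun in vdom.tunnels.values():
            if tun.dialup and tun.transport in ("auto", "tcp"):
                vdom.ike_tcp_service = True      # rule 1: dynamic dialup with auto/TCP
            elif not tun.dialup and tun.transport == "tcp":
                vdom.ike_tcp_service = True      # rule 2: static tunnel with TCP
            elif not tun.dialup and tun.transport == "auto":
                tun.transport = "udp"            # rule 3: static tunnel with auto -> UDP
    return vdoms


def effective_transport(vdom, tun):
    """Transport a tunnel will negotiate, as a reading of the behaviour described above."""
    if not vdom.ike_tcp_service:
        return "udp"          # disabled: TCP/TLS is never attempted
    if tun.dialup:
        return "auto"         # enabled: dialup behaves as Auto regardless of its setting
    return tun.transport      # site-to-site: fallback only when explicitly set to auto


def audit(text):
    """Map (vdom, tunnel) -> effective transport after the upgrade rules are applied."""
    vdoms = apply_upgrade_rules(parse_config(text))
    return {(v, t): effective_transport(vdom, tun)
            for v, vdom in vdoms.items() for t, tun in vdom.tunnels.items()}


if __name__ == "__main__":
    for (v, t), transport in audit(SAMPLE_CONFIG).items():
        print(f"{v}/{t}: {transport}")
```

Running it against the constructed sample shows the root VDOM gaining ike-tcp-service through its dialup tunnel while its static site-b tunnel is forced back to UDP, and the guest VDOM, which has no TCP or auto tunnels, staying UDP-only.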
