Assume the diagram below:
- Create an IPsec tunnel on both FortiGates via CLI and ensure the IKE version is 2.
FortiGate-A:
config vpn ipsec phase1-interface
    edit "TCP_IPSEC"
        set interface "port1"
        set peertype any
        set ike-version 2
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set remote-gw 10.47.2.115
        set psksecret XXX
    next
end
FortiGate-B:
config vpn ipsec phase1-interface
    edit "TCP_IPSEC"
        set interface "port1"
        set peertype any
        set ike-version 2
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set remote-gw 10.47.4.134
        set psksecret XXX
    next
end
- Change the transport type to TCP.
config vpn ipsec phase1-interface
    edit "TCP_IPSEC"
        set transport tcp
    next
end
This forces the FortiGate to use TCP as the transport when sending and receiving the IKE packets for this tunnel.
- Enable 'fortinet-esp'.
config vpn ipsec phase1-interface
    edit "TCP_IPSEC"
        set fortinet-esp enable
    next
end
This forces the FortiGate to use TCP as the transport when sending and receiving the ESP packets for this tunnel.
- By default, the FortiGate uses TCP port 4500. It is possible to change this to a different port number by modifying the 'ike-tcp-port' option under 'config system settings'.
config system settings
    set ike-tcp-port <integer>
end
Verification:
FortiGate-A # diagnose vpn ike gateway list

vd: root/0
name: TCP_IPSEC
version: 2
interface: port1 3
addr: 10.47.4.134:4500 -> 10.47.2.115:1265
tun_id: 10.47.2.115/::10.47.2.115
remote_location: 0.0.0.0
network-id: 0
transport: TCP
created: 2589s ago
peer-id: 10.47.2.115
peer-id-auth: no
PPK: no
IKE SA: created 1/1 established 1/1 time 160/160/160 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

  id/spi: 46 8dfbaaa88edc80a0/5f7b0e209692b481
  direction: responder
  status: established 2589-2589s ago = 160ms
  proposal: aes128-sha256
  child: no
  SK_ei: 8d9660ccfe355d6a-0784d7294ccda0bb
  SK_er: 6a965e82a1d16c31-6ff77b02919f43b5
  SK_ai: 405c0521a1fce02a-209bbcd4cec91112-c7db90ebd6d8e398-f6a5274c037bbdac
  SK_ar: f3eee165e4b19d60-e97fd94542279032-fc5f3d9bdb748405-6e58918d00e07d2e
  PPK: no
  message-id sent/recv: 0/2
  QKD: no
  lifetime/rekey: 86400/83540
  DPD sent/recv: 00000000/00000000
  peer-id: 10.47.2.115
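The fields that matter in the output above are 'version: 2', 'transport: TCP', the port in the 'addr' line and the 'established' count of the IKE SA. The following added Python script (not part of the original article or of FortiOS) parses a gateway listing of this shape and flags a tunnel that is not running IKEv2 over TCP on the expected port; the sample text is constructed from the first block shown above.

```python
import re

# Constructed sample shaped like the `diagnose vpn ike gateway list`
# output above (first block only, trimmed to the fields that are checked).
SAMPLE = """\
vd: root/0
name: TCP_IPSEC
version: 2
interface: port1 3
addr: 10.47.4.134:4500 -> 10.47.2.115:1265
transport: TCP
IKE SA: created 1/1 established 1/1 time 160/160/160 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
"""

KEY_RE = re.compile(r"^([-\w/ ]+?):\s*(.*)$")      # "key: value" lines
ADDR_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")  # local:port -> peer:port
SA_RE = re.compile(r"established (\d+)/(\d+)")       # "IKE SA:" counters

def parse_gateways(text):
    """Split the listing into one dict per gateway; each block starts at 'vd:'."""
    gateways, current = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "vd":
            current = {}
            gateways.append(current)
        if current is not None:
            current[key] = value
    return gateways

def check_tcp_gateway(gw, expected_port=4500):
    """Return findings for one gateway; an empty list means IKEv2 over TCP is up."""
    findings = []
    if gw.get("version") != "2":
        findings.append("ike-version is not 2")
    if gw.get("transport") != "TCP":
        findings.append(f"transport is {gw.get('transport')}, expected TCP")
    m = ADDR_RE.match(gw.get("addr", ""))
    # Only the responder listens on ike-tcp-port; the initiator's local port is
    # ephemeral (1265 above), so the expected port must appear on either side.
    if not m or expected_port not in (int(m.group(2)), int(m.group(4))):
        findings.append(f"neither side uses TCP port {expected_port}")
    sa = SA_RE.search(gw.get("IKE SA", ""))
    if not sa or int(sa.group(1)) == 0:
        findings.append("no established IKE SA")
    return findings
```

If 'ike-tcp-port' was changed from its default, pass that value as expected_port.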