FortiGate
syao
Staff
Article Id 300834
Description

This article describes the proprietary solution, introduced in FortiOS v7.4.2, for encapsulating Encapsulating Security Payload (ESP) packets within Transmission Control Protocol (TCP) headers.

It allows ESP packets to be assigned a port number, enabling them to traverse carrier networks where direct IPsec traffic is blocked or impeded by carrier-grade NAT.

Scope

FortiGate v7.4.2 or above.
Solution

Assume the topology in the diagram below:

[diagram.png]

  1. Create an IPsec tunnel on both FortiGates via the CLI and ensure the IKE version is 2.

FortiGate-A:


config vpn ipsec phase1-interface
    edit "TCP_IPSEC"
        set interface "port1"
        set peertype any
        set ike-version 2
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set remote-gw 10.47.2.115
        set psksecret XXX
    next
end

FortiGate-B (its remote-gw is FortiGate-A's address, 10.47.4.134, as seen in the verification output):

config vpn ipsec phase1-interface
    edit "TCP_IPSEC"
        set interface "port1"
        set peertype any
        set ike-version 2
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set remote-gw 10.47.4.134
        set psksecret XXX
    next
end

  2. Change the transport type to TCP.

config vpn ipsec phase1-interface
    edit "TCP_IPSEC"
        set transport tcp
    next
end

This would force the FortiGate to use TCP as the transport when sending/receiving the IKE packets for this tunnel.

  3. Enable 'fortinet-esp'.

config vpn ipsec phase1-interface
    edit "TCP_IPSEC"
        set fortinet-esp enable
    next
end

  • This would force the FortiGate to use TCP as the transport when sending/receiving the ESP packets for this tunnel.
  • By default, the FortiGate will use TCP port 4500. It is possible to change this to a different port number by modifying the 'ike-tcp-port' option under 'config system settings'. The same port must be configured on both peers.


config system settings
    set ike-tcp-port <integer>
end

Verification:

FortiGate-A # diagnose vpn ike gateway list

vd: root/0
name: TCP_IPSEC
version: 2
interface: port1 3
addr: 10.47.4.134:4500 -> 10.47.2.115:1265
tun_id: 10.47.2.115/::10.47.2.115
remote_location: 0.0.0.0
network-id: 0
transport: TCP
created: 2589s ago
peer-id: 10.47.2.115
peer-id-auth: no
PPK: no
IKE SA: created 1/1 established 1/1 time 160/160/160 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 46 8dfbaaa88edc80a0/5f7b0e209692b481
direction: responder
status: established 2589-2589s ago = 160ms
proposal: aes128-sha256
child: no
SK_ei: 8d9660ccfe355d6a-0784d7294ccda0bb
SK_er: 6a965e82a1d16c31-6ff77b02919f43b5
SK_ai: 405c0521a1fce02a-209bbcd4cec91112-c7db90ebd6d8e398-f6a5274c037bbdac
SK_ar: f3eee165e4b19d60-e97fd94542279032-fc5f3d9bdb748405-6e58918d00e07d2e
PPK: no
message-id sent/recv: 0/2
QKD: no
lifetime/rekey: 86400/83540
DPD sent/recv: 00000000/00000000
peer-id: 10.47.2.115
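As an added example that is not part of this article or of Fortinet's tooling, the following Python parses saved 'diagnose vpn ike gateway list' output and checks each tunnel for TCP transport, an established IKE SA, and the expected 'ike-tcp-port' (4500 by default). The embedded sample is abbreviated from the verification output above; the port check looks at the local port for a responder and the remote port for an initiator.

```python
"""Check 'diagnose vpn ike gateway list' output for ESP/IKE-over-TCP tunnels (added example)."""
import re

# Constructed sample, abbreviated from the FortiGate-A verification output.
SAMPLE_OUTPUT = """\
vd: root/0
name: TCP_IPSEC
version: 2
interface: port1 3
addr: 10.47.4.134:4500 -> 10.47.2.115:1265
tun_id: 10.47.2.115/::10.47.2.115
transport: TCP
created: 2589s ago
IKE SA: created 1/1 established 1/1 time 160/160/160 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 46 8dfbaaa88edc80a0/5f7b0e209692b481
direction: responder
status: established 2589-2589s ago = 160ms
"""

ADDR_RE = re.compile(r"^(?P<lip>[\d.]+):(?P<lport>\d+) -> (?P<rip>[\d.]+):(?P<rport>\d+)$")


def parse_gateways(text):
    """Return one dict per tunnel; each tunnel block starts at a 'vd:' line."""
    gateways, current = [], None
    for line in text.splitlines():
        if line.startswith("vd:"):
            current = {}
            gateways.append(current)
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), value.strip())  # first value wins (summary over SA block)
    return gateways


def check_tcp_transport(gw, expected_port=4500):
    """Return a list of findings; an empty list means the tunnel runs over TCP on the expected port."""
    name, findings = gw.get("name", "?"), []
    if gw.get("transport") != "TCP":
        findings.append(f"{name}: transport {gw.get('transport')!r}, expected 'TCP'")
    m = ADDR_RE.match(gw.get("addr", ""))
    if not m:
        findings.append(f"{name}: unparsable addr line {gw.get('addr')!r}")
    else:
        # The responder listens on ike-tcp-port; the initiator connects to that port on the peer.
        port = m.group("lport") if gw.get("direction") == "responder" else m.group("rport")
        if int(port) != expected_port:
            findings.append(f"{name}: IKE/ESP port {port} != ike-tcp-port {expected_port}")
    sa = re.search(r"established (\d+)/(\d+)", gw.get("IKE SA", ""))
    if not sa or int(sa.group(1)) < 1:
        findings.append(f"{name}: no established IKE SA")
    return findings
```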
