syao
Staff & Editor
February 23, 2024

Technical Tip: How to use TCP as transport for IKE/IPsec traffic

Description

This article describes the options available in FortiOS for encapsulating Encapsulating Security Payload (ESP) packets within Transmission Control Protocol (TCP) headers.

Encapsulation gives ESP packets a TCP port number, enabling them to traverse carrier networks where direct IPsec traffic is blocked or impeded by carrier-grade NAT.

Scope

FortiGate v7.4.2 or above, IKEv2.

Solution

See Encapsulate ESP packets within TCP headers for a comparison of the standards-based and proprietary options.

Option 1: TCP encapsulation using standards-based RFC 8229.

Requires FortiOS v7.4.4 or later.

See the article Technical Tip: How to configure FortiGate to use TCP encapsulation of IKE and IPsec packets. This is the only FortiClient-compatible TCP encapsulation option and is also the recommended option for FortiGate-to-FortiGate and FortiGate-to-third-party tunnels.

Option 2: The 'fortinet-esp' proprietary protocol.

Requires FortiOS v7.4.2 or later. Only tunnels between two FortiGates with fortinet-esp enabled are supported, and ADVPN is not supported. For a configuration example, see Encapsulate ESP packets within TCP headers.

Note that when fortinet-esp is enabled, the TCP headers that carry ESP traffic all reuse the same TCP sequence number, so the packets may be dropped by carrier networks that block what looks like TCP replay traffic. If ESP packets are not arriving on the remote FortiGate, use Option 1 instead.

 

Default IKE TCP port:

By default, the FortiGate uses TCP port 4500. It is possible to change this to a different port number by going to the global settings and modifying the 'ike-tcp-port' option.


config system settings
    set ike-tcp-port <integer>
end

Note that changing ike-tcp-port bounces all IPsec tunnels. In production, changing the TCP port can cause an interruption in IPsec traffic and may require 'diagnose vpn ike restart' to bring the tunnels back up.
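As an added example (not FortiOS code, and not taken from any of the Fortinet documents referenced here), the Python below frames and parses the RFC 8229 encapsulation that Option 1 uses, so an engineer looking at a capture of the IKE TCP port (4500 by default) can confirm that the reassembled stream really carries IKETCP-framed IKE and ESP records, and can tell IKE records (4-octet non-ESP marker) from ESP records (SPI and sequence number). The sample stream is constructed inline; the 16-bit Length field is treated as counting itself, as RFC 8229 section 3 specifies. The proprietary fortinet-esp format of Option 2 is a different encapsulation and is not parsed here.

```python
"""Framing and parsing of RFC 8229 TCP-encapsulated IKE/ESP (added example, not FortiOS code)."""
import struct

STREAM_PREFIX = b"IKETCP"              # sent once by the initiator right after the TCP handshake
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero octets precede every IKE message
IKE_HEADER_LEN = 28                    # fixed IKEv2 header size (RFC 7296)
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def frame(message: bytes) -> bytes:
    """Prefix one IKE or ESP message with the 16-bit Length field (the length counts itself)."""
    return struct.pack("!H", len(message) + 2) + message


def build_ike_header(ispi, rspi, next_payload, exch, flags, msg_id, total_len) -> bytes:
    # Initiator SPI(8) Responder SPI(8) Next Payload(1) Version(1) Exchange(1) Flags(1) MsgID(4) Length(4)
    return struct.pack("!QQBBBBII", ispi, rspi, next_payload, 0x20, exch, flags, msg_id, total_len)


def parse_ike(msg: bytes) -> dict:
    """Decode the fixed IKEv2 header that follows the non-ESP marker."""
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    ispi, rspi, _np, version, exch, flags, msg_id, length = struct.unpack_from("!QQBBBBII", msg)
    return {
        "type": "IKE",
        "ispi": ispi,
        "rspi": rspi,
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "initiator": bool(flags & 0x08),
        "msg_id": msg_id,
        "declared_len": length,
    }


def parse_esp(msg: bytes) -> dict:
    """Decode the ESP header: a non-zero SPI followed by the anti-replay sequence number."""
    if len(msg) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack_from("!II", msg)
    return {"type": "ESP", "spi": spi, "seq": seq, "payload_len": len(msg) - 8}


def parse_stream(data: bytes, expect_prefix: bool = True):
    """Parse bytes from one direction of a reassembled TCP stream. Returns (records, leftover)."""
    records = []
    pos = 0
    if expect_prefix:
        if len(data) < len(STREAM_PREFIX):
            return records, data
        if not data.startswith(STREAM_PREFIX):
            raise ValueError("stream does not start with the IKETCP prefix")
        pos = len(STREAM_PREFIX)
    while pos + 2 <= len(data):
        (length,) = struct.unpack_from("!H", data, pos)
        if length < 2 + 4:  # must at least hold the Length field plus a marker or SPI
            raise ValueError(f"invalid Length {length} at offset {pos}")
        if pos + length > len(data):
            break  # record straddles a segment boundary: caller re-feeds leftover + next segment
        body = data[pos + 2 : pos + length]
        records.append(parse_ike(body[4:]) if body.startswith(NON_ESP_MARKER) else parse_esp(body))
        pos += length
    return records, data[pos:]


# Constructed sample: an IKE_SA_INIT request (header only, no payloads) followed by one ESP record.
IKE_MSG = build_ike_header(0x0102030405060708, 0, 33, 34, 0x08, 0, IKE_HEADER_LEN)
ESP_MSG = struct.pack("!II", 0xC0FFEE01, 7) + bytes(16)  # SPI, sequence number, dummy ciphertext
SAMPLE_STREAM = STREAM_PREFIX + frame(NON_ESP_MARKER + IKE_MSG) + frame(ESP_MSG)


def demo():
    """Parse the whole sample, then the same bytes split mid-record to show the leftover handling."""
    full, rest = parse_stream(SAMPLE_STREAM)
    if rest:
        raise ValueError("unexpected trailing bytes")
    first, left = parse_stream(SAMPLE_STREAM[:50])                     # ESP record cut short
    second, _ = parse_stream(left + SAMPLE_STREAM[50:], expect_prefix=False)
    return full, first + second


if __name__ == "__main__":
    for rec in demo()[0]:
        print(rec)
```

The parser expects already-reassembled TCP payload bytes for one direction of the connection (only the initiator sends the IKETCP prefix), so on a real capture the stream would first be extracted with a packet tool; the parser itself is transport-agnostic, which is why it works unchanged on port 443 streams in releases that default to that port.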

 

In FortiOS v7.6.1 and above, TCP port 443 is used by default to encapsulate ESP packets within TCP headers.

Notes:

  1. For Windows, Windows Server, and macOS, FortiClient VPN-only versions 7.4.3+ no longer support IPsec over TCP. See the FortiClient standalone and licensed version feature comparison.
  2. Caution regarding the use of IKE over TCP: it should only be used when UDP ports 500/4500 are blocked. IKE over TCP can significantly impact performance, because tunnels cannot be offloaded and traffic is processed by the CPU in user space. The IKE daemon runs as a single process, making it prone to high CPU utilization (up to 99%) when IKE over TCP is enabled.
  3. Starting from FortiOS v7.6.5, IPsec VPN supports IKE negotiation over UDP port 443. This capability enables seamless migration of SSL VPN users who previously relied on DTLS over UDP/443 for connectivity. For additional details, see this document: Allow UDP port 443 for dial-up IPsec VPN.

 

Related documents:

  • Technical Tip: How to use TCP as the failback transport for IKE
  • Technical Tip: How to configure FortiGate to use TCP encapsulation of IKE and IPsec packets
  • IPsec VPN over TCP on Windows, macOS, and Linux 7.4.1
  • GUI warnings for IKE-TCP port conflicts 7.6.3
  • Technical Tip: Dial-up VPN IPsec over TCP best practices