FortiAP
Adolfo_Z_H, Staff
Article Id 315704
Description

 

This article describes how to use an IPsec management tunnel for a remote FortiAP.

 

Scope

 

FortiGate as Wireless Controller, all FortiAP devices.

 

Solution

 

Besides the traditional CAPWAP tunnel used to provision FortiAP devices and to carry Wi-Fi client data traffic to and from the wireless controller, FortiGate and FortiAP can protect that traffic with one of two encryption mechanisms, DTLS or IPsec. The choice is made per AP profile with the wtp-profile setting dtls-policy, whose options cover clear-text, DTLS and IPsec VPN.

 

This is a quick example of how to create an IPsec-enabled AP profile and apply it to a FortiAP device:

 

config wireless-controller wtp-profile
    edit "example"
        set dtls-policy ipsec-vpn   <--- selects the IPsec tunnel for this profile
    next
end

config wireless-controller wtp
    edit "FPXXXXXXXX"
        set wtp-profile "example"
    next
end

 

After a FortiAP with IPsec enabled is successfully discovered, the FortiGate automatically creates a dynamic (dial-up) IPsec phase 1 interface and a phase 2 interface, an XAuth user group 'wlc-group' containing the local user 'wlc-user', and a firewall policy, all bound to the FortiAP management interface on the FortiGate. These objects are required for the feature to work as intended.

 

These automatically generated objects are easy to identify by the comment set on each of them: 'Do NOT edit. Automatically generated by wireless controller.'

 

This is an example of the generated configuration:

 

config vpn ipsec phase1-interface
...
    edit "wlc-00XX.00"
        set type dynamic
        set interface "FGT_fap_ Management"
        set local-gw 1.1.1.1
        set mode aggressive
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dpd on-idle
        set comments "Do NOT edit. Automatically generated by wireless controller."
        set dhgrp 20
        set xauthtype auto
        set authusrgrp "wlc-group"
        set peerid "wlc-00XX.00"
        set ipv4-start-ip 169.254.0.2
        set ipv4-end-ip 169.254.0.254
        set dns-mode auto
        set psksecret ENC
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
...
    edit "wlc-00XX.00"
        set phase1name "wlc-00XX.00"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 20
        set comments "Do NOT edit. Automatically generated by wireless controller."
    next
end
config firewall policy
    edit 6
        set name "wlc-00XX.00"
        set uuid 5513d1d4-fe75-51ee-b88c-4507f59356de
        set srcintf "wlc-00XX.00"
        set dstintf "FGT_fap_ Management"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set comments "Do NOT edit. Automatically generated by wireless controller."
    next
end

 

Do not edit or change any of these objects: altering them prevents every FortiAP that uses IPsec for management and data traffic from connecting to the FortiGate.
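The warning above is easy to violate by accident, for example by a hardening script that rewrites every phase1-interface. The following is an added example (not Fortinet's code) that parses the FortiOS CLI fragments shown above and reports drift on any wlc-* IPsec object: a changed or missing 'Do NOT edit' comment, phase 1 settings that differ from what the controller generated, or a missing phase 2 or firewall policy. The input text is assumed to be the output of 'show' for those tables or a configuration backup; the sample below is constructed from the article's own example and shortened.

```python
"""Added example (not Fortinet's code): parse FortiOS CLI config blocks and
check that the auto-generated wlc-* IPsec objects are still intact.
The INTACT text is constructed from the article's example and shortened."""
import re

AUTO_COMMENT = "Do NOT edit. Automatically generated by wireless controller."

# Phase 1 settings the wireless controller generates for a wlc-* tunnel
# (taken from the article's example). Anything different is drift.
EXPECTED_PHASE1 = {
    "type": "dynamic", "mode": "aggressive", "mode-cfg": "enable",
    "proposal": "aes256-sha256", "dhgrp": "20", "xauthtype": "auto",
    "authusrgrp": "wlc-group",
}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def _tokens(line):
    """Split one CLI line into words, keeping quoted names and comments whole."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(line)]


def parse_fortios(text):
    """Parse 'config / edit / set / next / end' blocks into
    {section: {object: {attribute: value}}}. Elided '...' lines are skipped;
    sub-tables nested inside an 'edit' (not used by these objects) are not handled."""
    cfg, sections, obj = {}, [], None
    for raw in text.splitlines():
        tok = _tokens(raw.strip())
        if not tok or tok[0] == "...":
            continue
        if tok[0] == "config":
            sections.append(" ".join(tok[1:]))
            cfg.setdefault(sections[-1], {})
        elif tok[0] == "edit":
            obj = cfg[sections[-1]].setdefault(tok[1], {})
        elif tok[0] == "set" and obj is not None:
            obj[tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):
            obj = None
            if tok[0] == "end":
                sections.pop()
    return cfg


def check_wlc_objects(cfg):
    """Return one finding per deviation on a wlc-* phase 1: altered comment,
    changed phase 1 settings, missing phase 2, or missing accept policy."""
    findings = []
    phase2 = cfg.get("vpn ipsec phase2-interface", {})
    policies = cfg.get("firewall policy", {}).values()
    for name, attrs in cfg.get("vpn ipsec phase1-interface", {}).items():
        if not name.startswith("wlc-"):
            continue
        if attrs.get("comments") != AUTO_COMMENT:
            findings.append(f"{name}: auto-generated comment missing or altered")
        for key, want in EXPECTED_PHASE1.items():
            if attrs.get(key) != want:
                findings.append(f"{name}: {key}={attrs.get(key)!r}, expected {want!r}")
        if phase2.get(name, {}).get("phase1name") != name:
            findings.append(f"{name}: no matching phase2-interface")
        if not any(p.get("srcintf") == name and p.get("action") == "accept" for p in policies):
            findings.append(f"{name}: no accept policy with srcintf {name}")
    return findings


# Constructed sample: the article's generated objects, shortened.
INTACT = """
config vpn ipsec phase1-interface
    edit "wlc-00XX.00"
        set type dynamic
        set interface "FGT_fap_ Management"
        set mode aggressive
        set mode-cfg enable
        set proposal aes256-sha256
        set comments "Do NOT edit. Automatically generated by wireless controller."
        set dhgrp 20
        set xauthtype auto
        set authusrgrp "wlc-group"
        set peerid "wlc-00XX.00"
    next
end
config vpn ipsec phase2-interface
    edit "wlc-00XX.00"
        set phase1name "wlc-00XX.00"
        set proposal aes128-sha256 aes256-sha256 aes256gcm
        set dhgrp 20
        set comments "Do NOT edit. Automatically generated by wireless controller."
    next
end
config firewall policy
    edit 6
        set name "wlc-00XX.00"
        set srcintf "wlc-00XX.00"
        set dstintf "FGT_fap_ Management"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set comments "Do NOT edit. Automatically generated by wireless controller."
    next
end
"""

# Constructed drift: an administrator changed the DH group and deleted the
# policy, exactly the kind of edit the article says not to make.
TAMPERED = INTACT.replace("set dhgrp 20\n        set xauthtype", "set dhgrp 14\n        set xauthtype")
TAMPERED = TAMPERED[:TAMPERED.index("config firewall policy")]

if __name__ == "__main__":
    for label, text in (("intact", INTACT), ("tampered", TAMPERED)):
        print(label, check_wlc_objects(parse_fortios(text)) or "OK")
```

Run it against a backup taken before and after any bulk configuration change; an empty finding list for every wlc-* object means the controller-generated tunnel definitions were left alone.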

 

After a wtp-profile is changed to 'set dtls-policy ipsec-vpn' and assigned to a FortiAP, the FortiGate records the resulting configuration events in its system event log. Note the ui value 'cw_acd' in the second entry: that is the wireless controller daemon creating the local user, as opposed to the administrator's own edit of the profile in the third entry.

 

--- simplified output ---

 

... logid="0100022042" type="event" subtype="system" level="notice" vd="root" logdesc="Device in the Security Fabric was updated." sn="FGTXXXXXXX" ... msg="A device in the Security Fabric was updated."

 

... logid="0100032132" type="event" subtype="system" level="notice" vd="root" logdesc="Local user added" ui="cw_acd" name="wlc-user" status="enable" msg="User added local user wlc-user from cw_acd"


... logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(X.X.X.X)" action="Edit" cfgtid=6946996 cfgpath="wireless-controller.wtp-profile" cfgobj="example" cfgattr="dtls-policy[clear-text->ipsec-vpn]" msg="Edit wireless-controller.wtp-profile example"

 

VPN events for the IPsec phase 1 negotiation associated with the tunnel user should also be observed. The example below shows a negotiation attempt from the FortiAP that failed at stage 1 (status="failure", result="ERROR"); a successful build-up logs the same event ID with status="success".

 

--- simplified output ---

 

.... logid="0101037128" type="event" subtype="vpn" level="error" vd="root" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=1.1.1.100 locip=1.1.1.1 remport=500 locport=500 outintf="FGT_fap_ Management" cookies="6bbfdfb62cf02006/0000000000000000" user="wlc-00XX.00" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="failure" init="remote" mode="aggressive" dir="inbound" stage=1 role="responder" result="ERROR" advpnsc=0
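The system and VPN events above are what an operator would watch for when rolling this feature out, and, given the warning about not touching the generated objects, also the edits they would want to be alerted on. As an added example (not Fortinet's code), the following parses FortiOS key=value event logs and classifies them: the controller's own configuration writes (ui="cw_acd"), the administrator's dtls-policy change, phase 1 negotiation failures for wlc-* tunnels, and configuration edits to wlc-* IPsec or policy objects made by anyone other than the controller. The log lines are constructed from the article's examples and shortened; the 'manual edit' line and the assumption that any write to a wlc-* object not made via cw_acd is a manual edit are mine, not from the article.

```python
"""Added example (not Fortinet's code): triage FortiOS event logs for the
IPsec FortiAP management tunnel. SAMPLE is constructed from the article's
log examples; the cfgpath="vpn.ipsec.phase1-interface" line is an assumed
example of an administrator editing an auto-generated object."""
import re

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

WLC_DAEMON = "cw_acd"  # ui the wireless controller uses when it writes config
# Assumption: these are the config paths of the objects the controller generates.
AUTO_PATHS = ("vpn.ipsec.phase1-interface", "vpn.ipsec.phase2-interface", "firewall.policy")


def parse_log(line):
    """FortiOS event logs are key=value pairs; values are quoted or bare."""
    return {k: quoted if quoted else bare for k, quoted, bare in _KV.findall(line)}


def triage(lines):
    """Return (kind, summary) for each event relevant to the wlc-* tunnels."""
    events = []
    for line in lines:
        e = parse_log(line)
        logid, ui = e.get("logid"), e.get("ui", "")
        if logid == "0100032132" and ui == WLC_DAEMON:
            events.append(("controller-config", f"controller added local user {e.get('name')}"))
        elif logid == "0100044547" and "dtls-policy[" in e.get("cfgattr", ""):
            events.append(("profile-change",
                           f"{e.get('user')} set {e.get('cfgattr')} on wtp-profile {e.get('cfgobj')}"))
        elif (logid == "0100044547" and e.get("cfgpath") in AUTO_PATHS
              and e.get("cfgobj", "").startswith("wlc-") and ui != WLC_DAEMON):
            # Assumption: a write to a wlc-* object not made by cw_acd is a manual edit.
            events.append(("manual-edit",
                           f"{e.get('user')} via {ui} changed {e.get('cfgpath')} "
                           f"{e.get('cfgobj')}: {e.get('cfgattr')}"))
        elif logid == "0101037128" and e.get("user", "").startswith("wlc-"):
            kind = "phase1-failure" if e.get("status") == "failure" else "phase1-progress"
            events.append((kind, f"{e.get('user')} peer {e.get('remip')} "
                                 f"stage {e.get('stage')} {e.get('result')}"))
    return events


# Constructed sample lines (shortened from the article; last two are assumed).
SAMPLE = [
    '... logid="0100032132" type="event" subtype="system" level="notice" vd="root" '
    'logdesc="Local user added" ui="cw_acd" name="wlc-user" status="enable" '
    'msg="User added local user wlc-user from cw_acd"',
    '... logid="0100044547" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(X.X.X.X)" action="Edit" '
    'cfgpath="wireless-controller.wtp-profile" cfgobj="example" '
    'cfgattr="dtls-policy[clear-text->ipsec-vpn]" msg="Edit wireless-controller.wtp-profile example"',
    '... logid="0101037128" type="event" subtype="vpn" level="error" vd="root" '
    'logdesc="Progress IPsec phase 1" action="negotiate" remip=1.1.1.100 locip=1.1.1.1 '
    'user="wlc-00XX.00" status="failure" mode="aggressive" stage=1 role="responder" result="ERROR"',
    # Assumed: an administrator edits the generated phase 1 over SSH.
    '... logid="0100044547" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="ssh(X.X.X.X)" action="Edit" '
    'cfgpath="vpn.ipsec.phase1-interface" cfgobj="wlc-00XX.00" cfgattr="dhgrp[20->14]" '
    'msg="Edit vpn.ipsec.phase1-interface wlc-00XX.00"',
    '... logid="0100022042" type="event" subtype="system" level="notice" vd="root" '
    'logdesc="Device in the Security Fabric was updated." sn="FGTXXXXXXX" '
    'msg="A device in the Security Fabric was updated."',
]

if __name__ == "__main__":
    for kind, summary in triage(SAMPLE):
        print(f"{kind:18} {summary}")
```

The Security Fabric update event is deliberately not classified, since it carries no detail about the tunnel; the manual-edit class is the one worth wiring to an alert, because the next thing after it is usually every IPsec-managed FortiAP dropping off the controller.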

 

Note that once the feature is disabled for all APs that use the profile, the automatically generated objects described above are deleted again after a few minutes.

 

Refer to the following links for more detail on configuring this feature and on verifying that it is working properly on both the FortiGate and the FortiAP:

 

Data channel security: clear-text, DTLS, and IPsec VPN

Add support for an IPsec VPN tunnel that carries the FortiAP SN