FortiGate
FortiArt
Staff
Article Id 272874
Description

This article describes the effect of the 'set esn require' setting configured in phase-1 of an IPSec VPN tunnel, and what happens to phase-2 of the tunnel when the setting is misconfigured or accidentally configured on only one end of the IPSec VPN tunnel.

Scope

FortiGate models.

Solution

The ESN (extended sequence number) setting is an IPSec standard that uses a 64-bit sequence number instead of the regular 32-bit one. Because the sequence-number space is much larger than the regular SN, the IPSec VPN tunnel can transfer large amounts of data at high speed without re-keying.

When 'set esn require' is configured on both ends of an IPSec VPN, phase-1 and phase-2 of the IPSec VPN tunnel come up and the tunnel functions as expected. Using extended sequence numbers allows the tunnel to transmit large volumes of data at high speed without re-keying.

When 'set esn require' is configured on only one end of an IPSec VPN, phase-1 of the IPSec VPN tunnel will show the 'up' status. However, phase-2 will never come up on either end of the IPSec VPN tunnel.

Example configuration with 'set esn require' set on only one end of an IPSec VPN:

[Screenshot: ESN configuration]

The following screenshots show that phase-2 of the IPSec VPN has the 'down' status on both ends of the tunnel:


[Screenshot: Tunnel phase-2 status, ESN-require side]

[Screenshot: Tunnel phase-2 status, remote side]

Run the IKE debugs as follows:

[Screenshot: IKE debug commands]

The IPSec VPN initiator end will always show the errors 'NO-PROPOSAL-CHOSEN' and 'delete phase2 SPI xxxxxxxx', as shown in the following debug outputs.

An initiator where 'set esn require' is configured:


[Screenshot: Initiator debug output, ESN-require side]

An initiator where 'set esn require' is NOT configured:


[Screenshot: Initiator debug output, remote side]

The IPSec VPN responder end will always show the errors 'negotiation failure', 'no SA proposal chosen' and 'error processing quick-mode message from x.x.x.x as responder', as shown in the following debug outputs.

A responder where 'set esn require' is configured:


[Screenshot: Responder debug output, ESN-require side]

A responder where 'set esn require' is NOT configured:


[Screenshot: Responder debug output, remote side]

In summary, when 'set esn require' is configured on both ends of the IPSec VPN tunnel, the tunnel works as expected: it uses the larger 64-bit sequence-number space instead of the standard regular SN and can transfer large amounts of data at high speed without re-keying. However, if it is accidentally configured on only one end of the IPSec VPN tunnel, the tunnel will not work as expected and phase-2 will never come up; running the IKE debugs will show the errors above.
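As an added example (not code from the article or from Fortinet), the following Python audit parses the 'config vpn ipsec phase1-interface' blocks from both ends' CLI output and flags the one-sided 'set esn require' mismatch described above before the tunnel is brought up. The sample snippets, tunnel names and addresses are constructed; treating a missing 'set esn' line as 'disable' and treating 'allow' as compatible with either peer are assumptions about FortiOS, not statements from the page.

```python
import re

# Constructed sample FortiGate CLI snippets for the two tunnel ends (not from the article).
SITE_A_CFG = """
config vpn ipsec phase1-interface
    edit "to-siteB"
        set remote-gw 203.0.113.2
        set esn require
    next
end
"""
SITE_B_CFG = """
config vpn ipsec phase1-interface
    edit "to-siteA"
        set remote-gw 198.51.100.1
    next
end
"""

PHASE1_SECTION = re.compile(r"config vpn ipsec phase1-interface\n(.*?)\nend", re.S)
EDIT_BLOCK = re.compile(r'edit "([^"]+)"\n(.*?)\n\s*next', re.S)


def esn_settings(cli_text):
    """Map each phase1-interface name to its 'set esn' value. A missing line is
    reported as 'disable', assumed here to be the FortiOS default."""
    result = {}
    for section in PHASE1_SECTION.findall(cli_text):
        for name, body in EDIT_BLOCK.findall(section):
            m = re.search(r"^\s*set esn (\S+)", body, re.M)
            result[name] = m.group(1) if m else "disable"
    return result


def esn_compatible(local_esn, remote_esn):
    """'require' on one end against 'disable' on the other is the mismatch the
    article describes; 'allow' is assumed to accept either outcome."""
    ends = {local_esn, remote_esn}
    return not ("require" in ends and "disable" in ends)


def audit_tunnel(local_cfg, local_name, remote_cfg, remote_name):
    """Return (phase2_can_negotiate, local_esn, remote_esn) for one peer pair."""
    local = esn_settings(local_cfg).get(local_name, "disable")
    remote = esn_settings(remote_cfg).get(remote_name, "disable")
    return esn_compatible(local, remote), local, remote


if __name__ == "__main__":
    ok, a, b = audit_tunnel(SITE_A_CFG, "to-siteB", SITE_B_CFG, "to-siteA")
    print(f"site A esn={a}, site B esn={b}: {'OK' if ok else 'MISMATCH, phase-2 will stay down'}")
```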
