Sometimes, IKE/ESP packets are blocked between a FortiGate and its remote IPsec peers; NAT traversal (NAT-T) is normally used in that case to encapsulate IKE and ESP packets into UDP 4500. In some situations UDP 4500 can be blocked as well, so v7.4.4 introduced a new feature that supports RFC 8229. With this RFC, the FortiGate encapsulates the IKE/ESP packets into TCP 4500.
This RFC implementation needs to be supported and pre-configured on both ends to work. This option is valid only for IKEv2.
Topology: (diagram not reproduced)
Configuration:
Fortigate_1 IPSec config:
config vpn ipsec phase1-interface
    edit "VPN_TCP1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set transport tcp
        set remote-gw 192.168.1.118
        set psksecret ENC xxxxxx
    next
end
Fortigate_2 IPSec config:
config vpn ipsec phase1-interface
    edit "VPN_TCP"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set transport tcp
        set remote-gw 192.168.1.115
        set psksecret ENC xxxxxxx
    next
end
The option 'set transport tcp' can be configured only using the CLI.
How the initial TCP handshake looks on both devices:
Fortigate_1:
105.090140 port1 in 192.168.1.115.9123 -> 192.168.1.118.4500: syn 3255444993
105.090183 port1 out 192.168.1.118.4500 -> 192.168.1.115.9123: syn 2160451633 ack 3255444994
105.090242 port1 in 192.168.1.115.9123 -> 192.168.1.118.4500: ack 2160451634
105.090278 port1 in 192.168.1.115.9123 -> 192.168.1.118.4500: psh 3255444994 ack 2160451634
105.090286 port1 out 192.168.1.118.4500 -> 192.168.1.115.9123: ack 3255445000
108.088002 port1 in 192.168.1.115.9123 -> 192.168.1.118.4500: psh 3255445000 ack 2160451634
108.088028 port1 out 192.168.1.118.4500 -> 192.168.1.115.9123: ack 3255445638
Fortigate_2:
93.886129 port1 out 192.168.1.115.9123 -> 192.168.1.118.4500: syn 3255444993
93.886262 port1 in 192.168.1.118.4500 -> 192.168.1.115.9123: syn 2160451633 ack 3255444994
93.886283 port1 out 192.168.1.115.9123 -> 192.168.1.118.4500: ack 2160451634
93.886319 port1 out 192.168.1.115.9123 -> 192.168.1.118.4500: psh 3255444994 ack 2160451634
93.886390 port1 in 192.168.1.118.4500 -> 192.168.1.115.9123: ack 3255445000
96.351795 port1 in 192.168.1.118.9359 -> 192.168.1.115.4500: psh 944183511 ack 2335085006
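To confirm that a capture really shows RFC 8229 framing and not just a TCP connection that opened and stalled, this added helper (not part of the article or of FortiOS) parses the sniffer lines above, verifies the three-way handshake, and recovers each data segment's size from the peer's acknowledgements: the first PSH must carry exactly 6 bytes, the "IKETCP" stream prefix that RFC 8229 requires, and the next PSH carries the first length-prefixed IKE message (638 bytes in Fortigate_1's capture). The embedded capture is copied from the article; the function names are assumptions.

```python
import re
# Constructed sample: the Fortigate_1 sniffer lines shown in this article, copied
# verbatim, so the parser runs on real FortiGate "diagnose sniffer" output.
CAPTURE = """\
105.090140 port1 in 192.168.1.115.9123 -> 192.168.1.118.4500: syn 3255444993
105.090183 port1 out 192.168.1.118.4500 -> 192.168.1.115.9123: syn 2160451633 ack 3255444994
105.090242 port1 in 192.168.1.115.9123 -> 192.168.1.118.4500: ack 2160451634
105.090278 port1 in 192.168.1.115.9123 -> 192.168.1.118.4500: psh 3255444994 ack 2160451634
105.090286 port1 out 192.168.1.118.4500 -> 192.168.1.115.9123: ack 3255445000
108.088002 port1 in 192.168.1.115.9123 -> 192.168.1.118.4500: psh 3255445000 ack 2160451634
108.088028 port1 out 192.168.1.118.4500 -> 192.168.1.115.9123: ack 3255445638
"""
# <ts> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <flag> <n> [ack <ack>]
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) \S+ (?:in|out) (?P<src>[\d.]+)\.(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flag>syn|ack|psh|fin|rst) (?P<n>\d+)"
    r"(?: ack (?P<ack>\d+))?$")
STREAM_PREFIX_LEN = len(b"IKETCP")  # RFC 8229 section 3: every stream opens with this magic

def parse(capture):
    """Sniffer lines -> dicts. On a bare 'ack N' line the number is the ack, not a seq."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers, hex dumps, anything that is not a TCP summary line
        d = m.groupdict()
        d["seq"] = None if d["flag"] == "ack" else int(d["n"])
        d["ack"] = int(d["ack"]) if d["ack"] else (int(d["n"]) if d["flag"] == "ack" else None)
        pkts.append(d)
    return pkts

def data_segment_lengths(pkts):
    """Bytes carried by each PSH segment: the peer's next ack minus the segment's seq."""
    lens = []
    for i, p in enumerate(pkts):
        if p["flag"] != "psh":
            continue
        reply = next((q for q in pkts[i + 1:] if q["src"] == p["dst"]
                      and q["dst"] == p["src"] and q["ack"] is not None), None)
        lens.append(None if reply is None else reply["ack"] - p["seq"])
    return lens

def check_rfc8229_framing(capture):
    """Handshake, then the 6-byte 'IKETCP' prefix, then length-prefixed IKE messages."""
    pkts = parse(capture)
    lens = data_segment_lengths(pkts)
    ok = len(pkts) >= 3 and [p["flag"] for p in pkts[:3]] == ["syn", "syn", "ack"]
    return {"handshake_ok": ok, "initiator": pkts[0]["src"] if pkts else None,
            "stream_prefix_ok": bool(lens) and lens[0] == STREAM_PREFIX_LEN,
            "segment_lengths": lens}  # for the capture above: [6, 638]
```

A first segment that is not 6 bytes, or a handshake with no data behind it, means the peer is not speaking RFC 8229 on that port (for example a middlebox answering TCP 4500 itself, or a peer still configured for UDP).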
Session list for the remote IP address of the IPsec tunnel on both devices:
Fortigate_1:
session info: proto=6 proto_state=01 duration=153 expire=3599 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=local may_dirty
statistic(bytes/packets/allow_err): org=2835/29/1 reply=2828/27/1 tuples=2
tx speed(Bps/kbps): 6/0 rx speed(Bps/kbps): 5/0
orgin->sink: org pre->in, reply out->post dev=3->14/14->3 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 192.168.1.115:9123->192.168.1.118:4500(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.1.118:4500->192.168.1.115:9123(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4294967295 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=000003ff tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local
Fortigate_2:
session info: proto=6 proto_state=01 duration=184 expire=3599 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log local
statistic(bytes/packets/allow_err): org=3018/32/1 reply=2984/30/1 tuples=2
tx speed(Bps/kbps): 9/0 rx speed(Bps/kbps): 7/0
orgin->sink: org out->post, reply pre->in dev=14->3/3->14 gwy=0.0.0.0/0.0.0.0
hook=out dir=org act=noop 192.168.1.115:9123->192.168.1.118:4500(0.0.0.0:0)
hook=in dir=reply act=noop 192.168.1.118:4500->192.168.1.115:9123(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=00000409 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local
Phase-1/Phase-2 for Fortigate_1 and Fortigate_2:
Fortigate_1:
vd: root/0
name: VPN_TCP1
version: 2
interface: port1 3
addr: 192.168.1.118:4500 -> 192.168.1.115:9123
tun_id: 192.168.1.118/::192.168.1.118
remote_location: 0.0.0.0
network-id: 0
transport: TCP
created: 237s ago
peer-id: 192.168.1.115
peer-id-auth: no
pending-queue: 0
PPK: no
IKE SA: created 1/2  established 1/2  time 0/4505/9010 ms
IPsec SA: created 1/2  established 1/2  time 0/4505/9010 ms

  id/spi: 7 d38b4a00f4655dd1/0090f0e53b7b9e1a
  direction: responder
  status: established 227-227s ago = 0ms
  proposal: aes128-sha256
  child: no
  SK_ei: 270d6e781bbd1ce0-72528e1294a3728c
  SK_er: 57c63d9f0e34ce70-32d3b304263f1671
  SK_ai: 87d21bc4d65d20fd-302ef335fe98fe5e-0884a7d9d5992d6a-4ee1fd1275184951
  SK_ar: 2720fe29b98ac8ba-6e0beb5bbb7bd8bf-c5cbadb82f8a25e7-0a9c9c9b99870f0b
  PPK: no
  message-id sent/recv: 1/2
  QKD: no
  lifetime/rekey: 86400/85902
  DPD sent/recv: 00000001/00000001
  peer-id: 192.168.1.115

name=VPN_TCP1 ver=2 serial=2 192.168.1.118:4500->192.168.1.115:9123 tun_id=192.168.1.118 tun_id6=::192.168.1.118 status=up dst_mtu=1500 weight=1
bound_if=3 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=6 ilast=235 olast=235 ad=/0
stat: rxp=0 txp=5 rxb=0 txb=420
dpd: mode=on-demand on=1 status=ok idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN_TCP1 proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA:  ref=3 options=38203 type=00 soft=0 mtu=1438 expire=42632/0B replaywin=2048
       seqno=6 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42929/43200
  dec: spi=732d69f5 esp=aes key=16 91ccd218006925eb40d274b709c23d56
       ah=sha1 key=20 fdce47daca1f6fc01dde69edab189e6ff22b0934
  enc: spi=1a8a31b1 esp=aes key=16 09736326813d15521ff8d59d3ad828ce
       ah=sha1 key=20 fe2d1ec1cefb3f2e17552a4ece820ce4bc10732f
  dec:pkts/bytes=0/0, enc:pkts/bytes=5/760
  npu_flag=00 npu_rgwy=192.168.1.115 npu_lgwy=192.168.1.118 npu_selid=0 dec_npuid=0 enc_npuid=0
Fortigate_2:
vd: root/0
name: VPN_TCP
version: 2
interface: port1 3
addr: 192.168.1.115:9123 -> 192.168.1.118:9359
tun_id: 192.168.1.115/::192.168.1.115
remote_location: 0.0.0.0
network-id: 0
transport: TCP
created: 212s ago
peer-id: 192.168.1.118
peer-id-auth: no
nat: me peer
pending-queue: 0
PPK: no
IKE SA: created 1/2  established 1/2  time 0/1500/3000 ms
IPsec SA: created 1/2  established 1/2  time 0/1500/3000 ms

  id/spi: 8 d38b4a00f4655dd1/0090f0e53b7b9e1a
  direction: initiator
  status: established 212-209s ago = 3000ms
  proposal: aes128-sha256
  child: no
  SK_ei: 270d6e781bbd1ce0-72528e1294a3728c
  SK_er: 57c63d9f0e34ce70-32d3b304263f1671
  SK_ai: 87d21bc4d65d20fd-302ef335fe98fe5e-0884a7d9d5992d6a-4ee1fd1275184951
  SK_ar: 2720fe29b98ac8ba-6e0beb5bbb7bd8bf-c5cbadb82f8a25e7-0a9c9c9b99870f0b
  PPK: no
  message-id sent/recv: 2/1
  QKD: no
  lifetime/rekey: 86400/85890
  DPD sent/recv: 00000000/00000000
  peer-id: 192.168.1.118

name=VPN_TCP ver=2 serial=3 192.168.1.115:9123->192.168.1.118:4500 tun_id=192.168.1.115 tun_id6=::192.168.1.115 status=up dst_mtu=1500 weight=1
bound_if=3 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=5 ilast=226 olast=42953619 ad=/0
stat: rxp=5 txp=0 rxb=420 txb=0
dpd: mode=on-demand on=1 status=ok idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN_TCP proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA:  ref=3 options=38203 type=00 soft=0 mtu=1438 expire=42624/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000006 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42897/43200
  dec: spi=1a8a31b1 esp=aes key=16 09736326813d15521ff8d59d3ad828ce
       ah=sha1 key=20 fe2d1ec1cefb3f2e17552a4ece820ce4bc10732f
  enc: spi=732d69f5 esp=aes key=16 91ccd218006925eb40d274b709c23d56
       ah=sha1 key=20 fdce47daca1f6fc01dde69edab189e6ff22b0934
  dec:pkts/bytes=5/420, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=192.168.1.118 npu_lgwy=192.168.1.115 npu_selid=0 dec_npuid=0 enc_npuid=0