alafrance (Staff)
Article Id 329217
Description

This article describes how to sniff CAPWAP-Data channel traffic without resorting to clear-text, so that data channel security is maintained.

Scope

FortiGate v5.6.0+, FortiAP v5.4.2+.
Solution

The communication between the FortiGate and FortiAP is primarily done via two connections:

  • UDP:5246 – CAPWAP Control: management traffic between FortiOS and the FortiAP.
  • UDP:5247 – CAPWAP Data: frame transport to/from the radios between the FortiAP and the FortiGate.

By default, both of these connections are secured by DTLS to protect their contents. For the CAPWAP Data channel, the security is controlled by a setting in the FortiAP Profile.


config wireless-controller wtp-profile
    edit "FortiAP-Profile"
        set dtls-policy clear-text | dtls-enabled | ipsec-vpn
    next
end


This FortiAP Profile is then applied to a FortiAP or group of FortiAPs to control the behavior of the FortiAP where this profile is applied.


While DTLS provides good security, it prevents visibility into the frames exchanged over CAPWAP-Data, which can be an obstacle in troubleshooting. Situations arise where visibility into CAPWAP-Data is necessary for troubleshooting, but the communication between the FortiGate and FortiAP must remain secured because of compliance requirements or regulations, so using clear-text is not an option.

In such a scenario, 'set dtls-policy ipsec-vpn' is a good approach: the CAPWAP-Data traffic stays encrypted on the wire, while it can still be decrypted later in Wireshark for troubleshooting using the keys extracted from the 'diag vpn tunnel list' command in FortiOS.


The main drawback of this method is the extra IP header added by IPSEC, which adds some overhead to each packet on the CAPWAP data channel.

Prerequisites:

  • A FortiGate and FortiAPs managed by that FortiGate.
  • An environment already set up with FortiGate and FortiAP for Wi-Fi, using the default DTLS CAPWAP data-channel security.

Steps:

  1. Enable ipsec-vpn in the dtls-policy of the FortiAP Profile from the CLI:

[Screenshot: alafrance_0-1722369151575.png]


  2. Apply the FortiAP profile to a managed FortiAP: go to WiFi & Switch Controller -> Managed FortiAPs, select and edit the FortiAP, and apply the FortiAP profile.

[Screenshot: alafrance_0-1722369178983.png]


  3. Review the IPSEC settings automatically generated by FortiOS: this is done automatically on the interface over which the FortiGate sees the AP connecting. In this example the FortiAP was connected over the main_lan interface, so the FortiGate built the automatic IPSEC configuration on that interface. The FortiAP then connects to that IPSEC tunnel automatically.

[Screenshot: alafrance_0-1722369263621.png]


The IPSEC interface will often have a name similar to 'wlc-0035.00'. This detail is important later. The virtual interface also comes with 'set allowaccess fabric' automatically enabled.

[Screenshot: alafrance_1-1722369293440.png]


  4. Confirm that the FortiAP CAPWAP-Data channel is connected over IPSEC:

diagnose wireless-controller wlac -c ws

[Screenshot: alafrance_0-1722369372574.png]

diag vpn tunnel list

[Screenshot: alafrance_1-1722369401286.png]

Diagram of the final state, from the information in the diagnostics above:

[Diagram: Capture-Final-State.PNG]

  5. CAPWAP packet capture option #1 – from the IPSEC interface: the simplest option from the FortiGate's perspective is to sniff the unencrypted traffic directly as it enters and exits the IPSEC tunnel. From the CLI, following the example in the screenshots above: diag sniffer packet any 'host 169.254.0.2' 6 0 l

     Save the output and convert it to PCAP using the following article: Technical Tip: How to import 'diagnose sniffer packet' data to WireShark

[Screenshot: Picture2.png]
[Screenshot: Picture3.png]

  6. CAPWAP packet capture option #2 – ESP capture: this option provides a fuller picture and involves running two port-mirror captures at the same time.
  • The first port-mirror capture should be as close as possible to the FortiGate.
  • The second port-mirror capture should be as close as possible to the FortiAP being investigated.
  • It is strongly recommended to use Wireshark's capture-filter options and focus on specific FortiAPs during the captures, to avoid overwhelming the capture host and losing output. In this example, filtering on 10.77.77.4 would limit the output if many FortiAPs are present.

  7. Collect the IPSEC keys for the AP for ESP decryption in option #2: while the captures from Step #6 are running, run 'diag vpn tunnel list' on the FortiGate and save the entire output to a text file. The relevant tunnel can be found by locating the FortiAP's LAN IP on the first line of each tunnel entry. The encryption algorithm and key, the SPI for each direction, and the hashing algorithm and key will all be needed.

[Screenshot: Picture4.png]


  8. Decrypt using the keys from 'diag vpn tunnel list' and the Wireshark captures collected in Step #6, following the steps outlined in Technical Tip: Decrypt ESP packets.
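As an added example for steps 7 and 8 (this is not code from the article or from Fortinet), the Python script below picks the tunnel for one FortiAP out of saved 'diag vpn tunnel list' output and turns its two SAs into rows for Wireshark's ESP SA table (Edit -> Preferences -> Protocols -> ESP), which is what the linked Decrypt ESP packets tip fills in by hand. The field layout of the tunnel list output, the direction mapping (the 'dec' SA carries AP-to-FortiGate traffic and 'enc' the reverse) and the Wireshark algorithm names are assumptions to check against your own output and Wireshark version; the sample text is constructed and its SPIs and keys are invented. The saved text file contains the live session keys for the tunnel, so handle it with the same care as the captures themselves and delete both once troubleshooting is finished.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the layout of 'diag vpn tunnel list' as I
# remember it (the layout is an assumption; SPIs and keys are invented).
SAMPLE_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=wlc-0035.00 ver=2 serial=1 10.77.77.1:0->10.77.77.4:0 tun_id=10.77.77.4 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 run_state=0 accept_traffic=1
stat: rxp=12 txp=14 rxb=1200 txb=1400
proxyid=wlc-0035.00 proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42680/0B replaywin=2048
  life: type=01 bytes=0/0 timeout=42897/43200
  dec: spi=fb3ae08a esp=aes key=16 00112233445566778899aabbccddeeff
       ah=sha1 key=20 0123456789abcdef0123456789abcdef01234567
  enc: spi=3c9e0a1d esp=aes key=16 ffeeddccbbaa99887766554433221100
       ah=sha1 key=20 76543210fedcba9876543210fedcba9876543210
  dec:pkts/bytes=12/1200, enc:pkts/bytes=14/1400
------------------------------------------------------
name=wlc-0035.01 ver=2 serial=2 10.77.77.1:0->10.77.77.5:0 tun_id=10.77.77.5 dst_mtu=1500
proxyid=wlc-0035.01 proto=0 sa=1 ref=2 serial=1
  dec: spi=0a0b0c0d esp=aes key=16 a0a1a2a3a4a5a6a7a8a9aaabacadaeaf
       ah=sha1 key=20 b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3
  enc: spi=1a1b1c1d esp=aes key=16 c0c1c2c3c4c5c6c7c8c9cacbcccdcecf
       ah=sha1 key=20 d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3
"""

@dataclass
class Sa:
    direction: str   # 'dec' (AP -> FortiGate) or 'enc' (FortiGate -> AP), assumed mapping
    spi: str         # hex string as printed by FortiOS
    enc_alg: str
    enc_key: str     # hex
    auth_alg: str
    auth_key: str    # hex

@dataclass
class Tunnel:
    name: str
    local_ip: str    # FortiGate side, left of '->' on the name line
    remote_ip: str   # FortiAP LAN IP, right of '->' on the name line
    sas: list = field(default_factory=list)

# First line of each tunnel entry: name=... <local>:<port>-><remote>:<port>
NAME_RE = re.compile(r"^name=(\S+).*?(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+", re.M)
# 'dec:'/'enc:' line followed by the 'ah=' continuation line
SA_RE = re.compile(
    r"^\s*(dec|enc): spi=([0-9a-f]+) esp=([\w-]+) key=(\d+) ([0-9a-f]+)\s+"
    r"ah=([\w-]+) key=(\d+) ([0-9a-f]+)", re.M)

def parse_tunnels(text):
    """Split the saved output into tunnel entries and extract both SAs of each."""
    tunnels = []
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        m = NAME_RE.search(block)
        if not m:
            continue  # header block without a name= line
        tun = Tunnel(m.group(1), m.group(2), m.group(3))
        for d, spi, ealg, eklen, ekey, aalg, aklen, akey in SA_RE.findall(block):
            # key=N is a byte count, so the hex that follows must be exactly 2N chars;
            # a mismatch usually means a wrapped or truncated copy of the output.
            if len(ekey) != 2 * int(eklen) or len(akey) != 2 * int(aklen):
                raise ValueError(f"{tun.name}: key length mismatch in {d} SA")
            tun.sas.append(Sa(d, spi, ealg, ekey, aalg, akey))
        tunnels.append(tun)
    return tunnels

def find_tunnel_for_ap(tunnels, ap_ip):
    """Select the tunnel whose remote (FortiAP LAN) IP matches, as the article describes."""
    return next((t for t in tunnels if t.remote_ip == ap_ip), None)

# Wireshark ESP SA table algorithm names as I remember them from the ESP
# preferences dialog; verify against your Wireshark version (assumption).
ENC_NAMES = {"aes": "AES-CBC [RFC3602]", "3des": "TripleDES-CBC [RFC2451]", "null": "NULL"}
AUTH_NAMES = {"sha1": "HMAC-SHA-1-96 [RFC2404]", "sha256": "HMAC-SHA-256-128 [RFC4868]",
              "md5": "HMAC-MD5-96 [RFC2403]"}

def esp_sa_records(tun):
    """One esp_sa row per SA: Protocol, Src, Dst, SPI, Enc alg, Enc key, Auth alg, Auth key."""
    rows = []
    for sa in tun.sas:
        # The FortiGate decrypts what the AP sent, so 'dec' means src=AP, dst=FortiGate.
        src, dst = (tun.remote_ip, tun.local_ip) if sa.direction == "dec" else (tun.local_ip, tun.remote_ip)
        rows.append(",".join(f'"{v}"' for v in (
            "IPv4", src, dst, "0x" + sa.spi,
            ENC_NAMES[sa.enc_alg], "0x" + sa.enc_key,
            AUTH_NAMES[sa.auth_alg], "0x" + sa.auth_key)))
    return rows

if __name__ == "__main__":
    tun = find_tunnel_for_ap(parse_tunnels(SAMPLE_OUTPUT), "10.77.77.4")
    print("\n".join(esp_sa_records(tun)))
```

To use it against a real device, replace SAMPLE_OUTPUT with the contents of the text file saved in step 7 and pass the FortiAP's LAN IP from the first line of its tunnel entry; the two printed rows can be pasted into the ESP SA table, after which the ESP dissector shows the CAPWAP-Data frames from the captures of step 6.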