FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
syao
Staff
Article Id 300834
Description

This article describes the proprietary solution introduced in FortiOS v7.4.2 for encapsulating Encapsulating Security Payload (ESP) packets within Transmission Control Protocol (TCP) headers.

Carrying ESP inside TCP gives the ESP traffic a port number, so the tunnel can traverse carrier networks where plain IPsec (IP protocol 50) is blocked or broken by carrier-grade NAT.

Scope

FortiGate v7.4.2 or above.
Solution

Assume the diagram below:


[Image: diagram.png]


The following configuration is for a site-to-site tunnel; the same option is also available for dynamic (remote access) tunnels, which require FortiClient 7.4.1 or later. More details are available in the document 'IPsec VPN over TCP'.

  1. Create an IPsec tunnel on both FortiGates via the CLI and ensure the IKE version is 2.


FortiGate-A:


config vpn ipsec phase1-interface
    edit "TCP_IPSEC"
        set interface "port1"
        set peertype any
        set ike-version 2
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set remote-gw 10.47.2.115
        set psksecret XXX
    next
end

FortiGate-B:


config vpn ipsec phase1-interface
    edit "TCP_IPSEC"
        set interface "port1"
        set peertype any
        set ike-version 2
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set remote-gw 10.47.4.134
        set psksecret XXX
    next
end

  2. Change the transport type to TCP.


config vpn ipsec phase1-interface
    edit "TCP_IPSEC"
        set transport tcp
    next
end

This forces the FortiGate to use TCP as the transport when sending and receiving the IKE packets for this tunnel.

  3. Enable 'fortinet-esp'.


config vpn ipsec phase1-interface
    edit "TCP_IPSEC"
        set fortinet-esp enable
    next
end

  • This forces the FortiGate to use TCP as the transport when sending and receiving the ESP packets for this tunnel.
  • By default, the FortiGate uses TCP port 4500. A different port can be set with the 'ike-tcp-port' option under 'config system settings'; the same port must be used on both peers.


config system settings
    set ike-tcp-port <integer>
end

Verification:

Check that the gateway reports 'transport: TCP', 'version: 2' and an established IKE SA and IPsec SA:


FortiGate-A # diagnose vpn ike gateway list

vd: root/0
name: TCP_IPSEC
version: 2
interface: port1 3
addr: 10.47.4.134:4500 -> 10.47.2.115:1265
tun_id: 10.47.2.115/::10.47.2.115
remote_location: 0.0.0.0
network-id: 0
transport: TCP
created: 2589s ago
peer-id: 10.47.2.115
peer-id-auth: no
PPK: no
IKE SA: created 1/1 established 1/1 time 160/160/160 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 46 8dfbaaa88edc80a0/5f7b0e209692b481
direction: responder
status: established 2589-2589s ago = 160ms
proposal: aes128-sha256
child: no
SK_ei: 8d9660ccfe355d6a-0784d7294ccda0bb
SK_er: 6a965e82a1d16c31-6ff77b02919f43b5
SK_ai: 405c0521a1fce02a-209bbcd4cec91112-c7db90ebd6d8e398-f6a5274c037bbdac
SK_ar: f3eee165e4b19d60-e97fd94542279032-fc5f3d9bdb748405-6e58918d00e07d2e
PPK: no
message-id sent/recv: 0/2
QKD: no
lifetime/rekey: 86400/83540
DPD sent/recv: 00000000/00000000
peer-id: 10.47.2.115
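As an added example, not part of this article or of Fortinet's own tooling, the Python script below parses the 'diagnose vpn ike gateway list' output shown above and reports anything that does not match the intended IKEv2-over-TCP configuration: an IKE version other than 2, a transport other than TCP, a responder that is not listening on the configured 'ike-tcp-port', or a gateway with no established SAs. The embedded sample is the article's output with the session keys omitted (a constructed abridgement), and the script assumes the 'addr' field reads local -> remote, as it does in that output.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the 'diagnose vpn ike gateway list' output from this
# article, abridged (SK_* session keys and later SA lines left out).
SAMPLE_OUTPUT = """\
vd: root/0
name: TCP_IPSEC
version: 2
interface: port1 3
addr: 10.47.4.134:4500 -> 10.47.2.115:1265
tun_id: 10.47.2.115/::10.47.2.115
remote_location: 0.0.0.0
network-id: 0
transport: TCP
created: 2589s ago
peer-id: 10.47.2.115
peer-id-auth: no
PPK: no
IKE SA: created 1/1 established 1/1 time 160/160/160 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 46 8dfbaaa88edc80a0/5f7b0e209692b481
direction: responder
status: established 2589-2589s ago = 160ms
proposal: aes128-sha256
child: no
"""

_KV = re.compile(r"^([\w/ -]+?):\s*(.*)$")          # "key: value" lines
_ADDR = re.compile(r"^(\S+):(\d+)\s*->\s*(\S+):(\d+)$")  # local:port -> remote:port
_SA = re.compile(r"created\s+(\d+)/(\d+)\s+established\s+(\d+)/(\d+)")


@dataclass
class IkeGateway:
    name: str
    version: int
    transport: str
    local: tuple[str, int]
    remote: tuple[str, int]
    ike_sa_established: int
    ipsec_sa_established: int
    direction: str | None = None
    proposal: str | None = None


def parse_gateways(text: str) -> list[IkeGateway]:
    """Split the command output into per-gateway blocks (each starts with a
    'vd:' line) and pull out the fields needed to verify IKE over TCP."""
    blocks: list[list[str]] = []
    for line in text.splitlines():
        if line.startswith("vd:"):
            blocks.append([])
        if blocks and line.strip():
            blocks[-1].append(line.strip())

    gateways: list[IkeGateway] = []
    for block in blocks:
        fields: dict[str, str] = {}
        for line in block:
            m = _KV.match(line)
            # Keys such as 'peer-id' repeat per SA; keep the first occurrence.
            if m and m.group(1) not in fields:
                fields[m.group(1)] = m.group(2)
        addr = _ADDR.match(fields.get("addr", ""))
        ike = _SA.search(fields.get("IKE SA", ""))
        ipsec = _SA.search(fields.get("IPsec SA", ""))
        if not (addr and ike and ipsec):
            continue  # incomplete block: skip rather than guess
        gateways.append(IkeGateway(
            name=fields.get("name", ""),
            version=int(fields.get("version", "0")),
            transport=fields.get("transport", "UDP").upper(),
            local=(addr.group(1), int(addr.group(2))),
            remote=(addr.group(3), int(addr.group(4))),
            ike_sa_established=int(ike.group(3)),
            ipsec_sa_established=int(ipsec.group(3)),
            direction=fields.get("direction"),
            proposal=fields.get("proposal"),
        ))
    return gateways


def check_tcp_transport(gw: IkeGateway, expected_port: int = 4500) -> list[str]:
    """Return findings for a gateway expected to run IKEv2 and ESP over TCP.
    An empty list means the gateway matches the article's configuration."""
    findings: list[str] = []
    if gw.version != 2:
        findings.append(f"{gw.name}: IKE version {gw.version}; IKE over TCP requires IKEv2")
    if gw.transport != "TCP":
        findings.append(f"{gw.name}: transport is {gw.transport}, expected TCP")
    # Only the responder's listening port is fixed (ike-tcp-port); the
    # initiator's source port is ephemeral, so check the fixed side only.
    if gw.direction == "responder" and gw.local[1] != expected_port:
        findings.append(f"{gw.name}: listening on TCP {gw.local[1]}, expected {expected_port}")
    if gw.direction == "initiator" and gw.remote[1] != expected_port:
        findings.append(f"{gw.name}: peer port TCP {gw.remote[1]}, expected {expected_port}")
    if gw.ike_sa_established < 1:
        findings.append(f"{gw.name}: no established IKE SA")
    if gw.ipsec_sa_established < 1:
        findings.append(f"{gw.name}: no established IPsec SA")
    return findings


if __name__ == "__main__":
    for gw in parse_gateways(SAMPLE_OUTPUT):
        problems = check_tcp_transport(gw)
        print(f"{gw.name}: {'OK' if not problems else '; '.join(problems)}")
```

Feed it real output by replacing SAMPLE_OUTPUT with the text copied from the CLI; pass the custom port as expected_port if 'ike-tcp-port' was changed from the default of 4500.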

Note:

This feature only works with IKE version 2 and does not support ADVPN.