rishab444
Staff
Article Id 231116

Description
This article describes why, when an Azure Load Balancer is placed between two FortiGate-VMs in Azure, the IPsec tunnels come up but traffic does not pass through them.

Scope
FortiGate-VM, Azure.
Solution

- As documented for the Azure Load Balancer, only TCP and UDP traffic is forwarded; no other IP protocol (e.g. ESP or ICMP) is passed through it.

- Since the Azure Load Balancer does not pass other protocols, the tunnel traffic must be carried inside either TCP or UDP.

- The basic tunnel exchange uses UDP, as seen in the capture below:

[Capture: rishab444_0-1669666657581.png, tunnel negotiation over UDP]

- After the tunnel is established, the encrypted traffic exchange uses the ESP protocol, as seen in the capture below:

[Capture: rishab444_1-1669666657581.png, established tunnel traffic using ESP]

- To get the traffic through the load balancer, the ESP traffic has to be carried inside either TCP or UDP.

- The NAT Traversal (NAT-T) option on the IPsec phase1 encapsulates the ESP traffic inside a UDP header, so the encrypted traffic passes through the Azure Load Balancer.

[Capture: rishab444_2-1669666657581.png, ESP encapsulated in UDP by NAT-T]
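The configuration below is an added example, not part of the original article or of Fortinet's own documentation. It shows the phase1/phase2 settings on one FortiGate-VM that force the UDP encapsulation described above, and the CLI checks used to confirm that only UDP leaves towards the load balancer. The tunnel and interface names ("azure-peer", "port1"), the peer address 203.0.113.10, the proposals and the pre-shared key placeholder are assumptions; adjust them to the deployment.

```fortios
# Added example (not from the original article). Names, addresses and the
# pre-shared key are placeholders.
config vpn ipsec phase1-interface
    edit "azure-peer"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        # "forced" encapsulates ESP in UDP (port 4500) even if no NAT is
        # detected during IKE, so the load balancer only ever sees UDP
        # and never raw ESP (IP protocol 50), which it would drop.
        set nattraversal forced
        # NAT-T keepalive (seconds) so the UDP/4500 state on the load
        # balancer is not aged out while the tunnel is idle.
        set keepalive 10
        set remote-gw 203.0.113.10
        set psksecret <PLACEHOLDER-PSK>
    next
end

config vpn ipsec phase2-interface
    edit "azure-peer-p2"
        set phase1name "azure-peer"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end

# Verification (exact output wording varies by FortiOS version):
# 1. Confirm NAT-T is active on the tunnel; look for the "natt:" line.
diagnose vpn tunnel list name azure-peer
# 2. Confirm the encrypted traffic leaves as UDP/4500 rather than native ESP.
diagnose sniffer packet any 'udp port 4500' 4
# 3. Nothing should match here once NAT-T is forced; native ESP would be
#    dropped by the load balancer.
diagnose sniffer packet any 'esp' 4
```

Both FortiGate-VMs need the same nattraversal setting, and the Azure Load Balancer rules in front of them must forward UDP 500 (IKE) and UDP 4500 (NAT-T) to the backend pool; with the "forced" setting, no rule for IP protocol 50 is needed, which is exactly what the load balancer cannot provide.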

Related article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-nattraversal/ta-p/197873 
