FortiGate
sbaikadi
Description
An IPSec tunnel configured on an interface with VLAN ID 1 does not pass traffic after an upgrade to v6.2.4.

Scope
For version 6.2.4 and above.

Solution
Both phases of the IPSec tunnel come up after the upgrade to v6.2.4, but traffic through the tunnel does not work.
The traffic enters the firewall, and the sniffer shows the packets leaving on the tunnel interface, but the packets are never actually forwarded by the NP (network processor).

Sniffer Output:
[FPM03] 11.211328 1-A3 in 192.168.10.5 -> 10.45.32.8: icmp: echo request
[FPM03] 11.211360 tunnel1 out 192.168.10.5 -> 10.45.32.8: icmp: echo request
[FPM03] 11.220450 1-A3 in 192.168.10.5 -> 10.45.32.8: icmp: echo request
[FPM03] 11.220465 tunnel1 out 192.168.10.5 -> 10.45.32.8: icmp: echo request
[FPM03] 16.074098 1-A3 in 192.168.10.5 -> 10.45.32.8: icmp: echo request
[FPM03] 16.074111 tunnel1 out 192.168.10.5 -> 10.45.32.8: icmp: echo request
From the output below, the tunnel counters show that packets are received but not transmitted (rx keeps growing while tx stays near zero):
FGT (Vdom) # get vpn ipsec tunnel summary
'tunnel1' 10.1.1.1:0  selectors(total,up): 3/3  rx(pkt,err): 16006/0  tx(pkt,err): 88/0
This issue occurs when the IPSec tunnel is created on an interface tagged with VLAN ID 1 and the ingress port is untagged.
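The diagnosis above rests on two observations: the sniffer shows packets going out on the tunnel interface, while the tunnel's tx counter barely moves compared to rx. The following script is an added example (not Fortinet's code and not part of the original article) that parses both outputs and flags tunnels showing that one-way pattern. The tunnel2 summary line and the rx/tx thresholds are constructed for the example; the tunnel1 line and sniffer lines are taken from the article.

```python
import re
from dataclasses import dataclass

# One line of 'get vpn ipsec tunnel summary', e.g.
# 'tunnel1' 10.1.1.1:0  selectors(total,up): 3/3  rx(pkt,err): 16006/0  tx(pkt,err): 88/0
SUMMARY_RE = re.compile(
    r"^'(?P<name>[^']+)'\s+(?P<peer>\S+)\s+"
    r"selectors\(total,up\):\s*(?P<sel_total>\d+)/(?P<sel_up>\d+)\s+"
    r"rx\(pkt,err\):\s*(?P<rx_pkt>\d+)/(?P<rx_err>\d+)\s+"
    r"tx\(pkt,err\):\s*(?P<tx_pkt>\d+)/(?P<tx_err>\d+)"
)

# One 'diagnose sniffer packet' line; the [FPMxx] slot prefix is optional
# because non-chassis units print the line without it.
# [FPM03] 11.211360 tunnel1 out 192.168.10.5 -> 10.45.32.8: icmp: echo request
SNIFFER_RE = re.compile(
    r"^(?:\[\S+\]\s+)?[\d.]+\s+(?P<iface>\S+)\s+(?P<direction>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+)"
)

# Constructed sample: tunnel1 is the article's line, tunnel2 is a healthy tunnel added for contrast.
SAMPLE_SUMMARY = """\
'tunnel1' 10.1.1.1:0  selectors(total,up): 3/3  rx(pkt,err): 16006/0  tx(pkt,err): 88/0
'tunnel2' 10.1.1.2:0  selectors(total,up): 2/2  rx(pkt,err): 5000/0  tx(pkt,err): 4800/0
"""

# Sniffer lines as shown in the article.
SAMPLE_SNIFFER = """\
[FPM03] 11.211328 1-A3 in 192.168.10.5 -> 10.45.32.8: icmp: echo request
[FPM03] 11.211360 tunnel1 out 192.168.10.5 -> 10.45.32.8: icmp: echo request
[FPM03] 11.220450 1-A3 in 192.168.10.5 -> 10.45.32.8: icmp: echo request
[FPM03] 11.220465 tunnel1 out 192.168.10.5 -> 10.45.32.8: icmp: echo request
[FPM03] 16.074098 1-A3 in 192.168.10.5 -> 10.45.32.8: icmp: echo request
[FPM03] 16.074111 tunnel1 out 192.168.10.5 -> 10.45.32.8: icmp: echo request
"""


@dataclass
class TunnelStats:
    name: str
    peer: str
    sel_total: int
    sel_up: int
    rx_pkt: int
    rx_err: int
    tx_pkt: int
    tx_err: int


def parse_tunnel_summary(text: str) -> list:
    """Parse every tunnel line of the summary output into TunnelStats."""
    stats = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        counters = (int(d[k]) for k in ("sel_total", "sel_up", "rx_pkt", "rx_err", "tx_pkt", "tx_err"))
        stats.append(TunnelStats(d["name"], d["peer"], *counters))
    return stats


def count_sniffer_egress(text: str) -> dict:
    """Count sniffer lines leaving each interface ('out' direction)."""
    counts = {}
    for line in text.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if m and m["direction"] == "out":
            counts[m["iface"]] = counts.get(m["iface"], 0) + 1
    return counts


def find_one_way_tunnels(stats, egress, min_rx=1000, max_tx_ratio=0.05) -> list:
    """Flag up tunnels that receive plenty but transmit almost nothing.

    min_rx and max_tx_ratio are constructed thresholds, not Fortinet values;
    tune them to the traffic volume of the tunnel you are checking.
    """
    findings = []
    for t in stats:
        if t.sel_up == 0 or t.rx_pkt < min_rx:
            continue  # tunnel down or too little traffic to judge
        ratio = t.tx_pkt / t.rx_pkt
        if ratio < max_tx_ratio:
            findings.append({
                "tunnel": t.name,
                "peer": t.peer,
                "rx_pkt": t.rx_pkt,
                "tx_pkt": t.tx_pkt,
                "tx_ratio": round(ratio, 4),
                # Sniffer egress on the tunnel with a flat tx counter is the
                # signature from the article: sent by the kernel, dropped by the NP.
                "sniffer_egress": egress.get(t.name, 0),
            })
    return findings


def run_check(summary=SAMPLE_SUMMARY, sniffer=SAMPLE_SNIFFER) -> list:
    return find_one_way_tunnels(parse_tunnel_summary(summary), count_sniffer_egress(sniffer))


if __name__ == "__main__":
    for f in run_check():
        print(f"{f['tunnel']} ({f['peer']}): rx={f['rx_pkt']} tx={f['tx_pkt']} "
              f"ratio={f['tx_ratio']} sniffer_out={f['sniffer_egress']}")
```

Run it against pasted output from the firewall; a tunnel that is flagged while the sniffer still shows egress on it is the case the article describes, and the next thing to check is whether the underlying interface carries VLAN ID 1.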

This is expected behavior from v6.2.4 onwards, as VLAN ID 1 is reserved in FortiOS 6.2.4.
Avoid using VLAN ID 1: any configuration that uses a VLAN with VLAN ID 1 will not work as expected.

After moving the IPSec configuration to a different VLAN, such as VLAN 10, the issue goes away.
(Reference bug ID: 698527.)

Workaround

There are two workarounds:
1) Use a VLAN ID other than 1, or
2) Disable npu-offload under the IPSec phase1-interface:
config vdom
    edit vdom1
        config vpn ipsec phase1-interface
            edit "tunnel1"
                set npu-offload disable
            next
        end
    next
end
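To find every tunnel that the two workarounds apply to before an upgrade, the configuration can be audited offline. The following script is an added example (not Fortinet's code and not part of the original article): it parses FortiOS config text, resolves each phase1-interface to the interface it is bound to, and reports tunnels that sit on a VLAN ID 1 interface together with their npu-offload state. The config snippet is constructed and assumes the output style of 'show full-configuration', where 'set npu-offload enable' is printed explicitly; on a plain 'show' the default is omitted, which the audit treats as enabled.

```python
SAMPLE_CONFIG = """\
config system interface
    edit "vlan1"
        set vdom "vdom1"
        set vlanid 1
        set interface "port1"
    next
    edit "vlan10"
        set vdom "vdom1"
        set vlanid 10
        set interface "port1"
    next
end
config vpn ipsec phase1-interface
    edit "tunnel1"
        set interface "vlan1"
        set npu-offload enable
        set remote-gw 10.1.1.1
    next
    edit "tunnel2"
        set interface "vlan10"
        set npu-offload enable
        set remote-gw 10.1.1.2
    next
    edit "tunnel3"
        set interface "vlan1"
        set npu-offload disable
        set remote-gw 10.1.1.3
    next
end
"""


def parse_fortios_config(text: str) -> dict:
    """Parse FortiOS 'config / edit / set / next / end' blocks.

    Returns {section: {entry: {key: value}}}; a config block nested inside an
    entry is attached to that entry under the block's name.
    """
    sections = {}
    stack = []          # (section name, entries dict, entry that enclosed it)
    entry = None        # dict of the 'edit' currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            name = line[len("config "):].strip()
            entries = {}
            if entry is not None:
                entry[name] = entries       # nested table under the current entry
            else:
                sections[name] = entries    # top-level section
            stack.append((name, entries, entry))
            entry = None
        elif line.startswith("edit ") and stack:
            key = line[len("edit "):].strip().strip('"')
            entry = {}
            stack[-1][1][key] = entry
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            entry[key] = value.strip().strip('"')
        elif line == "next":
            entry = None
        elif line == "end" and stack:
            _, _, entry = stack.pop()       # resume the enclosing entry, if any
    return sections


def audit_vlan1_tunnels(sections: dict) -> list:
    """Report phase1-interfaces bound to an interface whose vlanid is 1."""
    interfaces = sections.get("system interface", {})
    findings = []
    for name, p1 in sections.get("vpn ipsec phase1-interface", {}).items():
        bound = p1.get("interface")
        if interfaces.get(bound, {}).get("vlanid") != "1":
            continue
        # Assumption: npu-offload defaults to enable when not printed.
        offload = p1.get("npu-offload", "enable")
        findings.append({
            "tunnel": name,
            "interface": bound,
            "npu_offload": offload,
            # Workaround 2 already applied if offload is disabled; otherwise
            # either move to another VLAN ID (workaround 1) or disable offload.
            "status": "offload_disabled" if offload == "disable" else "needs_workaround",
        })
    return findings


def run_audit(text: str = SAMPLE_CONFIG) -> list:
    return audit_vlan1_tunnels(parse_fortios_config(text))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f['tunnel']} on {f['interface']} (vlanid 1): npu-offload={f['npu_offload']} -> {f['status']}")
```

The parser is generic enough to be pointed at a full backup; only the two sections used by the audit are consulted, so unrelated tables are parsed and ignored.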
