nalexiou
Staff
Description

This article describes the difference in the behavior of static and dynamic tunnels when there is a device performing NAPT between the IPsec peers.

Scope: FortiOS.

Solution

Topology:

FGT B (85.130.205.233) --- (194.110.190.51) NAPT --- (194.110.190.50) FGT A

In this example, NAPT is applied to the traffic toward FGT A. Therefore FGT B has the peer's real address as its remote gateway, while FGT A has the NAPT device's IP as its remote gateway.

Example:

FGT A:

# config vpn ipsec phase1-interface
    edit "tunnel"
        set interface "wan2"
        set ike-version 2
        set keylife 28800
        set peertype any
        set proposal aes256-sha512
        set dhgrp 14
        set remote-gw 194.110.190.51
        set psksecret ENC Wg4cr3srJgRhbjvceXVtS0cmX5MnfaU7X0Vk7mn2Al6us7UN6U0l9dVllH7iKC0v9XBAyjwzzIPSYINakEJiRHMElAycFtkJj7+Ld6dWpgAVavpZ4q/nbi32p8cN3WrWLcpf4eNddkEaG8h+z+G3ws0xoYipuuYKhE5lC7hLLZyyEP+ZVi6aJDMfVqoJswBhZNvpIg==
    next
end

FGT B:

# config vpn ipsec phase1-interface
    edit "tunnel"
        set interface "wan2"
        set ike-version 2
        set keylife 28800
        set peertype any
        set proposal aes256-sha512
        set dhgrp 14
        set remote-gw 194.110.190.50
        set psksecret ENC 49EYqVpe8PVg6ltPq5uLIRD+UPPsSywkDHKbF45/WKMI8F8JzXsy3injpwYoRJvQC8uJw3nRBL7MUeJ4tUYB0/jDy+dlBNUEjrPBTRQZmLPEtM0iS4j7c8++947lHr0EdgzyhCHdHLMKN37BZrzrKvopNVX41yBPnaoHuF3zSV+NQYJ5MCMhsYL7giV7NLt2T73tqQ==
    next
end

After the tunnel is established, FGT A receives the packets from the remote peer with a source port X, depending on the port the NAPT device assigned:

wan2 in 194.110.190.51.64916 -> 194.110.190.50.4500: udp 100

At this point traffic flows without problems.

If the NAPT device assigns a different port, e.g. because its session expired or for any other reason, the packets arrive at FGT A with source port Y:

wan2 in 194.110.190.51.62717 -> 194.110.190.50.4500: udp 100

In this case FGT A still sends to port X and does not change it:

wan2 out 194.110.190.50.4500 -> 194.110.190.51.64916: udp 100

This happens because when a tunnel is configured with 'set type static', the only port change that is expected is 500 -> 4500 (the switch to NAT-T).

The port change X -> Y is not accepted by the peer because, when static mode is configured, the flag "rgwy-chg" (remote gateway change) is not set.
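The stale-port symptom above can be spotted directly in 'diagnose sniffer packet' output. The following is an added example (not from the article or from Fortinet) that parses sniffer lines in the format quoted above, tracks the latest NAPT source port per peer on UDP 4500, and flags outbound packets that still use an older port; the sample trace is constructed from the three lines quoted in the article.

```python
import re

# Line format taken from the sniffer lines quoted in the article, e.g.
# "wan2 in 194.110.190.51.64916 -> 194.110.190.50.4500: udp 100"
SNIFF_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)$"
)

def parse_line(line):
    """Parse one sniffer line into a dict, or return None if it does not match."""
    m = SNIFF_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "len"):
        d[k] = int(d[k])
    return d

def check_nat_t_ports(lines, local_ip, local_port=4500):
    """Track the most recent inbound source port per NAT'd peer and report
    (a) NAPT port changes and (b) replies still sent to a stale port, which is
    the static-tunnel behaviour described in the article."""
    last_seen = {}   # peer IP -> most recent inbound source port
    findings = []
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["dir"] == "in" and p["dst"] == local_ip and p["dport"] == local_port:
            prev = last_seen.get(p["src"])
            if prev is not None and prev != p["sport"]:
                findings.append(f"peer {p['src']} NAPT port changed {prev} -> {p['sport']}")
            last_seen[p["src"]] = p["sport"]
        elif p["dir"] == "out" and p["src"] == local_ip and p["sport"] == local_port:
            current = last_seen.get(p["dst"])
            if current is not None and current != p["dport"]:
                findings.append(f"reply to {p['dst']} uses stale port {p['dport']}, peer now on {current}")
    return findings

# Constructed sample trace (FGT A's view), built from the lines quoted in the article.
SAMPLE = [
    "wan2 in 194.110.190.51.64916 -> 194.110.190.50.4500: udp 100",
    "wan2 out 194.110.190.50.4500 -> 194.110.190.51.64916: udp 100",
    "wan2 in 194.110.190.51.62717 -> 194.110.190.50.4500: udp 100",
    "wan2 out 194.110.190.50.4500 -> 194.110.190.51.64916: udp 100",
]

if __name__ == "__main__":
    for finding in check_nat_t_ports(SAMPLE, "194.110.190.50"):
        print(finding)
```

On the sample trace the second inbound line triggers a port-change finding and the last outbound line is reported as a reply to the stale port 64916.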

 

Dynamic tunnel output: (screenshot dynamic.PNG)

Static tunnel output: (screenshot static.png)

 

"There are cases where a NAT box decides to remove mappings that are still alive (for example, the keepalive interval is too long, or the NAT box is rebooted) …. (truncated)

A host behind a NAT SHOULD NOT do this type of dynamic address update if a validated packet has different port and/or address values because it opens a possible DoS attack (such as allowing an attacker to break the connection with a single packet)."

(For reference, see RFC5996 and RFC3715.)

 

To overcome this behavior, use a dynamic tunnel, which supports the remote gateway change. Note that a dynamic phase1 has no 'set remote-gw' line:

# config vpn ipsec phase1-interface
    edit "tunnel"
        set type dynamic
        set interface "wan2"
        set ike-version 2
        set keylife 28800
        set peertype any
        set proposal aes256-sha512
        set comments "VPN: tunnel (Created by VPN wizard)"
        set dhgrp 14
        set psksecret ENC WmEKNeH6Cz/RH4dB/xUf/V6xpStxj7GpBS9BCAtJ1QphuhesdruLlGa13uROQCw9pMZPe/1wDsccRQ2k4C8pjzVPVNnTYJammRdqZRQYq5pdc2dmnCAC88ELaRrIarmT91nZahcxOx0XYw6Yt9zANsvOFDEPFsd0bvTarwaIFoBx91pKbb0uNA7ke6mcV8d+h5jBag==
    next
end
