Description
This article describes the difference in the behavior of static and dynamic tunnels when there is a device performing NAPT between the ipsec peers. |
Scope
FortiOS
Solution |
Topology:
FGT B (85.130.205.233) --- (194.110.190.51) NAPT --- (194.110.190.50) FGT A
In this example, NAPT is performed for FGT A. Therefore, FGT B has the peer's address as its remote gateway, while FGT A has the NAPT device's IP as its remote gateway.
Example:
FGT A:
#config vpn ipsec phase1-interface
    edit "tunnel"
        set interface "wan2"
        set ike-version 2
        set keylife 28800
        set peertype any
        set proposal aes256-sha512
        set dhgrp 14
        set remote-gw 194.110.190.51
        set psksecret ENC Wg4cr3srJgRhbjvceXVtS0cmX5MnfaU7X0Vk7mn2Al6us7UN6U0l9dVllH7iKC0v9XBAyjwzzIPSYINakEJiRHMElAycFtkJj7+Ld6dWpgAVavpZ4q/nbi32p8cN3WrWLcpf4eNddkEaG8h+z+G3ws0xoYipuuYKhE5lC7hLLZyyEP+ZVi6aJDMfVqoJswBhZNvpIg==
    next
end
FGT B:
#config vpn ipsec phase1-interface
    edit "tunnel"
        set interface "wan2"
        set ike-version 2
        set keylife 28800
        set peertype any
        set proposal aes256-sha512
        set dhgrp 14
        set remote-gw 194.110.190.50
        set psksecret ENC 49EYqVpe8PVg6ltPq5uLIRD+UPPsSywkDHKbF45/WKMI8F8JzXsy3injpwYoRJvQC8uJw3nRBL7MUeJ4tUYB0/jDy+dlBNUEjrPBTRQZmLPEtM0iS4j7c8++947lHr0EdgzyhCHdHLMKN37BZrzrKvopNVX41yBPnaoHuF3zSV+NQYJ5MCMhsYL7giV7NLt2T73tqQ==
    next
end
After the tunnel is established, FGT A receives the packets from the remote peer with source port X, whichever port the NAPT device assigned to the mapping:
wan2 in 194.110.190.51.64916 -> 194.110.190.50.4500: udp 100
At this point, traffic flows without problems. If the NAPT device later assigns a different port, for example because the session expired or for any other reason, the packets arrive at FGT A with source port Y:
wan2 in 194.110.190.51.62717 -> 194.110.190.50.4500: udp 100
In this case, FGT A keeps using port X and does not switch to port Y:
wan2 out 194.110.190.50.4500 -> 194.110.190.51.64916: udp 100
This happens because, when a tunnel is configured with 'set type static', the only port change that is expected is the NAT-T switch from 500 to 4500.
The port change X -> Y is therefore not accepted by the peer, because in static mode the 'rgwy-chg' (remote gateway change) flag is not set.
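As an added illustration (not part of the original article or of FortiOS), the following Python script parses sniffer lines like the ones above and reports both events described here: the peer's NAT-T source port changing from X to Y, and FGT A still replying to the stale port X. The sample lines are the article's own captures, arranged in capture order.

```python
import re

# Matches FortiGate sniffer lines such as:
#   wan2 in 194.110.190.51.64916 -> 194.110.190.50.4500: udp 100
LINE_RE = re.compile(
    r"^\S+\s+(?P<dir>in|out)\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+udp\s+\d+$"
)
NATT_PORT = 4500  # UDP port used once IKE/ESP are NAT-T encapsulated

def parse_line(line):
    """Return (direction, src, sport, dst, dport), or None if the line is not UDP sniffer output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["dir"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def analyze(lines):
    """Track, per remote IP, the NAT-T port seen inbound and the port used outbound.
    Returns (peers, findings); peers maps IP -> {"in", "out", "changes": [(old, new)]}.
    A finding is raised on a NAPT re-mapping (X -> Y) and on a reply sent to the old port."""
    peers, findings = {}, []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        direction, src, sport, dst, dport = pkt
        if direction == "in" and dport == NATT_PORT:
            st = peers.setdefault(src, {"in": None, "out": None, "changes": []})
            if st["in"] is not None and st["in"] != sport:
                st["changes"].append((st["in"], sport))
                findings.append(f"{src}: NAT-T source port changed {st['in']} -> {sport}")
            st["in"] = sport
        elif direction == "out" and sport == NATT_PORT:
            st = peers.setdefault(dst, {"in": None, "out": None, "changes": []})
            st["out"] = dport
            if st["in"] is not None and st["in"] != dport:
                findings.append(f"{dst}: reply sent to stale port {dport}, peer now uses {st['in']}")
    return peers, findings

# Constructed sample: the article's sniffer lines in the order they would be captured.
SAMPLE = [
    "wan2 in 194.110.190.51.64916 -> 194.110.190.50.4500: udp 100",
    "wan2 out 194.110.190.50.4500 -> 194.110.190.51.64916: udp 100",
    "wan2 in 194.110.190.51.62717 -> 194.110.190.50.4500: udp 100",
    "wan2 out 194.110.190.50.4500 -> 194.110.190.51.64916: udp 100",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE)[1]:
        print(finding)
```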
Dynamic tunnel output:
Static tunnel output:
There are cases where a NAT box decides to remove mappings that are still alive (for example, the keepalive interval is too long, or the NAT box is rebooted) …. (truncated)
A host behind a NAT SHOULD NOT do this type of dynamic address update if a validated packet has different port and/or address values because it opens a possible DoS attack (such as allowing an attacker to break the connection with a single packet). (For reference, see RFC5996 and RFC3715.)
To overcome this behavior, use a dynamic tunnel, which supports the remote gateway change:
#config vpn ipsec phase1-interface
    edit "tunnel"
        set type dynamic
        set interface "wan2"
        set ike-version 2
        set keylife 28800
        set peertype any
        set proposal aes256-sha512
        set comments "VPN: tunnel (Created by VPN wizard)"
        set dhgrp 14
        set psksecret ENC WmEKNeH6Cz/RH4dB/xUf/V6xpStxj7GpBS9BCAtJ1QphuhesdruLlGa13uROQCw9pMZPe/1wDsccRQ2k4C8pjzVPVNnTYJammRdqZRQYq5pdc2dmnCAC88ELaRrIarmT91nZahcxOx0XYw6Yt9zANsvOFDEPFsd0bvTarwaIFoBx91pKbb0uNA7ke6mcV8d+h5jBag==
    next
end