Created on 12-10-2021 06:26 AM Edited on 12-10-2021 06:26 AM By Anonymous
Description
This article describes the difference in the behavior of static and dynamic tunnels when there is a device performing NAPT between the IPsec peers.

Scope
FortiOS.

Solution
Topology:

    FGT B (85.130.205.233) --- (194.110.190.51) NAPT --- (194.110.190.50) FGT A

In this example NAPT is performed for FGT A. Therefore, FGT B has the peer's address as its remote gateway, and FGT A has the NAPT device's IP.

Example configuration, FGT A:

    config vpn ipsec phase1-interface
        edit "tunnel"
            set interface "wan2"
            set ike-version 2
            set keylife 28800
            set peertype any
            set proposal aes256-sha512
            set dhgrp 14
            set remote-gw 194.110.190.51
            set psksecret ENC Wg4cr3srJgRhbjvceXVtS0cmX5MnfaU7X0Vk7mn2Al6us7UN6U0l9dVllH7iKC0v9XBAyjwzzIPSYINakEJiRHMElAycFtkJj7+Ld6dWpgAVavpZ4q/nbi32p8cN3WrWLcpf4eNddkEaG8h+z+G3ws0xoYipuuYKhE5lC7hLLZyyEP+ZVi6aJDMfVqoJswBhZNvpIg==
        next
    end

FGT B:

    config vpn ipsec phase1-interface
        edit "tunnel"
            set interface "wan2"
            set ike-version 2
            set keylife 28800
            set peertype any
            set proposal aes256-sha512
            set dhgrp 14
            set remote-gw 194.110.190.50
            set psksecret ENC 49EYqVpe8PVg6ltPq5uLIRD+UPPsSywkDHKbF45/WKMI8F8JzXsy3injpwYoRJvQC8uJw3nRBL7MUeJ4tUYB0/jDy+dlBNUEjrPBTRQZmLPEtM0iS4j7c8++947lHr0EdgzyhCHdHLMKN37BZrzrKvopNVX41yBPnaoHuF3zSV+NQYJ5MCMhsYL7giV7NLt2T73tqQ==
        next
    end
After the tunnel is established, FGT A receives the packets from the remote peer with source port X, depending on the port the NAPT device assigned:
    wan2 in 194.110.190.51.64916 -> 194.110.190.50.4500: udp 100
At this point, traffic flows without problems. If the NAPT device assigns a different port, e.g. because the session expired or for any other reason, the packets will arrive at FGT A with source port Y:
    wan2 in 194.110.190.51.62717 -> 194.110.190.50.4500: udp 100
In this case, FGT A will still use port X and will not change it:
    wan2 out 194.110.190.50.4500 -> 194.110.190.51.64916: udp 100
This happens because, when a tunnel is configured with 'set type static', the only port change that is expected is 500 -> 4500.
The port change (X -> Y) is not accepted by the peer because, in static mode, the 'rgwy-chg' flag is not set.
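As an added example (not part of the Fortinet article), the following Python script parses sniffer lines in the format shown above and flags both symptoms: the NAPT device assigning a new source port, and the local FortiGate still replying to the old one. The sample lines are constructed from the article's addresses; the function and constant names are my own.

```python
import re

# Matches the FortiOS sniffer line format shown in the article, e.g.
# "wan2 in 194.110.190.51.64916 -> 194.110.190.50.4500: udp 100"
SNIFFER_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)$"
)
NAT_T_PORT = 4500  # UDP port used for NAT-T after the 500 -> 4500 switch

def parse_line(line):
    """Parse one sniffer line into a dict, or return None if it does not match."""
    m = SNIFFER_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "length"):
        pkt[key] = int(pkt[key])
    return pkt

def detect_nat_port_change(lines):
    """Return (peer_ip, kind, port_a, port_b) findings over NAT-T traffic.
    'nat-port-changed': the peer's source port moved from port_a to port_b.
    'stale-reply-port': local side still replies to port_a while the peer sends from port_b."""
    last_inbound = {}  # peer IP -> most recent NAT-T source port seen from it
    findings = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dir"] == "in" and pkt["dport"] == NAT_T_PORT:
            old = last_inbound.get(pkt["src"])
            if old is not None and old != pkt["sport"]:
                findings.append((pkt["src"], "nat-port-changed", old, pkt["sport"]))
            last_inbound[pkt["src"]] = pkt["sport"]
        elif pkt["dir"] == "out" and pkt["sport"] == NAT_T_PORT:
            current = last_inbound.get(pkt["dst"])
            if current is not None and pkt["dport"] != current:
                findings.append((pkt["dst"], "stale-reply-port", pkt["dport"], current))
    return findings

# Constructed sample, built from the article's addresses (port 64916 -> 62717).
SAMPLE_LINES = [
    "wan2 in 194.110.190.51.64916 -> 194.110.190.50.4500: udp 100",
    "wan2 out 194.110.190.50.4500 -> 194.110.190.51.64916: udp 100",
    "wan2 in 194.110.190.51.62717 -> 194.110.190.50.4500: udp 100",
    "wan2 out 194.110.190.50.4500 -> 194.110.190.51.64916: udp 100",
]
```

Feed it the output of 'diagnose sniffer packet' filtered on UDP 4500; a 'stale-reply-port' finding is the static-tunnel symptom, while a lone 'nat-port-changed' finding followed by replies to the new port is the behavior a dynamic tunnel gives.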
Dynamic tunnel output: (diagnose output shown as an image in the original article; not reproduced here)

Static tunnel output: (diagnose output shown as an image in the original article; not reproduced here)
RFC 5996 describes this situation:

"There are cases where a NAT box decides to remove mappings that are still alive (for example, the keepalive interval is too long, or the NAT box is rebooted) …" (truncated)

"A host behind a NAT SHOULD NOT do this type of dynamic address update if a validated packet has different port and/or address values because it opens a possible DoS attack (such as allowing an attacker to break the connection with a single packet)."

(See RFC 5996 and RFC 3715 for reference.)
To overcome this behavior, use a dynamic tunnel, which supports the remote gateway change:

    config vpn ipsec phase1-interface
        edit "tunnel"
            set type dynamic
            set interface "wan2"
            set ike-version 2
            set keylife 28800
            set peertype any
            set proposal aes256-sha512
            set comments "VPN: tunnel (Created by VPN wizard)"
            set dhgrp 14
            set psksecret ENC WmEKNeH6Cz/RH4dB/xUf/V6xpStxj7GpBS9BCAtJ1QphuhesdruLlGa13uROQCw9pMZPe/1wDsccRQ2k4C8pjzVPVNnTYJammRdqZRQYq5pdc2dmnCAC88ELaRrIarmT91nZahcxOx0XYw6Yt9zANsvOFDEPFsd0bvTarwaIFoBx91pKbb0uNA7ke6mcV8d+h5jBag==
        next
    end
Copyright 2024 Fortinet, Inc. All Rights Reserved.