FortiArt
Staff
Article Id 379424
Description This article describes the cause of, and a workaround for, an issue where a dial-up IPsec VPN that encapsulates ESP packets within TCP stops passing traffic after upgrading to FortiOS 7.4.x.
Scope FortiGate v7.4.x.
Solution

After upgrading to FortiOS 7.4.x, a dial-up IPsec VPN with the following phase1-interface configuration starts dropping ESP packets as they pass from the tunnel interface to the physical interface:

 

config vpn ipsec phase1-interface
    edit <name>
        set ike-version 2
        set transport udp-fallback-tcp
        set fortinet-esp enable
    next
end

 

This issue is triggered only when 'set fortinet-esp enable' is configured on the phase1-interface; with 'fortinet-esp' disabled, the 'udp-fallback-tcp' transport works as expected.

 

Workaround:

 

  1. Set 'fortinet-esp' to 'disable' on the FortiGate side.
  2. Disconnect and reconnect the dial-up IPsec VPN tunnel on FortiClient.

After completing the above steps, ESP packets should no longer be dropped by FortiGate.
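The workaround as one CLI session, added here as an example rather than taken from the article. <name> stands for the dial-up phase1-interface; the 'diagnose vpn ike gateway clear' and 'diagnose vpn tunnel list' commands used to force the renegotiation and to check the result are assumptions of this example, not steps the article gives.

```fortios
# Added example (not from the original article). Replace <name> with the
# dial-up phase1-interface name.

# 1. Disable the proprietary fortinet-esp encapsulation, which FortiClient
#    does not support. IKEv2 and the udp-fallback-tcp transport stay as they are.
config vpn ipsec phase1-interface
    edit <name>
        set fortinet-esp disable
    next
end

# 2. Tear down the existing IKE SA so the client renegotiates. The article has
#    the user disconnect and reconnect from FortiClient; clearing the gateway on
#    the FortiGate side is assumed here to have the same effect.
diagnose vpn ike gateway clear name <name>

# 3. After the client reconnects, confirm the IKE SA is up and that the tunnel's
#    traffic counters increase while traffic is sent through it.
diagnose vpn ike gateway list name <name>
diagnose vpn tunnel list name <name>
```

If the counters in step 3 stay at zero while the client is sending traffic, the tunnel is still being dropped and the phase1-interface should be re-checked for 'fortinet-esp enable'.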

 

Root Cause:

 

'fortinet-esp' is a proprietary protocol intended for FortiGate-to-FortiGate communication. FortiClient does not support this protocol, so ESP packets from a FortiClient dial-up peer cannot be processed while it is enabled and are dropped. FortiOS v7.4.6 and later and FortiClient v7.4.0 and later support RFC 8229 compliant TCP transport for IKE and IPsec traffic; see Encapsulate ESP packets within TCP headers.

 

Related documents:

Encapsulate ESP packets within TCP headers - FortiGate New Features

Technical Tip: IPsec VPN over TCP using FortiClient not establishing, with error message 'wrong tran...