Article Id 379424
Description This article describes the cause of, and the workaround for, an issue where a dial-up IPsec VPN that encapsulates ESP packets within TCP fails after upgrading to FortiOS 7.4.x.
Scope FortiGate v7.4.x.
Solution

After upgrading to FortiOS 7.4.x, the dial-up IPsec VPN starts to drop ESP packets as they move from the tunnel interface to the physical interface when the following phase1 configuration is in place:

config vpn ipsec phase1-interface
    edit <name>
        set ike-version 2
        set transport udp-fallback-tcp
        set fortinet-esp enable
    next
end


This issue is triggered only when the 'set fortinet-esp enable' setting is configured and enabled.


Workaround:


  1. Set 'fortinet-esp' to 'disable' on the FortiGate side.
  2. Disconnect and reconnect the dial-up IPsec VPN tunnel on FortiClient.

After completing the above steps, ESP packets should no longer be dropped by FortiGate.
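To find which phase1 entries carry the affected combination (TCP transport plus 'fortinet-esp enable') before applying the workaround, the following added Python check parses a FortiOS configuration backup; it is not part of this article or of FortiOS, and the sample configuration text and tunnel names are constructed.

```python
# Constructed sample of a FortiOS configuration backup excerpt (not from a real device).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "dialup-tcp"
        set ike-version 2
        set transport udp-fallback-tcp
        set fortinet-esp enable
    next
    edit "dialup-udp"
        set ike-version 2
        set fortinet-esp enable
    next
    edit "site-a"
        set ike-version 2
        set transport udp-fallback-tcp
        set fortinet-esp disable
    next
end
"""

def parse_phase1(config_text):
    """Return {tunnel_name: {setting: value}} for the phase1-interface section.
    Nested 'config ... end' sub-blocks inside an edit entry are skipped."""
    tunnels, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config vpn ipsec phase1-interface":
                depth = 1          # entered the section we care about
            continue
        if line.startswith("config "):
            depth += 1             # nested sub-block: ignore its contents
        elif line == "end":
            depth -= 1
            if depth == 0:
                break              # section finished
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            tunnels[current] = {}
        elif depth == 1 and line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip()
        elif depth == 1 and line == "next":
            current = None
    return tunnels

def affected_tunnels(config_text):
    """Names of phase1 entries matching the configuration described in this article."""
    return sorted(
        name for name, s in parse_phase1(config_text).items()
        if s.get("transport") == "udp-fallback-tcp" and s.get("fortinet-esp") == "enable"
    )
```

Each name returned is a tunnel on which 'set fortinet-esp disable' should be applied before the dial-up client reconnects.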


Root Cause:


'fortinet-esp' is implemented by FortiGate unilaterally and not supported by FortiClient as of the time this article was written. Disable 'fortinet-esp' on FortiGate until FortiClient supports this configuration.


Related document:

Encapsulate ESP packets within TCP headers - FortiGate New Features