FortiGate
wcruvinel
Staff
Article Id 406807
Description

This article discusses an issue where IPsec over TCP does not work properly when FortiGate is configured with more than one WAN interface.


The problem occurs because the returning IKE traffic takes a different path than the one the outbound traffic used. The resulting asymmetric routing prevents IKE over TCP from working properly on any tunnel or interface.

Scope

FortiGate v7.4.7 and v7.4.8 with dual WAN and equal default routes using IKE over TCP.

Solution

Symptoms:

  • IKE over TCP sessions do not establish correctly.
  • Returning IKE traffic uses a different WAN interface, causing asymmetric tunnel behavior.

Reproduction Scenario:

  • FortiGate is configured with two default routes in the routing table, both with the same distance and priority.
  • The IPsec tunnel is configured to use TCP transport.


Workaround:

The issue can be mitigated by enabling 'ike-policy-route' under 'config system settings' and configuring a policy route for TCP IKE traffic.

This forces IKE over TCP traffic to return through the same WAN interface.


Step 1: Configure the Router Policy.

Access the CLI and configure the following:


config router policy
    edit 1
        set src X.X.X.X/255.255.255.252 <----- Use the WAN interface IP so that TCP IKE return traffic leaves through the same interface.
        set output-device "wan1"
    next
end


Step 2: Enable IKE Policy Route.

Enable IKE policy routing:


config system settings
    set ike-policy-route enable
end
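
The two steps above must be applied consistently on every WAN interface, and it is easy to miss one. The following checker is an added example, not part of this article or of FortiOS: it parses a CLI config dump (the SAMPLE_CONFIG text is constructed) and reports which of the named WAN interfaces still lack a policy route whose 'src' is that interface's own address and whose 'output-device' is the interface itself, together with whether 'ike-policy-route' is enabled.

```python
# Added example, not from the Fortinet article; SAMPLE_CONFIG is a constructed FortiOS dump.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.252
    next
    edit "wan2"
        set ip 198.51.100.2 255.255.255.252
    next
end
config router policy
    edit 1
        set src "203.0.113.2/255.255.255.252"
        set output-device "wan1"
    next
end
config system settings
    set ike-policy-route enable
end
"""

def parse_fortios(text):
    """Parse one nesting level of FortiOS config/edit/set/next/end syntax into dicts."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section, entry = line[7:], None
            sections[section] = {}
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            target = sections[section] if entry is None else sections[section][entry]
            target[key] = value.strip('"')
        elif line == "next":
            entry = None
    return sections

def check_ike_policy_routes(text, wan_ifaces):
    """Return (ike_policy_route_enabled, [WAN interfaces lacking a matching policy route])."""
    cfg = parse_fortios(text)
    policies = list(cfg.get("router policy", {}).values())
    missing = []
    for name in wan_ifaces:
        want_src = cfg["system interface"][name]["ip"].replace(" ", "/")
        if not any(p.get("src") == want_src and p.get("output-device") == name for p in policies):
            missing.append(name)
    return cfg.get("system settings", {}).get("ike-policy-route") == "enable", missing
```

Running check_ike_policy_routes(SAMPLE_CONFIG, ["wan1", "wan2"]) on the constructed dump reports that wan2 has no policy route yet, which is exactly the configuration that reproduces the asymmetric return path described above.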


Solution:

The fix is included in v7.6.4 and will also be included in v7.4.9 and v8.0.0.


Related article:

Technical Tip: Asymmetric traffic observed with IPsec over TCP in an SD-WAN dual WAN setup