Hi @all,
has anybody succeeded in connecting a FAPC24JE as a Remote AP with IPSEC Datachannel security?
It kinda seems to work, I see the WLC FGT responding to IKE requests... but I wasn't able to establish an IPSEC Datachannel.
It could be the WAN Setup on the remote side.... but to rule that out I posted this question ;)
Regards,
Jan
Hi Jan,
It is working in latest GA build 222. May I please know which build was used to test ipsec data-channel security?
Thanks,
Jay
Hi Jay,
I was testing with Build 222. So the problem seems to be with the WAN Link not passing UDP 4500 here.
Thanks and Regards,
Jan
Hi Jan,
Can you please share the following info from your set-up?
1. Fortigate name and firmware used
2. wtp-profile applied to C24JE
I'm able to form ipsec data channel security with Fortigate which is behind NATed WAN.
Thanks,
Jay
Hi Jay,
sure.
Fortigate used is a FGT81E-POE running FortiOS 6.2.1 (other APs, 21D and 223E, running IPSEC Datachannels work fine)
config wireless-controller wtp-profile
    edit "FAPC24JE-DE"
        config platform
            set type C24JE
        end
        config lan
            set port1-mode bridge-to-wan
            set port2-mode bridge-to-wan
            set port3-mode bridge-to-wan
        end
        set dtls-policy dtls-enabled ipsec-vpn
        set handoff-sta-thresh 30
        set ap-country DE
        set allowaccess https ssh
        set login-passwd-change default
        config radio-1
            set band 802.11n,g-only
            set darrp enable
            set frequency-handoff enable
            set ap-handoff enable
            set vap-all disable
            set vaps "SSID1"
            set channel "1" "6" "11"
        end
        config radio-2
            set band 802.11ac,n-only
            set short-guard-interval enable
            set channel-bonding 40MHz
            set darrp enable
            set frequency-handoff enable
            set ap-handoff enable
            set vap-all disable
            set vaps "SSID1"
            set channel "36" "44"
        end
    next
end
I'm assuming that the Router on Site which is doing the NAT (not a FGT!) messes up the NAT-T Traffic or the IKE replies. The FGT's Log says that a WLC User was created "User added local user wlc-user from cw_acd" and IKE tries to establish without success. We are using small FAP21D on other remote sites to establish IP connectivity on the FAP21D's LAN Port via IPSEC Datachannel... So to speak a "very low cost IPSEC endpoint" for just one device. It worked fine for years, but now the FAP21D got discontinued and I wanted to try the Setup with FAPC24JEs.
I will try it once I have moved the FAPC24JEs to a new Site with a different router. Thanks and Regards, Jan
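An added example, not part of this thread and not Fortinet code: a small Python parser for the wtp-profile CLI block in the shape Jan posted, with a check that reports what the remote WAN/NAT path must allow when `dtls-policy` includes `ipsec-vpn` (UDP 4500 NAT-T, the port that turned out to be blocked here) and flags cleartext options. The sample config, `check_profile` and `audit` are my own constructions; the `clear-text` policy value and the `http`/`telnet` allowaccess keywords are standard FortiOS options assumed for the second profile.

```python
import shlex

# Constructed sample in the shape of the profile posted above (not Jan's exact config).
SAMPLE = """\
config wireless-controller wtp-profile
    edit "FAPC24JE-DE"
        set dtls-policy dtls-enabled ipsec-vpn
        set allowaccess https ssh
    next
    edit "LAB-CLEARTEXT"
        set dtls-policy clear-text
        set allowaccess http telnet
    next
end
"""


def parse_fortios(text):
    """Turn FortiOS CLI ('config'/'edit'/'set'/'next'/'end') into nested dicts."""
    root, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles quoted values like "1" "6" "11"
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        cur = stack[-1] if stack else root
        if kw in ("config", "edit"):       # open a nested scope keyed by its name
            stack.append(cur.setdefault(" ".join(args), {}))
        elif kw == "set":                  # values kept as a list of tokens
            cur[args[0]] = args[1:]
        elif kw in ("next", "end") and stack:
            stack.pop()
    return root


def check_profile(profile):
    """Findings for one wtp-profile entry, from a defender's point of view."""
    findings = []
    policy = profile.get("dtls-policy", [])
    if "ipsec-vpn" in policy:
        findings.append("ipsec-vpn data channel: WAN/NAT must pass UDP 500 (IKE) and UDP 4500 (NAT-T)")
    if "clear-text" in policy:
        findings.append("clear-text data channel: client traffic crosses the WAN unencrypted")
    insecure = sorted(set(profile.get("allowaccess", [])) & {"http", "telnet"})
    if insecure:
        findings.append("cleartext AP management enabled: " + ", ".join(insecure))
    return findings


def audit(text):
    profiles = parse_fortios(text).get("wireless-controller wtp-profile", {})
    return {name: check_profile(p) for name, p in profiles.items()}
```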
Hi Jan,
Thank you for sharing the information. Yes, please let me know if it does not work once you move C24JE behind a router which allows UDP 4500.
Jay
Hi Jay,
now it works as expected
Jan