FAPC24JE IPSEC Datachannel
Hi @all,
has anybody succeeded in connecting a FAPC24JE as a Remote AP with IPSEC Datachannel security?
It kinda seems to work, I see the WLC FGT responding to IKE requests... but I wasn't able to establish an IPSEC Datachannel.
It could be the WAN setup on the remote side... but to rule that out I posted this question ;)
Regards,
Jan
Hi Jan,
It is working in latest GA build 222. May I please know which build was used to test ipsec data-channel security?
Thanks,
Jay
Hi Jay,
I was testing with Build 222. So the problem seems to be with the WAN Link not passing UDP 4500 here.
Thanks and Regards,
Jan
Hi Jan,
Can you please share the following info from your set-up?
1. Fortigate name and firmware used
2. wtp-profile applied to C24JE
I'm able to form ipsec data channel security with Fortigate which is behind NATed WAN.
Thanks,
Jay
Hi Jay,
sure.
Fortigate used is a FGT81E-POE running FortiOS 6.2.1 (other APs, 21D and 223E, running IPSEC Datachannels work fine).
config wireless-controller wtp-profile
    edit "FAPC24JE-DE"
        config platform
            set type C24JE
        end
        config lan
            set port1-mode bridge-to-wan
            set port2-mode bridge-to-wan
            set port3-mode bridge-to-wan
        end
        set dtls-policy dtls-enabled ipsec-vpn
        set handoff-sta-thresh 30
        set ap-country DE
        set allowaccess https ssh
        set login-passwd-change default
        config radio-1
            set band 802.11n,g-only
            set darrp enable
            set frequency-handoff enable
            set ap-handoff enable
            set vap-all disable
            set vaps "SSID1"
            set channel "1" "6" "11"
        end
        config radio-2
            set band 802.11ac,n-only
            set short-guard-interval enable
            set channel-bonding 40MHz
            set darrp enable
            set frequency-handoff enable
            set ap-handoff enable
            set vap-all disable
            set vaps "SSID1"
            set channel "36" "44"
        end
    next
end
I'm assuming that the router on site which is doing the NAT (not a FGT!) messes up the NAT-T traffic or the IKE replies. The FGT's log says that a WLC user was created ("User added local user wlc-user from cw_acd") and IKE tries to establish without success. We are using small FAP21D on other remote sites to establish IP connectivity on the FAP21D's LAN port via IPSEC Datachannel... so to speak a "very low cost IPSEC endpoint" for just one device. It worked fine for years, but now the FAP21D got discontinued and I wanted to try the setup with FAPC24JE's.
I will try it once I have moved the FAPC24JE's to a new site with a different router.
Thanks and Regards,
Jan
Hi Jan,
Thank you for sharing the information. Yes, please let me know if it does not work once you move C24JE behind a router which allows UDP 4500.
Jay
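The thread turns on two facts visible in Jan's wtp-profile and Jay's reply: `set dtls-policy dtls-enabled ipsec-vpn` puts the CAPWAP data channel inside an IPsec tunnel, and a NAT router in the path therefore has to pass IKE and NAT-T (UDP 500 and 4500) in addition to the CAPWAP control and data ports. The following script is an added example, not code from the thread or from Fortinet: it parses a wtp-profile in FortiOS CLI form into nested dictionaries and reports which UDP ports the upstream NAT must allow for that profile. The sample profile is a trimmed copy of Jan's, and the port assignments are the standard ones (CAPWAP control/data 5246/5247 per RFC 5415; IKE 500 and NAT-T 4500), which is an assumption about what the profile implies rather than something the thread states explicitly.

```python
"""Parse a FortiOS wtp-profile (CLI form) and list the UDP ports an upstream NAT
router must pass for the AP to bring up its CAPWAP control and data channels.
Added example; the profile and port table are constructed assumptions."""
import shlex

# Constructed sample: a trimmed version of the profile posted in the thread.
SAMPLE_PROFILE = """\
config wireless-controller wtp-profile
    edit "FAPC24JE-DE"
        config platform
            set type C24JE
        end
        config lan
            set port1-mode bridge-to-wan
        end
        set dtls-policy dtls-enabled ipsec-vpn
        set allowaccess https ssh
        config radio-1
            set band 802.11n,g-only
            set vaps "SSID1"
            set channel "1" "6" "11"
        end
    next
end
"""

# Assumed standard port assignments: CAPWAP per RFC 5415, IKE/NAT-T per RFC 7296 and RFC 3948.
CAPWAP_PORTS = {5246: "CAPWAP control", 5247: "CAPWAP data (DTLS if enabled)"}
IPSEC_PORTS = {500: "IKE", 4500: "IKE NAT-T / UDP-encapsulated ESP"}


def parse_fortios_cli(text):
    """Turn nested config/edit/set/next/end blocks into nested dicts.
    'set' values are kept as a list of strings so multi-value settings survive.
    Raises ValueError on unbalanced blocks or unknown keywords."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles quoted values like "SSID1"
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword == "unset":
            stack[-1].pop(args[0], None)
        elif keyword in ("next", "end"):
            if len(stack) == 1:
                raise ValueError("unbalanced %r" % keyword)
            stack.pop()
        else:
            raise ValueError("unknown keyword %r" % keyword)
    if len(stack) != 1:
        raise ValueError("unterminated block")
    return root


def uses_ipsec_data_channel(config, profile_name):
    """True when the profile's dtls-policy includes ipsec-vpn."""
    profile = config["wireless-controller wtp-profile"][profile_name]
    return "ipsec-vpn" in profile.get("dtls-policy", [])


def required_udp_ports(config, profile_name):
    """Return {port: purpose} for everything the AP-to-FortiGate path must allow.
    CAPWAP is always needed; IKE and NAT-T only when the data channel is IPsec."""
    ports = dict(CAPWAP_PORTS)
    if uses_ipsec_data_channel(config, profile_name):
        ports.update(IPSEC_PORTS)
    return ports


if __name__ == "__main__":
    cfg = parse_fortios_cli(SAMPLE_PROFILE)
    for port, purpose in sorted(required_udp_ports(cfg, "FAPC24JE-DE").items()):
        print("UDP %5d  %s" % (port, purpose))
```

Run against the sample it lists UDP 500, 4500, 5246 and 5247, which is the checklist to verify on a third-party NAT router before suspecting the AP or the controller build; with `dtls-policy clear-text` only the two CAPWAP ports are reported.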
Hi Jay,
Now it works as expected.
Jan