I have 3 vpn connections:
1. Azure - mainsite FG (ipsec)
2. branchsite FG - mainsite FG (ipsec)
3. clients - mainsite FG (ssl-vpn)
With the new ike-port option it should be possible to move to IPsec over port 443.
config system settings
set ike-port 443
end
This sets the port globally though. I can get around this for tunnels 2 and 3, but Azure site-to-site VPN does not have an option to change port (or use tcp). Is it possible to change the port per tunnel? If not, is this on the roadmap?
@Knuppel1983 Unfortunately, this is a global feature. This setting is not available per tunnel for now.
Created on 11-05-2024 12:09 AM Edited on 11-05-2024 12:10 AM
Hi Dixit, thanks for your reply. Is this on the roadmap? Or are there talks with vendors like Microsoft to support TCP IPsec? I can't imagine being the only one facing this problem.
Why do you want that? IPsec tunnels can coexist on the same port because they should usually differ by PSK and/or peer ID. Also, if you enable NAT-Traversal you will need a second port.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Created on 11-05-2024 07:05 AM Edited on 11-05-2024 07:06 AM
The problem is not multiple tunnels co-existing on the same port.
The problem is certain devices and services (Azure) not supporting IPsec over TCP. This puts me in the situation where Fortinet is removing SSL-VPN and thus wants me to move away from it, but the 'set ike-port 443' port change has an effect not just on the IPsec client tunnel, but on all tunnels.
ah ok now I understand it :)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Though FortiOS uses the default IPsec ports: 500/UDP and 4500/UDP (for NAT-T). So there is no IPsec over TCP, as far as I know.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Yeah, that's a new feature added in 7.4, which we don't yet use, so I cannot say much that is helpful about 7.4. But from that article I see that in 7.4 it is possible to switch the IPsec transport from UDP to TCP. It says that by default it then uses 4500/TCP. There is an option to change the port, but this is global... and that's where your problems start.
So you mean Azure etc. only support 443/TCP and that's why you need to change the port?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Created on 11-05-2024 07:22 AM Edited on 11-05-2024 07:22 AM
Correct. I think Azure only supports the default UDP IPsec ports; there is no way of changing them. This would also apply to other non-Fortinet devices. I can alter the phase1-interface to 'set transport udp', but this doesn't seem to work.
Haven't extensively tested yet though.