Hi,
I've a Cisco IPSEC router connected to the FG. There's only 1 public IP on the FG wan interface.
On the FG, I'd see port forwarding for TCP, UDP, SCTP, ICMP traffic but not ESP. Does FG support port forwarding for ESP traffic? If yes, kindly advice how I can do that? Thanks a lot.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
ESP protocol don't have port numbers and thats why NAT-T concept is there ( Encrypting ESP using UDP-4500 packets)
Could you please share the exact requirement/problem statement.
Hi edsiew,
Please be informed that ESP is a layer3 protocol and it doesn't have any port number. So for the ESP protocol port forwarding is not possible. Also if you are trying to establish a vpn tunnel and Nat device is in between, in this scenario you need to enable NAT-T on both peer ends and the port UDP 4500, UDP 500 needs to be allowed on the NAT device placed in between to allow the vpn traffic to pass through. For more details kindly check below link:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-nattraversal/ta-p/197873
Regards,
Parteek
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1673 | |
1083 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.