Hi,
I have a Cisco IPsec router connected to the FG. There is only one public IP on the FG WAN interface.
On the FG, I see port forwarding for TCP, UDP, SCTP and ICMP traffic, but not ESP. Does the FG support port forwarding for ESP traffic? If yes, kindly advise how I can do that. Thanks a lot.
The ESP protocol doesn't have port numbers, and that's why the NAT-T concept is there (encrypting ESP using UDP 4500 packets).
Could you please share the exact requirement/problem statement?
Regards,
Suraj
Hi edsiew,
Please be informed that ESP is a Layer 3 protocol and it doesn't have any port number, so port forwarding is not possible for the ESP protocol. Also, if you are trying to establish a VPN tunnel and a NAT device is in between, you need to enable NAT-T on both peer ends, and UDP 4500 and UDP 500 need to be allowed on the NAT device in between so the VPN traffic can pass through. For more details, kindly check the link below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-nattraversal/ta-p/197873
Regards,
Parteek
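To make the point in the replies above concrete, here is an added example (my own code, not from the thread or from Fortinet) that builds three constructed packets in Python: raw ESP (IP protocol 50), NAT-T ESP in UDP 4500, and IKE in UDP 4500 with the RFC 3948 non-ESP marker. A small classifier then shows what a port-forwarding rule could match on in each case. The function names, addresses and SPI are hypothetical; the packets are never sent, so the IP and UDP checksums are left at zero.

```python
import struct
import ipaddress

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on UDP 4500 carries 4 zero bytes first
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-byte NAT keepalive on UDP 4500


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options; checksum left zero (packet is not sent)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def udp_header(sport, dport, payload):
    """8-byte UDP header followed by payload; checksum left zero."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def esp_payload(spi, seq, ciphertext):
    """ESP header is just SPI + sequence number; everything after it is opaque."""
    return struct.pack("!II", spi, seq) + ciphertext


def raw_esp_packet(src, dst, spi, seq, ciphertext):
    """ESP directly over IP (protocol 50): there is no transport header at all."""
    esp = esp_payload(spi, seq, ciphertext)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def nat_t_esp_packet(src, dst, spi, seq, ciphertext):
    """NAT-T: the same ESP bytes wrapped in UDP 4500, so a NAT can track src/dst ports."""
    udp = udp_header(NAT_T_PORT, NAT_T_PORT, esp_payload(spi, seq, ciphertext))
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def nat_t_ike_packet(src, dst, ike_message):
    """IKE moved to UDP 4500 after NAT detection; the zero marker separates it from ESP (SPI 0 is reserved)."""
    udp = udp_header(NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + ike_message)
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def classify(packet):
    """Report the fields a DNAT/port-forwarding rule could match on for this packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == IPPROTO_ESP:
        spi, = struct.unpack("!I", payload[:4])
        # No ports exist: the only selectors are protocol number and SPI.
        return {"proto": "ESP", "ports": None, "spi": spi}
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        info = {"proto": "UDP", "ports": (sport, dport), "inner": None}
        if dport == NAT_T_PORT:
            if data == NAT_KEEPALIVE:
                info["inner"] = "KEEPALIVE"
            elif data[:4] == NON_ESP_MARKER:
                info["inner"] = "IKE"
            else:
                info["inner"] = "ESP"
                info["spi"], = struct.unpack("!I", data[:4])
        elif dport == IKE_PORT:
            info["inner"] = "IKE"
        return info
    return {"proto": str(proto), "ports": None}


def port_forward_matches(packet, proto_name, dport):
    """A port-forwarding rule needs a transport port; it can never match a raw ESP packet."""
    info = classify(packet)
    return info["proto"] == proto_name and info["ports"] is not None and info["ports"][1] == dport


if __name__ == "__main__":
    args = ("203.0.113.10", "198.51.100.5", 0x0C0FFEE, 1, b"\x00" * 16)  # constructed sample values
    for name, pkt in (("raw ESP", raw_esp_packet(*args)),
                      ("NAT-T ESP", nat_t_esp_packet(*args)),
                      ("NAT-T IKE", nat_t_ike_packet(args[0], args[1], b"\x01" * 28))):
        print(f"{name:10s} -> {classify(pkt)}")
```

The classifier only reads IP protocol, UDP ports and the first bytes of the UDP payload, which is exactly what a NAT in the path sees: with raw ESP there is no port to rewrite or forward on, while with NAT-T both IKE and ESP share UDP 4500 and are told apart by the non-ESP marker, so allowing UDP 500 and 4500 through the NAT device is sufficient.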