Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
edsiew
New Contributor

Created on ‎04-18-2023 03:57 AM

Port Forwarding for ESP Traffic on Fortigate

Hi, 

I've a Cisco IPSEC router connected to the FG.  There's only 1 public IP on the FG wan interface. 

On the FG, I'd see port forwarding for TCP, UDP, SCTP, ICMP traffic but not ESP.  Does FG support port forwarding for ESP traffic?  If yes, kindly advice how I can do that?  Thanks a lot. 

Edmund Siew
Labels:
433
0 Kudos
2 REPLIES 2
srajeswaran
Staff
Staff

Created on ‎04-18-2023 04:05 AM

ESP protocol don't have port numbers and thats why NAT-T concept is there ( Encrypting ESP using UDP-4500 packets)

 

Could you please share the exact requirement/problem statement.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
431
parteeksharma
Staff
Staff

Created on ‎04-23-2023 08:22 AM

Hi edsiew,

Please be informed that ESP is a layer3 protocol and it doesn't have any port number. So for the ESP protocol port forwarding is not possible. Also if you are trying to establish a vpn tunnel and Nat device is in between, in this scenario you need to enable NAT-T on both peer ends and the port UDP 4500, UDP 500 needs to be allowed on the NAT device placed in between to allow the vpn traffic to pass through.  For more details kindly check below link:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-nattraversal/ta-p/197873

Regards,
Parteek

383
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.