Support Forum
Olvmyr
New Contributor

Run RDP over IPsec in an IPsec tunnel.

Hello! This is my first post here.

 

I'm currently implementing Privileged Access Workstations (PAW). In this project I'm also going to use IPsec to secure RDP and WinRM traffic.

When I connect my PAW to the network with an SSL-VPN tunnel from my FortiClient, everything works just fine, but I would like to use an IPsec tunnel from my client to my network. When I connect to the IPsec tunnel, I can't get RDP over IPsec to work.

 

Has anyone ever tried to run IPsec RDP traffic over an IPsec tunnel? Am I missing anything fundamental? I have been doing some trials with MTU but can't really see that it makes any difference.

If it is MTU, I need to lower the MTU of the RDP over IPsec, but I'm not sure that is something you can do, or can you? (I fully understand that this is a Microsoft question and not a FortiGate question.)

My issue could be something completely unrelated to the IPsec tunnel from FortiClient to a FortiGate, but I would like to know if someone else has tried it and whether it worked.

RDP over the IPsec tunnel works, just not RDP over IPsec inside the IPsec tunnel (when you encrypt the actual RDP traffic between the client and the server for the RDP session).


Thank you!

4 REPLIES
adambomb1219
Contributor III

Can you ping the RDP server? Maybe I'm not following here, but why encrypt the traffic twice? Also, doesn't RDP have built-in encryption? What do the logs say? Do your policies allow this traffic? Is there a routing issue?

Olvmyr

Thank you for the response.
Whether the actual RDP traffic is encrypted I don't know; the reason you want to use RDP over IPsec is that you can then use user/device authentication at the server.
RDP is a really insecure protocol, and that's why it's also called Ransomware Deployment Protocol. If RDP is active you want to secure it.
RDP over IPsec is enabled on my servers where I allow RDP and works just fine if I'm on the actual network, but not if I connect with an IPsec tunnel.

I'm not sure why, and it can probably be a lot of things.

Yes, I can "ping" the RDP server, and if I turn off RDP over IPsec on the server it works.

The policies allow the traffic.

hbac
Staff

Hi @Olvmyr,

 

If regular RDP works, I don't think it is a FortiGate issue. You can capture the traffic by following this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Packet-Capture-on-FortiOS-GUI/ta-p/1.... You can also check the Windows firewall rules as per this article: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/securing-rdp-with-ipsec/ba-p...

 

Regards, 

AdrianR
New Contributor III

Hello Olvmyr, 
I use RDP in IPsec all the time without a problem. Can you verify whether your client's firewall is enabling RDP in the policy? Maybe you have it enabled but your client is blocking the protocol.

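The checks that hbac (Windows firewall / connection security rules, packet capture) and AdrianR (client-side firewall) point at, collected into one PowerShell script. This is an added example, not code from the thread, from Fortinet or from Microsoft. It assumes domain-joined hosts that authenticate the IPsec transport-mode session with Kerberos (machine plus user), a constructed server name `rdp-srv.corp.example`, and that the FortiClient tunnel adapter can be found by the interface alias pattern `*Forti*`; all three are assumptions for illustration. The IPsec audit event IDs only appear if "Audit IPsec Main Mode" and "Audit IPsec Quick Mode" auditing is enabled.

```powershell
# Added example (not from the thread): set up "RDP over IPsec" on the server with
# Windows Defender Firewall connection security rules, then verify from both sides.
# Run in an elevated PowerShell on the respective host.
#Requires -RunAsAdministrator

$server = 'rdp-srv.corp.example'   # constructed name, replace with the real RDP host

# ---------- Server side: require IPsec before RDP is admitted ----------
function Install-RdpIpsecPolicy {
    # Phase 1 (main mode) authenticates the computer, phase 2 authenticates the user.
    # Assumption: Kerberos is available (domain-joined client and server).
    $machineKerb = New-NetIPsecAuthProposal -Machine -Kerberos
    $userKerb    = New-NetIPsecAuthProposal -User -Kerberos
    $p1 = New-NetIPsecPhase1AuthSet -DisplayName 'RDP IPsec - machine Kerberos' -Proposal $machineKerb
    $p2 = New-NetIPsecPhase2AuthSet -DisplayName 'RDP IPsec - user Kerberos'    -Proposal $userKerb

    # Connection security rule: inbound 3389 must be protected by IPsec.
    New-NetIPsecRule -DisplayName 'Require IPsec for RDP (3389)' `
        -Protocol TCP -LocalPort 3389 -RemotePort Any `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name -Profile Any -Enabled True

    # Allow rule that only matches once IPsec authentication and encryption succeeded.
    # This is the part that gives you user/device authentication at the server.
    New-NetFirewallRule -DisplayName 'RDP (IPsec required)' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
        -Authentication Required -Encryption Required -Profile Any
}

function Show-RdpIpsecState {
    # Effective rules as loaded by the firewall service.
    Get-NetIPsecRule -PolicyStore ActiveStore |
        Where-Object DisplayName -like 'Require IPsec for RDP*' |
        Format-Table DisplayName, Enabled, InboundSecurity, OutboundSecurity

    # A working negotiation leaves a main-mode and a quick-mode SA for the client IP.
    # If the client can ping and reach 3389 but these stay empty, IKE/ESP never
    # completed: check that UDP 500/4500 and ESP (IP proto 50) reach the server.
    Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId
    Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint

    # Negotiation failures (requires IPsec main/quick mode auditing to be enabled).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4652, 4653, 4654 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Format-List TimeCreated, Id, Message
}

# ---------- Client side (PAW on the FortiClient tunnel) ----------
function Test-RdpPathFromClient {
    param([string]$Target)

    # Plain reachability of 3389 over the tunnel (does not exercise IPsec).
    Test-NetConnection -ComputerName $Target -Port 3389 | Select-Object ComputerName, RemotePort, TcpTestSucceeded

    # Tunnel adapter MTU. Assumption: the FortiClient adapter alias contains "Forti".
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object InterfaceAlias -like '*Forti*' |
        Select-Object InterfaceAlias, NlMtu

    # Largest ICMP payload that crosses the tunnel unfragmented (DF bit set).
    # ESP adds its own header/trailer on top of the tunnel overhead, so a path that
    # carries plain RDP can still drop the inner IPsec packets; compare the result
    # with the adapter MTU above.
    foreach ($size in 1472, 1400, 1350, 1300, 1272, 1200) {
        $out = & ping.exe -f -l $size -n 1 $Target 2>&1 | Out-String
        if ($out -notmatch 'fragmented' -and $out -match 'TTL=') {
            "Largest unfragmented ICMP payload towards ${Target}: $size bytes"
            break
        }
    }

    # Client firewall: an outbound block or an IPsec rule on the PAW itself can stop
    # the negotiation (AdrianR's point). List what applies to 3389 and to IKE.
    Get-NetFirewallRule -Direction Outbound -Enabled True |
        Get-NetFirewallPortFilter | Where-Object { $_.RemotePort -in '3389', '500', '4500', 'Any' } |
        Get-NetFirewallRule | Select-Object DisplayName, Action, Profile
}

# Usage: on the server run Install-RdpIpsecPolicy once, then Show-RdpIpsecState while
# the PAW tries to connect; on the PAW run Test-RdpPathFromClient -Target $server.
```

On the FortiGate side the same point applies: the policy from the FortiClient address range to the server has to allow IKE (UDP 500 and 4500 for NAT-T) and ESP (IP protocol 50) as well as TCP 3389, and the packet capture hbac links to will show whether those packets arrive at all or only the plain RDP SYN does.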
