TheJaeene
Contributor

FAPC24JE IPSEC Datachannel

Hi @all,

Has anybody succeeded in connecting a FAPC24JE as a remote AP with IPsec data channel security?

It kind of seems to work; I see the WLC FGT responding to IKE requests, but I wasn't able to establish an IPsec data channel.

It could be the WAN setup on the remote side, but to rule that out I posted this question ;)

Regards,

Jan

JayD_FTNT
Staff

Hi Jan,

It is working in the latest GA build 222. May I please know which build was used to test IPsec data-channel security?

Thanks,

Jay

TheJaeene

Hi Jay,

I was testing with build 222. So the problem seems to be with the WAN link not passing UDP 4500 here.

Thanks and regards,

Jan

JayD_FTNT

Hi Jan,

Can you please share the following info from your set-up?

1. FortiGate name and firmware used

2. wtp-profile applied to the C24JE

I'm able to form IPsec data channel security with a FortiGate which is behind a NATed WAN.

Thanks,

Jay
TheJaeene

Hi Jay,

Sure.

The FortiGate used is an FGT81E-POE running FortiOS 6.2.1 (other APs, 21D and 223E, running IPsec data channels work fine).

config wireless-controller wtp-profile
    edit "FAPC24JE-DE"
        config platform
            set type C24JE
        end
        config lan
            set port1-mode bridge-to-wan
            set port2-mode bridge-to-wan
            set port3-mode bridge-to-wan
        end
        set dtls-policy dtls-enabled ipsec-vpn
        set handoff-sta-thresh 30
        set ap-country DE
        set allowaccess https ssh
        set login-passwd-change default
        config radio-1
            set band 802.11n,g-only
            set darrp enable
            set frequency-handoff enable
            set ap-handoff enable
            set vap-all disable
            set vaps "SSID1"
            set channel "1" "6" "11"
        end
        config radio-2
            set band 802.11ac,n-only
            set short-guard-interval enable
            set channel-bonding 40MHz
            set darrp enable
            set frequency-handoff enable
            set ap-handoff enable
            set vap-all disable
            set vaps "SSID1"
            set channel "36" "44"
        end
    next
end
I'm assuming that the router on site which is doing the NAT (not a FGT!) messes up the NAT-T traffic or the IKE replies. The FGT's log says that a WLC user was created ("User added local user wlc-user from cw_acd") and IKE tries to establish without success. We are using small FAP21Ds on other remote sites to establish IP connectivity on the FAP21D's LAN port via IPsec data channel, so to speak a "very low cost IPsec endpoint" for just one device. It worked fine for years, but now the FAP21D got discontinued and I wanted to try the setup with FAPC24JEs.
I will try it once I have moved the FAPC24JEs to a new site with a different router. Thanks and regards, Jan
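The root cause Jan and Jay converge on is a site router that answers IKE on UDP 500 but drops NAT-T on UDP 4500, so the AP registers and IKE starts but the IPsec data channel never comes up. The following added example (editor's code, not from the thread or from Fortinet) parses the wtp-profile dump above in its native config/edit/set/next/end format and derives, from the dtls-policy setting, which outbound UDP ports the NAT router in front of the remote AP must pass; comparing that against the router's allow-list flags the missing 4500 before the AP is shipped to site. The port table (CAPWAP 5246/5247, IKE 500, NAT-T 4500) and the clear-text default for dtls-policy are the editor's assumptions; the thread itself only names UDP 4500.

```python
"""Derive the outbound UDP ports a remote FortiAP needs from its wtp-profile.

Added example, not FortiOS or Fortinet code. The parser is a minimal
hand-written reader for the config/edit/set/next/end CLI format.
"""
import shlex

# Constructed sample input: the wtp-profile posted in this thread, trimmed
# to the lines relevant for the port check (radio settings do not matter).
SAMPLE_PROFILE = """\
config wireless-controller wtp-profile
    edit "FAPC24JE-DE"
        config platform
            set type C24JE
        end
        config lan
            set port1-mode bridge-to-wan
            set port2-mode bridge-to-wan
            set port3-mode bridge-to-wan
        end
        set dtls-policy dtls-enabled ipsec-vpn
        set ap-country DE
        set allowaccess https ssh
        config radio-1
            set band 802.11n,g-only
            set vaps "SSID1"
            set channel "1" "6" "11"
        end
    next
end
"""

# Assumed port table (editor's assumption, not a vendor statement):
# 5246/5247 are the standard CAPWAP control/data ports; 500/4500 are IKE and
# IKE NAT-T. The thread identifies UDP 4500 as the port the site router dropped.
CAPWAP_UDP = {5246: "CAPWAP control", 5247: "CAPWAP data"}
IPSEC_UDP = {500: "IKE", 4500: "IKE NAT-T / UDP-encapsulated ESP"}


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    'config X' and 'edit X' open a child dict keyed by X, 'set k v...' stores
    the value list under k, and 'next' / 'end' close the current block.
    """
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw)  # handles the quoted values like "SSID1"
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            child = stack[-1].setdefault(" ".join(args), {})
            stack.append(child)
        elif kw == "set":
            if not args:
                raise ValueError(f"line {lineno}: 'set' without a key")
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced '{kw}'")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unknown keyword {kw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def required_udp_ports(profile):
    """UDP ports the AP needs towards the controller, based on dtls-policy.

    Assumes the FortiOS default of clear-text when dtls-policy is unset;
    only the ipsec-vpn option adds the IKE/NAT-T ports on top of CAPWAP.
    """
    policy = profile.get("dtls-policy", ["clear-text"])
    ports = dict(CAPWAP_UDP)
    if "ipsec-vpn" in policy:
        ports.update(IPSEC_UDP)
    return ports


def missing_udp_ports(profile, allowed_outbound):
    """Required ports that the site router's outbound allow-list lacks."""
    return sorted(p for p in required_udp_ports(profile) if p not in allowed_outbound)


def check_profile(config_text, profile_name, allowed_outbound):
    """Parse a wtp-profile dump and return the UDP ports still blocked."""
    tree = parse_fortios(config_text)
    profile = tree["wireless-controller wtp-profile"][profile_name]
    return missing_udp_ports(profile, allowed_outbound)


if __name__ == "__main__":
    profile = parse_fortios(SAMPLE_PROFILE)["wireless-controller wtp-profile"]["FAPC24JE-DE"]
    needed = required_udp_ports(profile)
    # A router that passes IKE on 500 but drops NAT-T on 4500: the thread's failure mode.
    for port in missing_udp_ports(profile, {500, 5246, 5247}):
        print(f"UDP {port} ({needed[port]}) is required but not allowed")
```

The check deliberately treats the allow-list as a set of destination ports only; a router that rewrites the source port of UDP 4500 traffic in a way the peer rejects would pass this check and still break NAT-T, which is the kind of fault that needs a packet capture on both sides of the NAT to confirm.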

JayD_FTNT

Hi Jan,

Thank you for sharing the information. Yes, please let me know if it does not work once you move the C24JE behind a router which allows UDP 4500.

Jay

TheJaeene

Hi Jay,

Now it works as expected.

Jan
