- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Redundant IPSec and routing - I need some workarou...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Redundant IPSec and routing - I need some workaround
I have this constellation:
FGT A (Shopsite) has static WAN IPs
FGT B (on events) has dynamic WAN IP(s) and is not allways online
Between FGT A and B is two IPSec Tunnels which should provide redundancy.
Due to reasons (to me this is still bugs in FortiOS even if TAC still refuses to aknowledge them) the only way is to use Dial Up tunnels. That is because on S2S every side needs to know the opposite remote gateway. FortiOS does support the use of DDNS/FQDN as remote gw but without p1 autonegotation or oif the ipsec is in listening Mode on FGT A it does not update the gateway ip. So S2S will go down upon first ip change and not come up again.
To workaround this I use dial up because that always is in listenig mode in FGT A and it does not need to know the remote gw.
To achieve redundancy I use sdwan vpn. However with dial up tunnels on FGT A the sdwan fails to select the correct member and route once the link status of the ipsec changes. This seems to be due to the fact that dial up tunnels get enumerated because they support concurrent tunnels.
So to still achieve automagic redundancy on that pair of ipsecs I need a way to adverize or announce the corrent route(s) once one ipsec comes up. Probably with some metric to not run into troubles if both are up ;)
I thought of BGP or similar but the examples I yet found on the net were too complex.
Does anyone have any advice what is best practice to achieve this?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Solved! Go to Solution.
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Few pointers here,
1.) Add-route should be disabled on FGTA under IPsec Configuration to avoid adding of routes during dynamic IPsec negotiation
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/534155/dynamic-ipsec-route-c...
2.) Mode-cfg to be disabled on FGTA and FGTB and number the tunnel interface on each FGT's with an IP of /29 subnet mask.
3.) set net-device disable - Dedicated interface not created on Hub for each dialup client and instead a Shared interface used for each dialup client and uses next-hop tunnel index for encrypting the payload.
4.) set tunnel-search nexthop - Configure under VPN Phase1 and to be used when IPsec routes are learned from a dynamic routing protocol
5.) set exchange-interface-ip enable - Enabled on both FGT's to allow the exchange of IPsec interface IP addresses. This allows a point to multipoint connection to the hub FortiGate.
6.) Run BGP or OSPF across IPsec Tunnels to advertise the required routes across the tunnel using Local Preference (BGP) or Cost (OSPF) as a metric to select the desired path.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Controlling-OSPF-routes-in-case-of-paralle...
7.) SDWAN Rule to give preference to Tunnel1 over Tunnel 2 - So if tunnel1 goes down or routes are not available via tunnel1, FGT will select the tunnel2 provided it has a valid route.
Regards,
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Few pointers here,
1.) Add-route should be disabled on FGTA under IPsec Configuration to avoid adding of routes during dynamic IPsec negotiation
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/534155/dynamic-ipsec-route-c...
2.) Mode-cfg to be disabled on FGTA and FGTB and number the tunnel interface on each FGT's with an IP of /29 subnet mask.
3.) set net-device disable - Dedicated interface not created on Hub for each dialup client and instead a Shared interface used for each dialup client and uses next-hop tunnel index for encrypting the payload.
4.) set tunnel-search nexthop - Configure under VPN Phase1 and to be used when IPsec routes are learned from a dynamic routing protocol
5.) set exchange-interface-ip enable - Enabled on both FGT's to allow the exchange of IPsec interface IP addresses. This allows a point to multipoint connection to the hub FortiGate.
6.) Run BGP or OSPF across IPsec Tunnels to advertise the required routes across the tunnel using Local Preference (BGP) or Cost (OSPF) as a metric to select the desired path.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Controlling-OSPF-routes-in-case-of-paralle...
7.) SDWAN Rule to give preference to Tunnel1 over Tunnel 2 - So if tunnel1 goes down or routes are not available via tunnel1, FGT will select the tunnel2 provided it has a valid route.
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the document you mention after 2. (or is that in 2.) says set net-device and set tunnel-search are removed in 7.0. set net-device still existes on a FGT60E running 7.0.12 here but set tunnel-search doesn't.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for pointing out that, you can ignore that statement as there is slight change in the behavior in 7.0 onwards.
Let me know if you have any further questions.
Best Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
after some testing:
I've two IPSec Tunnels on a 60E yanked to wan1 and wan2. On the 60E this is a SDWAN-Zone (that even does not atm have any sdwan rule). Both terminate on the 300E here at HQ.
So to stay in my scheme the 300E would equal to FGT A and the 60E to FGT B.
add route is disabled on the 300E IPSec Tunnel (atm both tunnels terminate on the same ipsec on the 300E hence there is only one wan line available here). net-device is disabled on both FGT on all three IPSecs.
The 60E has a route to a subnet at HQ with the sdwan zone as interface and the HQ FGT300E as gw. Also I set a prio to the sd-wan zone members in the vpn zone.
The 300E has no sdwan vpn for this. It has redundant static routing for the subnet behind the 60E with prios set.
Both FGT have the required policies.
If I plug the wan1 (VPN 1 is yanked to that) to the internet on the 60E the first tunnel comes up and I can see a vaild route to our subnet for vpn traffic from the 60E on the 300E. I can ping and https the 60E from my pc at HQ office. Fine so far.
Now I unplugged wan1 again and waited for DPD to detect that tunnel down and once that happened I plugged wan2 in. Now the 2nd IPSec on the 60E came up and again I see a vaild route on the 300E and I can ping and https to the 60E again.
So this is now working as it is supposed to. Will give it some more testing though.
So far many thx for your pointers as they led me to the right path :)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Related Posts
- Test Demo Network 289 Views
- BUG in Mature Firmware? - msg="iprope_in_check()... 1208 Views
- Best VPN option for backup ISP... 439 Views
- Idea for VPN S2S design -... 385 Views
Labels
-
FortiGate
6,566 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
566 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
336 -
FortiAP
336 -
FortiClient EMS
267 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
IP address management - IPAM
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Traffic shaping policy
5 -
SNMP
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Schedule
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Web rating
1 -
FortiManager-VM
1 -
Email filter profile
1 -
Multicast routing
1 -
Internet Service Database
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.