Helpful ReplyHot!Multiple dynamic / dial-up IPSec VPN peers not working - tunnels up and down constantly

Author
ergotherego
Silver Member
  • Total Posts : 74
  • Scores: 4
  • Reward points: 0
  • Status: offline
2017/08/14 21:20:58 (permalink)
5 (1)

Multiple dynamic / dial-up IPSec VPN peers not working - tunnels up and down constantly

Ran into this issue today and figured I would post the solution, since I couldn't find it.
 
Situation is a VPN hub/concentrator running 5.2.8 with multiple IPSec VPN peers configured as dynamic/dialup peers. When testing the new firewalls one at a time before shipping out, each one worked fine. But after users received them at their site, none worked. They all kept bouncing up and down. Tunnels would establish, and then with 2-3 seconds go back down again, over and over.
 
The solution was to disable add-route under the Phase 1 settings for each VPN peer:
 
config vpn ipsec phase1-interface
    edit "DVPN-PEER-1"
        set add-route disable
    next
end

 
I didn't capture the log message, but what was seen was a message indicating that route 0.0.0.0/0 was being passed from one VPN to the other. Since Phase 2 selectors are set to all zeroes, and add-route is enabled by default for a dynamic peer, the hub firewall was adding a static route for 0.0.0.0/0 each time a VPN came up.
 
It didn't affect any other VPN tunnels or traffic, just the dynamic peers; guessing due to route cache.
 
Ps. I also didn't see that message about shifting routes until I configured a VPN debug filter using the known destination address of a VPN peer. With just ike debugging set to -1 I never saw that message.
#1
Toshi Esumi
Gold Member
  • Total Posts : 389
  • Scores: 17
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Multiple dynamic / dial-up IPSec VPN peers not working - tunnels up and down constantl 2017/08/15 09:25:40 (permalink)
0
I don't know it's in RFC or not but FG has been working that way with aggressive mode IPSec and IKEv2 dynamic. If you're separating phase1-interfaces per peer, not accommodating all peers with one phase1-interface with peer IP pool like for dialup clients, you need to specify unique selectors (subnet pairs between source and destination) per peer. And those remote subnets are injected into the routing-table as static routes on the HUB side so that you don't have to configure static routes manually.
When we've learned this years ago, it probably didn't have the add-route disable option you discovered so we've never tried the same 0/0<->0/0 default selector for those and run a routing protocol over the tunnel.
Thank you for the info I want to test this myself further.
#2
jackjohn
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/08/07 16:34:57
  • Status: offline
Re: Multiple dynamic / dial-up IPSec VPN peers not working - tunnels up and down constantl 2017/08/17 07:43:04 (permalink)
0
Thank you for info.
 
Im having the same issue.
We are trying to have 2 dial VPN tunnel in 1 Branch, conecting to HQ with 2 ISP.
The idea is to have redundant if 1 ISP in HQ down.
Like you, both tunnel go up and down every 2 seconds.
We set disable route as you suggest, now both tunnel up.
 
Now Im working to add route, maybe I try OSPF over two tunnel.
 
thank you
 
 
#3
ergotherego
Silver Member
  • Total Posts : 74
  • Scores: 4
  • Reward points: 0
  • Status: offline
Re: Multiple dynamic / dial-up IPSec VPN peers not working - tunnels up and down constantl 2017/08/17 09:03:28 (permalink)
0
jackjohn,
 
You will need to run a routing protocol for sure. You can't add static routes pointing to a dial-up IPSec tunnel, and if you disable add-route, the only mechanism left for routing is to use a dynamic routing protocol.
#4
jackjohn
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/08/07 16:34:57
  • Status: offline
Re: Multiple dynamic / dial-up IPSec VPN peers not working - tunnels up and down constantl 2017/08/18 17:15:58 (permalink)
0
I just setup simple RIP as routing protocol. 
I find new issue, not related to IPsec.
in my HQ routing monitor, the prefered path is using tunnel1.
in Branch routing monitor, the prefered path is using tunnel2.
 
This way , my traffic cannot go thru unless I set RIP to listen on 1 tunnel only.
My guess is assymetric routing issue.
 
Is this expected in RIP ?
 
 
 
#5
emnoc
Expert Member
  • Total Posts : 4215
  • Scores: 237
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Status: offline
Re: Multiple dynamic / dial-up IPSec VPN peers not working - tunnels up and down constantl 2017/08/19 03:31:16 (permalink) ☄ Helpfulby jackjohn 2017/08/22 03:19:52
0
Just offset the rip hops on one link to ensure traffic is preferred over the other. Just use one side to offset in or out for the offset and that will  increase the metric for the networks that matches.
 
Take a look at the following for a example.
 
https://forum.fortinet.com/tm.aspx?m=131494

PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
#6
jackjohn
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/08/07 16:34:57
  • Status: offline
Re: Multiple dynamic / dial-up IPSec VPN peers not working - tunnels up and down constantl 2017/08/19 21:21:33 (permalink)
0
Seting offset done.
Still ,metric in "get router info rip database" not change.
I tweak direction in/out , set status enable/disable, still no luck.
 
I try to apply the same RIP/offset setting to other branch that using IP sec directly ( not dial up).
It is working fine. the metric did change to new value.
 
So its the IP sec dial up interface that should be the issue.
I found that interface dialup IP sec has VPN_Tunnel_0 extension in naming.
This might be the issue,as I apply offset list to VPN_tunnel interface.
 
But strange this is, RIP is able to distribute route using interface VPN_tunnel from the beginning, as I can see the route. Only problem is the prefered path is different in HQ Fortigate and Branch Fortigate.
If Im using only one VPN_Tunnel, there is no issue.
 
How can it not be able to do so in offset list , or do I need to look somewhere else ?
 
 
 
 
 
 
#7
jackjohn
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/08/07 16:34:57
  • Status: offline
Re: Multiple dynamic / dial-up IPSec VPN peers not working - tunnels up and down constantl 2017/08/19 23:27:13 (permalink)
0
I got it working.
 
My workaround  is to setup offset list in the Branch Fortigate instead in HQ.
This can be done ,since the VPN name in branch is named VPN_tunnel , without _0 in the end like in the HQ.
And I guess its accepted by offset list setting.
When I hit : get router info rip database , it finally working. Metric shows the new value.
Now my 2 tunnel is working as failover, using Dial up IPSEC.
 
I also had chance to experiment using OSPF, but OSPF completely would not distribute route via VPN_tunnel_0 ,that even routing will not propagate.
I dont know why is that, but RIP is the  solution for me. Somehow surprised by that.
 
Thank you.
 
#8
Jump to:
© 2017 APG vNext Commercial Version 5.5