Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
unknown
New Contributor

Dialup Tunnel Setup with SDWAN at the Branch Site

Hi all

I have a specific request to set up SD-WAN at a branch site. The branch site will run version 6.2.1 and the IPsec tunnels will terminate on a perimeter multi-tenant firewall running version 5.2.7. I am planning to set up dialup tunnels, as the remote branch WAN IPs will be dynamic, using LTE or 3G. The issue I have is that the version 5.2.7 perimeter firewall does not add the peer tunnel IP to the routing table. I did a similar setup on later versions and did not experience the same issue. I cannot upgrade the perimeter firewall. I will need to do dynamic routing across the tunnels; when I set up BGP and the peer BGP request hits the perimeter firewall, the traffic gets dropped due to the reverse path check.

 

Here is my setup on the perimeter side.

config vpn ipsec phase1-interface
    edit "www1"
        set type dynamic
        set interface "wan1"
        set nattraversal disable
        set mode aggressive
        set add-route disable
        set dpd-retrycount 2
        set dpd-retryinterval 1
    next
    edit "www2"
        set type dynamic
        set interface "wan2"
        set nattraversal disable
        set mode aggressive
        set add-route disable
        set dhgrp 5
        set dpd-retrycount 2
        set dpd-retryinterval 1
    next
end

 

config vpn ipsec phase2-interface
    edit "www1"
        set phase1name "www1"
        set dhgrp 5
        set keepalive enable
    next
    edit "www2"
        set phase1name "www2"
        set dhgrp 5
        set keepalive enable
    next
end

 

config system interface
    edit "www1"
        set vdom "root"
        set ip 10.11.6.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.11.6.254
        set snmp-index 14
        set interface "wan1"
    next
    edit "www2"
        set vdom "root"
        set ip 10.11.7.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.11.7.254
        set snmp-index 15
        set interface "wan2"
    next
end

As per the below, I don't see the peer IPs, which are 10.11.6.2 and 10.11.7.2.

dc # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

C       10.1.20.0/30 is directly connected, looback-1
C       10.11.6.1/32 is directly connected, www1_0
C       10.11.6.254/32 is directly connected, www1_0
C       10.11.7.1/32 is directly connected, www2_0
C       10.115.97.254/32 is directly connected, www2_0
C       10.120.192.0/24 is directly connected, port1

smari
New Contributor

So the remote IP on the tunnel interface is .2?

Is there any reason you have the remote-ip set to 10.11.6.254 and 10.11.7.254?

NSE7, FMG, FAC, FAZ .

1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.

unknown
New Contributor

The reason for that is that the configuration is based on a pilot I did some time ago running version 6.2 on both sides; version 5.2.7 does not allow me to add the subnet mask in the IP. I would assume I can add the remote IP and make it 10.115.6.2, but how will that scale out with multiple branches?

smari
New Contributor

It doesn't scale; it's just a peer-to-peer type of scenario.

If I was doing a scenario like that with multiple branches, I would switch to mode-cfg on the hub and assign IP addresses dynamically to the dialup clients.

Then run OSPF over the dialup connection.

Done that a few times with good results.

https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-ipsecvpn-52/OSPF_Dynamic_IPsec/O...

The only reason I would use BGP would be if I was doing ADVPN, which is not supported in 5.2.

NSE7, FMG, FAC, FAZ .

1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.

unknown
New Contributor

Configured config mode, using BGP for dynamic routing, but hit another issue: I am getting a selector issue when pinging from the perimeter to the branch and vice versa.

 

dc # 2019-08-28 09:46:05 id=20085 trace_id=296 func=resolve_ip_tuple_fast line=4310 msg="vd-root received a packet(proto=1, 10.11.8.129:7168->10.11.8.1:8) from local."
2019-08-28 09:46:05 id=20085 trace_id=296 func=init_ip_session_common line=4438 msg="allocate a new session-0001bf3b"
2019-08-28 09:46:05 id=20085 trace_id=296 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-wan-www1_0"

 

 

config vpn ipsec phase1-interface
    edit "www1"
        set type dynamic
        set interface "dc-wan1"
        set nattraversal disable
        set mode aggressive
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set add-route disable
        set ipv4-start-ip 10.11.6.4
        set ipv4-end-ip 10.11.6.7
        set ipv4-netmask 255.255.255.0
    next
end

 

dc # get vpn ipsec tunnel name www1_0
gateway
  name: 'wan-www1_0'
  type: route-based
  local-gateway: 172.16.2.2:0 (static)
  remote-gateway: 172.16.1.2:0 (dynamic)
  mode: ike-v1
  interface: 'dc-wan1' (8)
  rx  packets: 1185  bytes: 141592  errors: 0
  tx  packets: 231  bytes: 14516  errors: 69
  dpd: enabled/negotiated  idle: 1000ms  retry: 2  count: 0
  selectors
    name: 'wan-www1'
    auto-negotiate: disable
    mode: tunnel
    src: 0:0.0.0.0-255.255.255.255:0
    dst: 0:10.11.6.5-10.11.6.5:0
    SA
      lifetime/rekey: 43200/37081
      mtu: 1446
      tx-esp-seq: e8
      replay: enabled
      inbound
        spi: a9c2f9ff
        enc:     des  45b91fc8132ff150
        auth:    md5  459ece5572d6b04c583a26e9308e013a
      outbound
        spi: fc0fb2ac
        enc:     des  ff9315f915184a48
        auth:    md5  e2c2b3e38d615cdd828dbc3fcc80da32

 

dc # get router info routing-table details 10.11.8.0
Routing entry for 10.11.8.0/25
  Known via "bgp", distance 20, metric 0, best
  Last update 00:37:12 ago
  * 10.11.6.5, via www1_0

 

smari
New Contributor

BGP over dynamic IPsec is a little different:

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/BGP_Dynamic_IPsec/Config...

You need to change the config to match and create loopback interfaces on each FortiGate to use as the peer address.

After that you should get this up and running.

NSE7, FMG, FAC, FAZ .

1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.

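The following is an added example, not configuration from the thread or from the Fortinet document linked above. It shows one way to put together what the thread arrives at: mode-cfg on the 5.2.7 hub so each branch gets a tunnel address the hub already knows how to route (the thread's own output shows the BGP route for 10.11.8.0/25 installed via 10.11.6.5 on www1_0, so the hub could reach the assigned address), a hub loopback as the BGP peer address as smari suggests, and a BGP neighbor-range covering the mode-cfg pools so a single neighbor-group serves every branch instead of one static peer per site. Only the names and addresses taken from the thread are real (dc-wan1, www1, the 10.11.6.x and 10.11.7.x pools, hub LAN 10.120.192.0/24, branch LAN 10.11.8.0/25, hub WAN 172.16.2.2); everything else is an assumption: the loopback 10.255.255.1, AS 65000 on both sides (iBGP, so no multihop setting is needed), the proposal aes256-sha256 with DH group 14, the pool end 10.11.6.254, the names lo-bgp, branches, to-dc, branch1 and wan1 on the branch, and the <branch-psk> placeholder, which you replace with your own key.

```text
# Perimeter FortiGate (hub, FortiOS 5.2.7). Names marked in the lead-in are assumed.
config system interface
    edit "lo-bgp"
        set vdom "root"
        set ip 10.255.255.1 255.255.255.255
        set type loopback
    next
end
config vpn ipsec phase1-interface
    edit "www1"
        set type dynamic
        set interface "dc-wan1"
        set mode aggressive
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set mode-cfg enable
        set ipv4-start-ip 10.11.6.4
        set ipv4-end-ip 10.11.6.254
        set ipv4-netmask 255.255.255.0
        set add-route disable
        set psksecret <branch-psk>
    next
end
config vpn ipsec phase2-interface
    edit "www1"
        set phase1name "www1"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
config router bgp
    set as 65000
    config neighbor-group
        edit "branches"
            set remote-as 65000
            set update-source "lo-bgp"
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.11.6.0 255.255.255.0
            set neighbor-group "branches"
        next
        edit 2
            set prefix 10.11.7.0 255.255.255.0
            set neighbor-group "branches"
        next
    end
    config network
        edit 1
            set prefix 10.120.192.0 255.255.255.0
        next
    end
end

# Branch FortiGate (spoke, FortiOS 6.2.1); "wan1" stands for the LTE/3G port.
config vpn ipsec phase1-interface
    edit "to-dc"
        set interface "wan1"
        set remote-gw 172.16.2.2
        set mode aggressive
        set localid "branch1"
        set proposal aes256-sha256
        set dhgrp 14
        set mode-cfg enable
        set psksecret <branch-psk>
    next
end
config vpn ipsec phase2-interface
    edit "to-dc"
        set phase1name "to-dc"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config router static
    edit 10
        set dst 10.255.255.1 255.255.255.255
        set device "to-dc"
    next
end
config router bgp
    set as 65000
    config neighbor
        edit "10.255.255.1"
            set remote-as 65000
            set update-source "to-dc"
        next
    end
    config network
        edit 1
            set prefix 10.11.8.0 255.255.255.128
        next
    end
end
```

The branch sources its BGP session from the tunnel interface, so the hub sees a peer inside the mode-cfg pool and matches it with the neighbor-range; the branch reaches the hub loopback through the static route over the tunnel, and the hub answers via the route it holds for the assigned address. Firewall policies allowing TCP/179 between the tunnel interfaces and lo-bgp, and the LAN-to-LAN traffic, are omitted and are still required. If the two sides must use different AS numbers, add `set ebgp-enforce-multihop enable` to the neighbor and neighbor-group, since the loopback is one hop past the tunnel. Two checks before relying on this: the thread's own `get vpn ipsec tunnel` output shows the hub negotiated a selector of dst 10.11.6.5 only, and with that selector traffic to 10.11.8.0/25 is dropped at the tunnel exactly as the debug flow above shows, so confirm with `get vpn ipsec tunnel details` that the negotiated selectors cover the branch LAN once the tunnel is up; and the same output shows the pilot tunnel running DES with MD5, which is why the proposals here are pinned to AES-256/SHA-256 and DH group 14 on both ends. With aggressive mode and `peertype any`, anyone holding the shared key can join the pool, so per-branch peer IDs (`set peertype one` with `set peerid`) or certificate authentication are worth the extra effort once more than a handful of branches dial in.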