6.4.6 IPSec Aggregate Interfaces
I started down the journey of FortiManager and near zero touch provisioning with CLI Templates. After a solid week of trial and error, I completed the setup this evening and was extremely happy to see the final result, until I tried testing the policies.
My internal network can reach the internet using the SDWan interface, but it cannot reach any resource across the IPSec tunnel. The hit counts aren't even incrementing on any of the policies I'd be hitting. I setup a debug flow and the output below appears to be trying to route into the tunnel but nothing on the policy hit counters on either side.
I am wondering if it's because I used an IPSec aggregate interface on the branch side but not on the Datacenter side. We're in process of upgrading to 6.4.6 and are starting with the branches. The ultimate goal is dual Internet circuits at each site with 2 tunnels to the datacenter, but this site, and most others, currently have a single Internet circuit. The plan was to start with an Aggregate interface with a single member and add members as we add Internet circuits/IPSec tunnels.
2021-06-07 21:53:46 id=20085 trace_id=4 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 10.10.21.18:1->10.40.252.11:2048) from usmart-wifi-01. type=8, code=0, id=1, seq=99."
2021-06-07 21:53:46 id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5823 msg="Find an existing session, id-0000089b, original direction"
2021-06-07 21:53:46 id=20085 trace_id=4 func=npu_handle_session44 line=1165 msg="Trying to offloading session from usmart-wifi-01 to USCHAN, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00040000"
2021-06-07 21:53:46 id=20085 trace_id=4 func=fw_forward_dirty_handler line=395 msg="state=00000204, state2=00000001, npu_state=00040000"
2021-06-07 21:53:46 id=20085 trace_id=4 func=ipd_post_route_handler line=490 msg="out USCHAN vwl_zone_id 0, state2 0x1, quality 0.
2021-06-07 21:53:46 id=20085 trace_id=4 func=ipsec_agg_dev_hard_start_xmit line=315 msg="Entering IPSec aggregate USCHAN"
2021-06-07 21:53:46 id=20085 trace_id=4 func=ipsec_agg_dev_hard_start_xmit line=325 msg="Using IPSec aggregate tunnel uschan-3"
2021-06-07 21:53:46 id=20085 trace_id=4 func=_ipsecdev_hard_start_xmit line=666 msg="IPsec tunnel-uschan-3"
2021-06-07 21:53:46 id=20085 trace_id=4 func=esp_output4 line=898 msg="IPsec encrypt/auth"
2021-06-07 21:53:46 id=20085 trace_id=4 func=ipsec_output_finish line=618 msg="send to x.x.x.x via intf-FortiExtender1"