6.4.6 IPSec Aggregate Interfaces

Author
jokes54321
Bronze Member
  • Total Posts : 25
  • Scores: 2
  • Reward points: 0
  • Joined: 2016/04/14 11:05:50
  • Status: offline
2021/06/07 22:12:44 (permalink)
0

6.4.6 IPSec Aggregate Interfaces

I started down the journey of FortiManager and near zero touch provisioning with CLI Templates. After a solid week of trial and error, I completed the setup this evening and was extremely happy to see the final result, until I tried testing the policies. 
 
My internal network can reach the internet using the SDWan interface, but it cannot reach any resource across the IPSec tunnel. The hit counts aren't even incrementing on any of the policies I'd be hitting.  I setup a debug flow and the output below appears to be trying to route into the tunnel but nothing on the policy hit counters on either side.
 
I am wondering if it's because I used an IPSec aggregate interface on the branch side but not on the Datacenter side. We're in process of upgrading to 6.4.6 and are starting with the branches. The ultimate goal is dual Internet circuits at each site with 2 tunnels to the datacenter, but this site, and most others, currently have a single Internet circuit.  The plan was to start with an Aggregate interface with a single member and add members as we add Internet circuits/IPSec tunnels. 
 
 
 
 
 
2021-06-07 21:53:46 id=20085 trace_id=4 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 10.10.21.18:1->10.40.252.11:2048) from usmart-wifi-01. type=8, code=0, id=1, seq=99."
2021-06-07 21:53:46 id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5823 msg="Find an existing session, id-0000089b, original direction"
2021-06-07 21:53:46 id=20085 trace_id=4 func=npu_handle_session44 line=1165 msg="Trying to offloading session from usmart-wifi-01 to USCHAN, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00040000"
2021-06-07 21:53:46 id=20085 trace_id=4 func=fw_forward_dirty_handler line=395 msg="state=00000204, state2=00000001, npu_state=00040000"
2021-06-07 21:53:46 id=20085 trace_id=4 func=ipd_post_route_handler line=490 msg="out USCHAN vwl_zone_id 0, state2 0x1, quality 0.
"
2021-06-07 21:53:46 id=20085 trace_id=4 func=ipsec_agg_dev_hard_start_xmit line=315 msg="Entering IPSec aggregate USCHAN"
2021-06-07 21:53:46 id=20085 trace_id=4 func=ipsec_agg_dev_hard_start_xmit line=325 msg="Using IPSec aggregate tunnel uschan-3"
2021-06-07 21:53:46 id=20085 trace_id=4 func=_ipsecdev_hard_start_xmit line=666 msg="IPsec tunnel-uschan-3"
2021-06-07 21:53:46 id=20085 trace_id=4 func=esp_output4 line=898 msg="IPsec encrypt/auth"
2021-06-07 21:53:46 id=20085 trace_id=4 func=ipsec_output_finish line=618 msg="send to x.x.x.x via intf-FortiExtender1"
 
#1

2 Replies Related Threads

    emnoc
    Expert Member
    • Total Posts : 6137
    • Scores: 422
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: 6.4.6 IPSec Aggregate Interfaces 2021/06/08 02:33:55 (permalink)
    0
    Will the whole purpose of aggregate-ipsec is to have 2 ipsec members.
     
    What does your 
     
    show system ipsec-aggregate on the HUB side who you ?
     
    And  diag system ipsec-aggregate list shows for HQ and SPOKE?
     
    and finally routing?
     
    get router infor routing all 
     
    I would look at that 1st and if you are not doing aggregate on one side, I do not see how this would even work.
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #2
    jokes54321
    Bronze Member
    • Total Posts : 25
    • Scores: 2
    • Reward points: 0
    • Joined: 2016/04/14 11:05:50
    • Status: offline
    Re: 6.4.6 IPSec Aggregate Interfaces 2021/06/08 09:15:31 (permalink)
    0
    I appreciate the response. Long term, the plan is to add a second IPSec tunnel, I was just hoping to lay the foundation now so when the second Internet circuit/tunnel is added, it would just be a matter of adding the tunnel to the aggregate. 

    Rather than using aggregate, I decided to switch to an SDWAN zone instead. This is my first time adding a second SDWAN zone and I am happy to see my testing is working out. 
     
    Now to rework all of my FortiManager scripts
    #3
    Jump to:
    © 2021 APG vNext Commercial Version 5.5