Forward error correction on VPN overlay networks – FortiOS 6.2

Forward error correction on VPN overlay networks

This topic shows an SD-WAN with forward error correction (FEC) on VPN overlay networks. FEC can be used to lower packet loss ratio by consuming more bandwidth. It uses six parameters in IPsec phase1/phase1-interface setting.

l fec-ingress. Disabled by default. l fec-egress. Disabled by default. l fec-base. <1-100>. Default=20. l fec-redundant. <1-100>. Default=10. l fec-send-timeout. <1-1000>. Default=8. l fec-receive-timeout.<1-10000>. Default=5000.

For example, a customer has tow ISP connections, wan1 and wan2. Using these two connections, create two IPsec VPN interfaces as SD-WAN members. Configure FEC on each VPN interface to lower packet loss ratio by retransmitting the packets using its backend algorithm.

Sample topology

To configure IPsec VPN:

config vpn ipsec phase1-interface edit “vd1-p1” set interface “wan1” set peertype any set net-device disable set proposal aes256-sha256 set dhgrp 14 set remote-gw 172.16.201.2 set psksecret ftnt1234 set fec-egress enable set fec-send-timeout 8 set fec-base 20 set fec-redundant 10 set fec-ingress enable set fec-receive-timeout 5000

next edit “vd1-p2” set interface “wan2” set peertype any set net-device disable set proposal aes256-sha256 set dhgrp 14 set remote-gw 172.16.202.2

set psksecret ftnt1234 set fec-egress enable set fec-send-timeout 8 set fec-base 20 set fec-redundant 10 set fec-ingress enable set fec-receive-timeout 5000

next

end

config vpn ipsec phase2-interface edit “vd1-p1”

set phase1name “vd1-p1”

next edit “vd1-p2”

set phase1name “vd1-p2”

next

end

To configure the interface:

config system interface

edit “vd1-p1”

set ip 172.16.211.1 255.255.255.255 set remote-ip 172.16.211.2 255.255.255.255

next edit “vd1-p2”

set ip 172.16.212.1 255.255.255.255 set remote-ip 172.16.212.2 255.255.255.255

next

end

To configure the firewall policy:

config firewall policy edit 1

set name “1” set srcintf “dmz” set dstintf “”virtual-wan-link”” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set nat enable

next

end To configure SD-WAN:

config system virtual-wan-link

set status enable config members

edit 1

set interface “vd1-p1” set gateway 172.16.211.2 next

edit 1 set interface “vd2-p2” set gateway 172.16.212.2

next

end

end

To use the diagnose command to check VPN FEC status:

# diagnose vpn tunnel list

list all ipsec tunnel in vd 0

—————————————————–name=vd1 ver=1 serial=1 172.16.200.1:0->172.16.200.2:0

bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0e10]=create_dev frag-rfc fec-egress fec-ingress accept_traffic=1

proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 fec-egress: base=20 redundant=10 remote_port=50000      <<<<<<<<<<<<<<<<<<<<<< fec-ingress: base=20 redundant=10    <<<<<<<<<<<<<<<<<<<<<< proxyid=demo proto=0 sa=1 ref=2 serial=1

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:173.1.1.0/255.255.255.0:0

SA: ref=3 options=10226 type=00 soft=0 mtu=1390 expire=42897/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42899/43200

dec: spi=181f4f81 esp=aes key=16 6e8fedf2a77691ffdbf3270484cb2555 ah=sha1 key=20 f92bcf841239d15d30b36b695f78eaef3fad05c4

enc: spi=0ce10190 esp=aes key=16 2d684fb19cbae533249c8b5683937329 ah=sha1 key=20 ba7333f89cd34cf75966bd9ffa72030115919213

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.