SDWAN Advanced – FortiOS 6.2.0

Per packet distribution and tunnel aggregation

This topic shows how to aggregate IPsec tunnels into a single interface and distribute traffic across them per packet, so that two tunnels to the same peer are used as one logical link.

In this example a site has two ISP connections, wan1 and wan2. One IPsec VPN interface is built over each of them, the two tunnels are combined into an ipsec-aggregate interface, and traffic to the peer is load-balanced per packet across both tunnels.

Only static and DDNS tunnels can be members of an aggregate.

Dynamic (dialup) tunnels are not allowed, because dialup instances tend to terminate at different locations and therefore have different routing. That conflicts with the requirement that all members of an aggregate share the same routing.

Sample topology

Sample configuration

On each FortiGate, first create the two IPsec VPN interfaces. Then create an ipsec-aggregate interface with those two tunnels as members, and add the aggregate (not the individual tunnels) as the SD-WAN member. Phase 2 is left at its defaults in this example; the diagnose output at the end of this topic shows the resulting SA negotiated with esp=aes key=16 and ah=sha1 (AES-128 with HMAC-SHA1), so set a phase 2 proposal explicitly if it should match the AES-256/SHA-256 phase 1 proposal. The pre-shared key ftnt1234 is a placeholder for the example and should be replaced.

FortiGate 1 configuration

To create two IPsec VPN interfaces on FortiGate 1:

config vpn ipsec phase1-interface
    edit "vd1-p1"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 172.16.201.2
        set psksecret ftnt1234
    next
    edit "vd1-p2"
        set interface "wan2"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 172.16.202.2
        set psksecret ftnt1234
    next
end

config vpn ipsec phase2-interface
    edit "vd1-p1"
        set phase1name "vd1-p1"
    next
    edit "vd1-p2"
        set phase1name "vd1-p2"
    next
end

To create an ipsec-aggregate interface on FortiGate 1:

config system ipsec-aggregate
    edit "agg1"
        set member "vd1-p1" "vd1-p2"
        set algorithm L3
    next
end

config system interface
    edit "agg1"
        set vdom "root"
        set ip 172.16.11.1 255.255.255.255
        set allowaccess ping
        set remote-ip 172.16.11.2 255.255.255.255
    next
end

To configure the firewall policy on FortiGate 1:

config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To configure SD-WAN on FortiGate 1:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "agg1"
            set gateway 172.16.11.2
        next
    end
end

FortiGate 2 configuration

To create two IPsec VPN interfaces on FortiGate 2:

config vpn ipsec phase1-interface
    edit "vd2-p1"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 172.16.200.1
        set psksecret ftnt1234
    next
    edit "vd2-p2"
        set interface "wan2"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 172.16.203.1
        set psksecret ftnt1234
    next
end

config vpn ipsec phase2-interface
    edit "vd2-p1"
        set phase1name "vd2-p1"
    next
    edit "vd2-p2"
        set phase1name "vd2-p2"
    next
end

To create an ipsec-aggregate interface on FortiGate 2:

config system ipsec-aggregate
    edit "agg2"
        set member "vd2-p1" "vd2-p2"
        set algorithm L3
    next
end

config system interface
    edit "agg2"
        set vdom "root"
        set ip 172.16.11.2 255.255.255.255
        set allowaccess ping
        set remote-ip 172.16.11.1 255.255.255.255
    next
end

To configure the firewall policy on FortiGate 2:

config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To configure SD-WAN on FortiGate 2:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "agg2"
            set gateway 172.16.11.1
        next
    end
end

To use the diagnose command to display the aggregate's IPsec members:

# diagnose sys ipsec-aggregate list
agg1 algo=L3 member=2 run_tally=2 members:
 vd1-p1 vd1-p2

To use the diagnose command to check VPN status. The output includes the live inbound and outbound SA keys (the dec and enc lines), so treat it as sensitive. Note also that in the capture below vd1-p1 has no phase 2 SA yet (sa=0, accept_traffic=0, zero rx/tx counters) while vd1-p2 is up and carrying all the traffic; packets can only be distributed across members whose tunnels are actually established, so check every member, not just the aggregate, when verifying load balancing:

# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=vd1-p1 ver=1 serial=2 172.16.200.1:0->172.16.201.2:0 dst_mtu=0
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=1 accept_traffic=0
proxyid_num=1 child_num=0 refcnt=5 ilast=15 olast=676 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vd1-p1 proto=0 sa=0 ref=1 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------
name=vd1-p2 ver=1 serial=3 172.16.203.1:0->172.16.202.2:0 dst_mtu=1500
bound_if=28 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=1 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=12 ilast=1 olast=1 ad=/0
stat: rxp=1 txp=1686 rxb=16602 txb=111717
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vd1-p2 proto=0 sa=1 ref=9 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=4 options=10226 type=00 soft=0 mtu=1438 expire=42164/0B replaywin=2048 seqno=697 esn=0 replaywin_lastseq=00000002 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42902/43200
  dec: spi=f6ae9f83 esp=aes key=16 f6855c72295e3c5c49646530e6b96002 ah=sha1 key=20 f983430d6c161d0a4cd9007c7ae057f1ff011334
  enc: spi=8c72ba1a esp=aes key=16 6330f8c532a6ca5c5765f6a9a6034427 ah=sha1 key=20 e5fe385ed5f0f6a33f1d507601b15743a8c70187
  dec:pkts/bytes=1/16536, enc:pkts/bytes=1686/223872
  npu_flag=02 npu_rgwy=172.16.202.2 npu_lgwy=172.16.203.1 npu_selid=2 dec_npuid=1 enc_npuid=0
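The two diagnose commands above are the check to run after building the aggregate. The following is an added example, not Fortinet code and not part of the original guide, that parses both outputs and reports, per member, whether a usable phase 2 SA exists and what share of transmitted packets that member carries; run against the capture above it flags vd1-p1 (sa=0, accept_traffic=0) and shows the whole load on vd1-p2. It assumes the field layout shown in the capture; the two SAMPLE_* strings are constructed from it. It also redacts the SA key bytes the command prints, which matters when the output is pasted into a ticket.

```python
"""Health check for a FortiOS IPsec aggregate from diagnose output.

Added example, not Fortinet code. Parses the text of
`diagnose sys ipsec-aggregate list` and `diagnose vpn tunnel list` in the
layout shown on this page; the sample strings are constructed from that
capture (assumption: real output keeps the same key=value field names).
"""
import re
from dataclasses import dataclass, field

SAMPLE_AGG = """\
agg1 algo=L3 member=2 run_tally=2 members:
 vd1-p1 vd1-p2
"""

SAMPLE_TUNNELS = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=vd1-p1 ver=1 serial=2 172.16.200.1:0->172.16.201.2:0 dst_mtu=0
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=1 accept_traffic=0
proxyid_num=1 child_num=0 refcnt=5 ilast=15 olast=676 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vd1-p1 proto=0 sa=0 ref=1 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------
name=vd1-p2 ver=1 serial=3 172.16.203.1:0->172.16.202.2:0 dst_mtu=1500
bound_if=28 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=1 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=12 ilast=1 olast=1 ad=/0
stat: rxp=1 txp=1686 rxb=16602 txb=111717
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vd1-p2 proto=0 sa=1 ref=9 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=4 options=10226 type=00 soft=0 mtu=1438 expire=42164/0B replaywin=2048 seqno=697 esn=0
  life: type=01 bytes=0/0 timeout=42902/43200
  dec: spi=f6ae9f83 esp=aes key=16 f6855c72295e3c5c49646530e6b96002 ah=sha1 key=20 f983430d6c161d0a4cd9007c7ae057f1ff011334
  enc: spi=8c72ba1a esp=aes key=16 6330f8c532a6ca5c5765f6a9a6034427 ah=sha1 key=20 e5fe385ed5f0f6a33f1d507601b15743a8c70187
  dec:pkts/bytes=1/16536, enc:pkts/bytes=1686/223872
"""

AGG_HDR = re.compile(r"^(\S+) algo=(\S+) member=(\d+) run_tally=(\d+) members:")
TUN_HDR = re.compile(r"^name=(\S+) .*?(\d+(?:\.\d+){3}):\d+->(\d+(?:\.\d+){3}):\d+")
KV = re.compile(r"\b([a-z_]+)=(-?\w+)")          # first occurrence of a key wins
KEY_MATERIAL = re.compile(r"(key=\d+) [0-9a-f]+")  # hex key bytes on dec/enc lines


@dataclass
class Tunnel:
    name: str
    local_gw: str
    remote_gw: str
    fields: dict = field(default_factory=dict)

    @property
    def is_up(self):
        # A phase 2 SA exists and the tunnel is accepting traffic.
        return int(self.fields.get("sa", "0")) >= 1 and self.fields.get("accept_traffic") == "1"

    @property
    def txp(self):
        return int(self.fields.get("txp", "0"))


def parse_aggregate_list(text):
    """{agg_name: {"algo", "member_count", "run_tally", "members"}} from ipsec-aggregate list."""
    aggs, cur = {}, None
    for line in text.splitlines():
        m = AGG_HDR.match(line.strip())
        if m:
            cur = {"algo": m.group(2), "member_count": int(m.group(3)),
                   "run_tally": int(m.group(4)), "members": []}
            aggs[m.group(1)] = cur
        elif cur is not None and line.strip():
            cur["members"].extend(line.split())  # member names follow the header line
    return aggs


def parse_tunnel_list(text):
    """One Tunnel per name=... block of `diagnose vpn tunnel list`."""
    tunnels, cur = [], None
    for line in text.splitlines():
        m = TUN_HDR.match(line.strip())
        if m:
            cur = Tunnel(m.group(1), m.group(2), m.group(3))
            tunnels.append(cur)
        if cur is not None:
            for k, v in KV.findall(line):
                cur.fields.setdefault(k, v)
    return tunnels


def aggregate_health(agg_text, tunnel_text, agg_name):
    """Per-member status ("up", "no-sa", "missing") and share of transmitted packets."""
    agg = parse_aggregate_list(agg_text)[agg_name]
    by_name = {t.name: t for t in parse_tunnel_list(tunnel_text)}
    status, txp = {}, {}
    for m in agg["members"]:
        t = by_name.get(m)
        status[m] = "missing" if t is None else ("up" if t.is_up else "no-sa")
        txp[m] = t.txp if t else 0
    total = sum(txp.values())
    share = {m: (txp[m] / total if total else 0.0) for m in txp}
    return {"algo": agg["algo"], "status": status, "tx_share": share}


def redact_keys(text):
    """Strip SA key bytes so the diagnose output can be shared safely."""
    return KEY_MATERIAL.sub(r"\1 <redacted>", text)


if __name__ == "__main__":
    print(aggregate_health(SAMPLE_AGG, SAMPLE_TUNNELS, "agg1"))
    print(redact_keys(SAMPLE_TUNNELS))
```

With an L3 aggregate and both members established, tx_share should be roughly even; a member reported as no-sa or with a share near zero means packets are not actually being distributed, regardless of what the aggregate's run_tally says.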

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on "SDWAN Advanced – FortiOS 6.2.0"

  1. Mark Reid

    I am trying to find documentation and some understanding on the different algorithms: L3, L4, round-robin, and redundant. I have two WAN links to each site: an expensive, good connection and a cheap, not-as-good connection. I want my good connection to always be primary unless there is significant packet loss. Can I accomplish this in 6.2 using this method? My next question would be: is there any way to solve this problem using 6.0.8, as I am not quite ready to upgrade to 6.2 yet, unless I have to in order to solve my problem?

