IPsec aggregate to achieve redundancy and traffic load-balancing
This recipe gives a sample configuration that uses IPsec aggregate to achieve redundancy and traffic load-balancing:
- Multiple site-to-site IPsec VPN (net-device disable) tunnel interfaces as members of the ipsec-aggregate interface
- Four load-balancing algorithms: round-robin (default), L3, L4, redundant

The following shows the sample network topology for this recipe:
As only partial configuration can be completed from the GUI, it is recommended to achieve this configuration via the CLI commands as shown below.
To configure IPsec aggregate to achieve redundancy and traffic load-balancing using the CLI:
- Configure the WAN interfaces and static routes. Each FortiGate has two WAN interfaces connected to different ISPs. The ISP1 link is for the primary FortiGate and the ISP2 link is for the secondary FortiGate.
- Configure HQ1:
    config system interface
        edit "port1"
            set alias to_ISP1
            set ip 172.16.200.1 255.255.255.0
        next
        edit "port2"
            set alias to_ISP2
            set ip 172.17.200.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 172.16.200.3
            set device "port1"
        next
        edit 2
            set gateway 172.17.200.3
            set device "port2"
            set priority 100
        next
    end
- Configure HQ2:
    config system interface
        edit "port25"
            set alias to_ISP1
            set ip 172.16.202.1 255.255.255.0
        next
        edit "port26"
            set alias to_ISP2
            set ip 172.17.202.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 172.16.202.2
            set device "port25"
        next
        edit 2
            set gateway 172.17.202.2
            set device "port26"
            set priority 100
        next
    end
- Configure the internal (protected subnet) interface:
- Configure HQ1:
    config system interface
        edit "dmz"
            set ip 10.1.100.1 255.255.255.0
        next
    end
- Configure HQ2:
    config system interface
        edit "port9"
            set ip 172.16.101.1 255.255.255.0
        next
    end
- Configure the IPsec phase-1 and phase-2 interfaces. On each FortiGate, configure two site-to-site phase-1 interfaces with net-device disable:
- Configure HQ1:
    config vpn ipsec phase1-interface
        edit "pri_HQ2"
            set interface "port1"
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 172.16.202.1
            set psksecret sample1
        next
        edit "sec_HQ2"
            set interface "port2"
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 172.17.202.1
            set psksecret sample2
        next
    end
    config vpn ipsec phase2-interface
        edit "pri_HQ2"
            set phase1name "pri_HQ2"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set auto-negotiate enable
        next
        edit "sec_HQ2"
            set phase1name "sec_HQ2"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set auto-negotiate enable
        next
    end
- Configure HQ2:
    config vpn ipsec phase1-interface
        edit "pri_HQ1"
            set interface "port25"
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 172.16.200.1
            set psksecret sample1
        next
        edit "sec_HQ1"
            set interface "port26"
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 172.17.200.1
            set psksecret sample2
        next
    end
    config vpn ipsec phase2-interface
        edit "pri_HQ1"
            set phase1name "pri_HQ1"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set auto-negotiate enable
        next
        edit "sec_HQ1"
            set phase1name "sec_HQ1"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set auto-negotiate enable
        next
    end
- Configure the ipsec-aggregate interface, listing both phase-1 interfaces as members:
- Configure HQ1:
    config system ipsec-aggregate
        edit "agg_HQ2"
            set member "pri_HQ2" "sec_HQ2"
        next
    end
- Configure HQ2:
    config system ipsec-aggregate
        edit "agg_HQ1"
            set member "pri_HQ1" "sec_HQ1"
        next
    end
- Configure the firewall policies. Traffic is matched against the aggregate interface, not the individual member tunnels:
- Configure HQ1:
    config firewall policy
        edit 1
            set name "inbound"
            set srcintf "agg_HQ2"
            set dstintf "dmz"
            set srcaddr "172.16.101.0"
            set dstaddr "10.1.100.0"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 2
            set name "outbound"
            set srcintf "dmz"
            set dstintf "agg_HQ2"
            set srcaddr "10.1.100.0"
            set dstaddr "172.16.101.0"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
- Configure HQ2:
    config firewall policy
        edit 1
            set name "inbound"
            set srcintf "agg_HQ1"
            set dstintf "port9"
            set srcaddr "10.1.100.0"
            set dstaddr "172.16.101.0"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 2
            set name "outbound"
            set srcintf "port9"
            set dstintf "agg_HQ1"
            set srcaddr "172.16.101.0"
            set dstaddr "10.1.100.0"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
- Assign an IP address to the ipsec-aggregate interface. In this example, OSPF runs over the ipsec-aggregate interface, so each side needs a tunnel IP address and the remote-ip of its peer. No IP address is required when static routes are used instead.
- Configure HQ1:
    config system interface
        edit "agg_HQ2"
            set ip 10.10.10.1 255.255.255.255
            set remote-ip 10.10.10.2 255.255.255.255
        next
    end
- Configure HQ2:
    config system interface
        edit "agg_HQ1"
            set ip 10.10.10.2 255.255.255.255
            set remote-ip 10.10.10.1 255.255.255.255
        next
    end
- Configure OSPF:
- Configure HQ1:
    config router ospf
        set router-id 1.1.1.1
        config area
            edit 0.0.0.0
            next
        end
        config network
            edit 1
                set prefix 10.1.100.0 255.255.255.0
            next
            edit 2
                set prefix 10.10.10.0 255.255.255.0
            next
        end
    end
- Configure HQ2:
    config router ospf
        set router-id 2.2.2.2
        config area
            edit 0.0.0.0
            next
        end
        config network
            edit 1
                set prefix 172.16.101.0 255.255.255.0
            next
            edit 2
                set prefix 10.10.10.0 255.255.255.0
            next
        end
    end
- Run diagnose commands to verify that both member tunnels are up and that the aggregate is being used for routing:
- Run the diagnose vpn ike gateway list command. The system should return the following:
    vd: root/0
    name: pri_HQ2
    version: 1
    interface: port1 11
    addr: 172.16.200.1:500 -> 172.16.202.1:500
    created: 1520s ago
    IKE SA: created 1/2  established 1/1  time 10/10/10 ms
    IPsec SA: created 2/2  established 1/1  time 0/0/0 ms

      id/spi: 173 dcdede154681579b/e32f4c48c4349fc0
      direction: responder
      status: established 1498-1498s ago = 10ms
      proposal: aes128-sha256
      key: d7230a68d7b83def-588b94495cfa9d38
      lifetime/rekey: 86400/84631
      DPD sent/recv: 0000000d/00000006

    vd: root/0
    name: sec_HQ2
    version: 1
    interface: port2 12
    addr: 172.17.200.1:500 -> 172.17.202.1:500
    created: 1520s ago
    IKE SA: created 1/2  established 1/1  time 10/10/10 ms
    IPsec SA: created 2/2  established 1/1  time 0/0/0 ms

      id/spi: 174 a567bd7bf02a04b5/4251b6254660aee2
      direction: responder
      status: established 1498-1498s ago = 10ms
      proposal: aes128-sha256
      key: 9f44f500c28d8de6-febaae9d1e6a164c
      lifetime/rekey: 86400/84631
      DPD sent/recv: 00000008/0000000c
- Run the diagnose vpn tunnel list command. The system should return the following:
    list all ipsec tunnel in vd 0
    name=sec_HQ2 ver=1 serial=2 172.17.200.1:0->172.17.202.1:0
    bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=1 accept_traffic=1
    proxyid_num=1 child_num=0 refcnt=7 ilast=5 olast=5 ad=/0
    stat: rxp=39 txp=40 rxb=5448 txb=2732
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=15
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=sec_HQ2 proto=0 sa=1 ref=2 serial=2 auto-negotiate
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=41230/0B replaywin=2048
           seqno=29 esn=0 replaywin_lastseq=00000028 itn=0
      life: type=01 bytes=0/0 timeout=42899/43200
      dec: spi=1071b4f9 esp=aes key=16 1f4dbb78bea8e97650b52d8170b5ece7
           ah=sha1 key=20 cd9bf2de0f49296cf489dd915d7baf6d78bc8f12
      enc: spi=ec89b7ee esp=aes key=16 0546efecd0d1b9ba5944f635896e4404
           ah=sha1 key=20 34599bc7dc25e1ce63ac9615bd50928ce0667dc8
      dec:pkts/bytes=39/2796, enc:pkts/bytes=40/5456

    name=pri_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
    bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=1 accept_traffic=1
    proxyid_num=1 child_num=0 refcnt=5 ilast=15 olast=15 ad=/0
    stat: rxp=38 txp=39 rxb=5152 txb=2768
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=20
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=pri_HQ2 proto=0 sa=1 ref=2 serial=2 auto-negotiate
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=41231/0B replaywin=2048
           seqno=28 esn=0 replaywin_lastseq=00000027 itn=0
      life: type=01 bytes=0/0 timeout=42900/43200
      dec: spi=1071b4f8 esp=aes key=16 142cce377b3432ba41e64128ade6848c
           ah=sha1 key=20 20e64947e2397123f561584321adc0e7aa0c342d
      enc: spi=ec89b7ed esp=aes key=16 2ec13622fd60dacce3d28ebe5fe7ab14
           ah=sha1 key=20 c1787497508a87f40c73c0db0e835c70b3c3f42d
      dec:pkts/bytes=38/2568, enc:pkts/bytes=39/5432
- Run the diagnose sys ipsec-aggregate list command. The system should return the following (algo=RR is the default round-robin algorithm, and run_tally shows how many members are currently running):
    agg_HQ2 algo=RR member=2 run_tally=2 members: pri_HQ2 sec_HQ2
- Run the get router info ospf neighbor command. The system should return the following:
    OSPF process 0, VRF 0:
    Neighbor ID     Pri   State      Dead Time   Address        Interface
    2.2.2.2           1   Full/ -    00:00:34    10.10.10.2     agg1_HQ2
- Run the get router info routing-table ospf command. The system should return the following:
    Routing table for VRF=0
    O       172.16.101.0/24 [110/20] via 10.10.10.2, agg1_HQ2, 00:18:43
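As an added example (not part of the recipe, and not FortiOS code), the following Python script parses the diagnose vpn ike gateway list and diagnose sys ipsec-aggregate list output shown above and reports whether every member of the aggregate has an established IKE SA and IPsec SA and whether run_tally matches the configured member count. The embedded excerpts are trimmed copies of this page's sample output from HQ1, and the line patterns the parser relies on are assumptions taken from that sample.

```python
import re

# Constructed excerpts of the recipe's sample diagnose output from HQ1 (the
# per-gateway SA/key detail lines are trimmed). Parsers are an added helper.
AGG_LIST = "agg_HQ2 algo=RR member=2 run_tally=2 members: pri_HQ2 sec_HQ2\n"
IKE_GW_LIST = """\
vd: root/0 name: pri_HQ2 version: 1 interface: port1 11
addr: 172.16.200.1:500 -> 172.16.202.1:500 created: 1520s ago
IKE SA: created 1/2 established 1/1 time 10/10/10 ms
IPsec SA: created 2/2 established 1/1 time 0/0/0 ms
vd: root/0 name: sec_HQ2 version: 1 interface: port2 12
addr: 172.17.200.1:500 -> 172.17.202.1:500
created: 1520s ago
IKE SA: created 1/2 established 1/1 time 10/10/10 ms
IPsec SA: created 2/2 established 1/1 time 0/0/0 ms
"""

AGG_RE = re.compile(r"(\S+) algo=(\S+) member=(\d+) run_tally=(\d+) members: (.*)")
SA_RE = re.compile(r"(IKE|IPsec) SA: created \d+/\d+ established (\d+)/(\d+)")

def parse_aggregates(text):
    """Map each aggregate name to its algorithm, member count, run_tally and members."""
    aggs = {}
    for line in text.splitlines():
        if m := AGG_RE.match(line):
            aggs[m.group(1)] = {"algo": m.group(2), "member": int(m.group(3)),
                                "run_tally": int(m.group(4)), "members": m.group(5).split()}
    return aggs

def parse_ike_gateways(text):
    """Map each phase-1 name to whether it has an established IKE SA and IPsec SA."""
    gws, cur = {}, None
    for line in text.splitlines():
        if line.startswith("vd:"):  # each "vd:" line starts a new gateway record
            name = re.search(r"name: (\S+)", line).group(1)
            cur = gws.setdefault(name, {"ike_up": False, "ipsec_up": False})
            continue
        if (m := SA_RE.match(line)) and cur is not None:
            cur["ike_up" if m.group(1) == "IKE" else "ipsec_up"] = int(m.group(2)) >= 1
    return gws

def check_aggregate(agg_name, agg_text, gw_text):
    """Return (healthy, down_members); healthy needs every member fully established
    and run_tally equal to the configured member count."""
    agg = parse_aggregates(agg_text)[agg_name]
    gws = parse_ike_gateways(gw_text)
    down = [m for m in agg["members"]
            if not (gws.get(m, {}).get("ike_up") and gws.get(m, {}).get("ipsec_up"))]
    healthy = not down and agg["run_tally"] == agg["member"] == len(agg["members"])
    return healthy, down
```

Running check_aggregate("agg_HQ2", AGG_LIST, IKE_GW_LIST) against the page's output reports the aggregate healthy; a member whose IKE SA shows established 0/1 is listed as down, which is the condition to alert on before the second link also fails.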
Hello Mike,
First, hope you're fine.
I've some questions about IPsec tunnels.
I'm actually using IPsec redundant aggregate (FortiOS 6.4.10), but I'm not sure about the best configuration to choose:
IPsec aggregate
or
IPsec tunnels with low cost routing and link monitor.
Second question, with aggregate IPsec, do we really need to configure OSPF?
Thanks,
Jean-Luc
Hi, I'm working with aggregate, but I am checking that after disabling the interface where the IPsec peer is bound, the other peer shows the VPN IPsec up. After changing the encryption and DH groups the VPN IPsec status works, do you know why?