IPsec aggregate to achieve redundancy and traffic load-balancing

This recipe gives a sample configuration that uses IPsec aggregate to achieve redundancy and traffic load-balancing:

- Multiple site-to-site IPsec VPN tunnel interfaces (net-device disable) as members of an ipsec-aggregate
- Four load-balancing algorithms: round-robin (default), L3, L4, redundant

The following shows the sample network topology for this recipe:

As only a partial configuration can be completed from the GUI, it is recommended to complete this configuration with the CLI commands shown below.
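Before the configuration steps, here is an added example that is not part of the original recipe and not FortiOS code: a small Python model of how the four load-balancing algorithms listed above (round-robin, L3, L4, redundant) pick a member tunnel for each packet. The semantics are assumed from the algorithm names (round-robin rotates per packet, L3 hashes source and destination IP, L4 hashes the 5-tuple, redundant uses the first configured member that is up); FortiGate's actual hash function, tie-breaking and failover timing are not described on this page. The member names pri_HQ2 and sec_HQ2 and the protected-subnet addresses come from the recipe; the packet flows, the `Packet`/`Member` types and the `distribute` helper are constructed for this illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Member:
    """One phase-1 tunnel interface that is a member of the aggregate."""
    name: str
    up: bool = True


@dataclass(frozen=True)
class Packet:
    """Header fields the L3 and L4 algorithms are assumed to hash."""
    src: str
    dst: str
    proto: int = 6
    sport: int = 0
    dport: int = 0


class AggregateModel:
    """Simplified model (assumption, not FortiGate's implementation) of member
    selection for the four algorithms named in the recipe. Members that are
    down are skipped by every algorithm."""

    def __init__(self, members, algo="round-robin"):
        self.members = list(members)   # configured order matters for "redundant"
        self.algo = algo
        self._next = 0                 # round-robin cursor

    def _up(self):
        return [m for m in self.members if m.up]

    @staticmethod
    def _hash_pick(key, candidates):
        # Stable hash so every packet of a flow lands on the same member.
        digest = hashlib.sha256(key.encode()).digest()
        return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]

    def select(self, pkt):
        up = self._up()
        if not up:
            raise RuntimeError("no aggregate member is up; traffic cannot be forwarded")
        if self.algo == "redundant":
            return up[0]                      # first configured member that is up
        if self.algo == "round-robin":
            m = up[self._next % len(up)]      # rotate per packet
            self._next += 1
            return m
        if self.algo == "L3":
            return self._hash_pick(f"{pkt.src}>{pkt.dst}", up)
        if self.algo == "L4":
            return self._hash_pick(f"{pkt.src}:{pkt.sport}>{pkt.dst}:{pkt.dport}/{pkt.proto}", up)
        raise ValueError(f"unknown algorithm {self.algo!r}")


def distribute(algo, packets, down=()):
    """Return the member chosen for each packet; `down` names members marked as failed."""
    members = [Member("pri_HQ2", "pri_HQ2" not in down),
               Member("sec_HQ2", "sec_HQ2" not in down)]
    model = AggregateModel(members, algo)
    return [model.select(p).name for p in packets]


# Constructed traffic between the recipe's protected subnets: one TCP flow of
# four packets, and a second flow between the same hosts on a different port.
FLOW_A = [Packet("10.1.100.10", "172.16.101.20", 6, 40000, 443)] * 4
FLOW_B = [Packet("10.1.100.10", "172.16.101.20", 6, 40001, 22)] * 2

if __name__ == "__main__":
    for algo in ("round-robin", "L3", "L4", "redundant"):
        print(f"{algo:12} flow A -> {distribute(algo, FLOW_A)}  flow B -> {distribute(algo, FLOW_B)}")
    print("redundant with pri_HQ2 down ->", distribute("redundant", FLOW_A, down=("pri_HQ2",)))
```

The point of the model is the difference in flow affinity: L3 and L4 keep every packet of a flow on one member, so the two tunnels can have different latency without reordering a TCP stream, while round-robin alternates packet by packet and redundant only moves traffic to the secondary member after the primary is down.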

To configure IPsec aggregate to achieve redundancy and traffic load-balancing using the CLI:

  1. Configure the WAN interfaces and static routes. Each FortiGate has two WAN interfaces connected to different ISPs. The ISP1 link is for the primary FortiGate and the ISP2 link is for the secondary FortiGate.
    a. Configure HQ1:

config system interface
    edit "port1"
        set alias to_ISP1
        set ip 172.16.200.1 255.255.255.0
    next
    edit "port2"
        set alias to_ISP2
        set ip 172.17.200.1 255.255.255.0
    next
end

config router static
    edit 1
        set gateway 172.16.200.3
        set device "port1"
    next
    edit 2
        set gateway 172.17.200.3
        set device "port2"
        set priority 100
    next
end

    b. Configure HQ2:

config system interface
    edit "port25"
        set alias to_ISP1
        set ip 172.16.202.1 255.255.255.0
    next
    edit "port26"
        set alias to_ISP2
        set ip 172.17.202.1 255.255.255.0
    next
end

config router static
    edit 1
        set gateway 172.16.202.2
        set device "port25"
    next
    edit 2
        set gateway 172.17.202.2
        set device "port26"
        set priority 100
    next
end

  2. Configure the internal (protected subnet) interface:
    a. Configure HQ1:

config system interface
    edit "dmz"
        set ip 10.1.100.1 255.255.255.0
    next
end

    b. Configure HQ2:

config system interface
    edit "port9"
        set ip 172.16.101.1 255.255.255.0
    next
end

  3. Configure the IPsec phase-1 and phase-2 interfaces. On each FortiGate, configure two site-to-site phase-1 interfaces with net-device disable:
    a. Configure HQ1:

config vpn ipsec phase1-interface
    edit "pri_HQ2"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.16.202.1
        set psksecret sample1
    next
    edit "sec_HQ2"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.17.202.1
        set psksecret sample2
    next
end

config vpn ipsec phase2-interface
    edit "pri_HQ2"
        set phase1name "pri_HQ2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "sec_HQ2"
        set phase1name "sec_HQ2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

    b. Configure HQ2:

config vpn ipsec phase1-interface
    edit "pri_HQ1"
        set interface "port25"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.16.200.1
        set psksecret sample1
    next
    edit "sec_HQ1"
        set interface "port26"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.17.200.1
        set psksecret sample2
    next
end

config vpn ipsec phase2-interface
    edit "pri_HQ1"
        set phase1name "pri_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "sec_HQ1"
        set phase1name "sec_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

  4. Configure the ipsec-aggregate:
    a. Configure HQ1:

config system ipsec-aggregate
    edit "agg_HQ2"
        set member "pri_HQ2" "sec_HQ2"
    next
end

    b. Configure HQ2 (the members are the two phase-1 interfaces configured in step 3, pri_HQ1 and sec_HQ1):

config system ipsec-aggregate
    edit "agg_HQ1"
        set member "pri_HQ1" "sec_HQ1"
    next
end

  5. Configure the firewall policies:
    a. Configure HQ1:

config firewall policy
    edit 1
        set name "inbound"
        set srcintf "agg_HQ2"
        set dstintf "dmz"
        set srcaddr "172.16.101.0"
        set dstaddr "10.1.100.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "outbound"
        set srcintf "dmz"
        set dstintf "agg_HQ2"
        set srcaddr "10.1.100.0"
        set dstaddr "172.16.101.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

    b. Configure HQ2:

config firewall policy
    edit 1
        set name "inbound"
        set srcintf "agg_HQ1"
        set dstintf "port9"
        set srcaddr "10.1.100.0"
        set dstaddr "172.16.101.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "outbound"
        set srcintf "port9"
        set dstintf "agg_HQ1"
        set srcaddr "172.16.101.0"
        set dstaddr "10.1.100.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

  6. Assign an IP address to the ipsec-aggregate interface. In this example, OSPF runs over the ipsec-aggregate interface, so it needs an address. No IP address is required when static routes are used.
    a. Configure HQ1:

config system interface
    edit "agg_HQ2"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2 255.255.255.255
    next
end

    b. Configure HQ2:

config system interface
    edit "agg_HQ1"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.255
    next
end

  7. Configure OSPF:
    a. Configure HQ1:

config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.1.100.0 255.255.255.0
        next
        edit 2
            set prefix 10.10.10.0 255.255.255.0
        next
    end
end

    b. Configure HQ2:

config router ospf
    set router-id 2.2.2.2
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 172.16.101.0 255.255.255.0
        next
        edit 2
            set prefix 10.10.10.0 255.255.255.0
        next
    end
end

  8. Run the diagnose commands to verify the configuration (output shown from HQ1):
    a. Run the diagnose vpn ike gateway list command. The system should return the following:

vd: root/0
name: pri_HQ2
version: 1
interface: port1 11
addr: 172.16.200.1:500 -> 172.16.202.1:500
created: 1520s ago
IKE SA: created 1/2  established 1/1  time 10/10/10 ms
IPsec SA: created 2/2  established 1/1  time 0/0/0 ms

  id/spi: 173 dcdede154681579b/e32f4c48c4349fc0
  direction: responder
  status: established 1498-1498s ago = 10ms
  proposal: aes128-sha256
  key: d7230a68d7b83def-588b94495cfa9d38
  lifetime/rekey: 86400/84631
  DPD sent/recv: 0000000d/00000006

vd: root/0
name: sec_HQ2
version: 1
interface: port2 12
addr: 172.17.200.1:500 -> 172.17.202.1:500
created: 1520s ago
IKE SA: created 1/2  established 1/1  time 10/10/10 ms
IPsec SA: created 2/2  established 1/1  time 0/0/0 ms

  id/spi: 174 a567bd7bf02a04b5/4251b6254660aee2
  direction: responder
  status: established 1498-1498s ago = 10ms
  proposal: aes128-sha256
  key: 9f44f500c28d8de6-febaae9d1e6a164c
  lifetime/rekey: 86400/84631
  DPD sent/recv: 00000008/0000000c

    b. Run the diagnose vpn tunnel list command. The system should return the following:

list all ipsec tunnel in vd 0
name=sec_HQ2 ver=1 serial=2 172.17.200.1:0->172.17.202.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=1 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=7 ilast=5 olast=5 ad=/0
stat: rxp=39 txp=40 rxb=5448 txb=2732
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=15
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=sec_HQ2 proto=0 sa=1 ref=2 serial=2 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=41230/0B replaywin=2048
      seqno=29 esn=0 replaywin_lastseq=00000028 itn=0
  life: type=01 bytes=0/0 timeout=42899/43200
  dec: spi=1071b4f9 esp=aes key=16 1f4dbb78bea8e97650b52d8170b5ece7
       ah=sha1 key=20 cd9bf2de0f49296cf489dd915d7baf6d78bc8f12
  enc: spi=ec89b7ee esp=aes key=16 0546efecd0d1b9ba5944f635896e4404
       ah=sha1 key=20 34599bc7dc25e1ce63ac9615bd50928ce0667dc8
  dec:pkts/bytes=39/2796, enc:pkts/bytes=40/5456

name=pri_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=1 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=5 ilast=15 olast=15 ad=/0
stat: rxp=38 txp=39 rxb=5152 txb=2768
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=20
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=pri_HQ2 proto=0 sa=1 ref=2 serial=2 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=41231/0B replaywin=2048
      seqno=28 esn=0 replaywin_lastseq=00000027 itn=0
  life: type=01 bytes=0/0 timeout=42900/43200
  dec: spi=1071b4f8 esp=aes key=16 142cce377b3432ba41e64128ade6848c
       ah=sha1 key=20 20e64947e2397123f561584321adc0e7aa0c342d
  enc: spi=ec89b7ed esp=aes key=16 2ec13622fd60dacce3d28ebe5fe7ab14
       ah=sha1 key=20 c1787497508a87f40c73c0db0e835c70b3c3f42d
  dec:pkts/bytes=38/2568, enc:pkts/bytes=39/5432

    c. Run the diagnose sys ipsec-aggregate list command. The system should return the following (both members are running, algo=RR is the default round-robin):

agg_HQ2 algo=RR member=2 run_tally=2 members: pri_HQ2 sec_HQ2

    d. Run the get router info ospf neighbor command. The system should return the following:

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   Full/ -         00:00:34    10.10.10.2      agg1_HQ2

    e. Run the get router info routing-table ospf command. The system should return the following:

Routing table for VRF=0
O       172.16.101.0/24 [110/20] via 10.10.10.2, agg1_HQ2, 00:18:43
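As an added check that is not part of the original recipe and not a FortiOS command: a Python script that parses the diagnose sys ipsec-aggregate list and diagnose vpn tunnel list output shown above and reports whether every member of the aggregate is running, accepting traffic and holding an IPsec SA, which is the state the recipe expects after step 8. The healthy sample input is an excerpt constructed from the output above; the degraded sample is constructed for this example and does not appear in the recipe. The function names (parse_aggregates, parse_tunnels, check_aggregate, traffic_split) are mine. On a real unit the two outputs would be collected over SSH or the REST API and passed in as text.

```python
import re

# Constructed sample input: excerpt of the "diagnose sys ipsec-aggregate list" and
# "diagnose vpn tunnel list" output shown in this recipe (HQ1 side).
AGG_LIST_OK = "agg_HQ2 algo=RR member=2 run_tally=2 members: pri_HQ2 sec_HQ2\n"

TUNNEL_LIST_OK = """list all ipsec tunnel in vd 0
name=sec_HQ2 ver=1 serial=2 172.17.200.1:0->172.17.202.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=1 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=7 ilast=5 olast=5 ad=/0
stat: rxp=39 txp=40 rxb=5448 txb=2732
proxyid=sec_HQ2 proto=0 sa=1 ref=2 serial=2 auto-negotiate
name=pri_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=1 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=5 ilast=15 olast=15 ad=/0
stat: rxp=38 txp=39 rxb=5152 txb=2768
proxyid=pri_HQ2 proto=0 sa=1 ref=2 serial=2 auto-negotiate
"""

# Constructed degraded case (not from the recipe): the secondary member has lost its SA
# and stopped passing traffic, and the aggregate reports only one running member.
AGG_LIST_DEGRADED = "agg_HQ2 algo=RR member=2 run_tally=1 members: pri_HQ2 sec_HQ2\n"
TUNNEL_LIST_DEGRADED = TUNNEL_LIST_OK.replace(
    "frag-rfc run_state=1 accept_traffic=1\nproxyid_num=1 child_num=0 refcnt=7",
    "frag-rfc run_state=0 accept_traffic=0\nproxyid_num=1 child_num=0 refcnt=7",
).replace("proxyid=sec_HQ2 proto=0 sa=1", "proxyid=sec_HQ2 proto=0 sa=0")

# key=value fields worth keeping as integers
INT_KEYS = {"run_state", "accept_traffic", "sa", "rxp", "txp", "rxb", "txb", "bound_if"}


def parse_aggregates(text):
    """Parse 'diagnose sys ipsec-aggregate list' into {aggregate name: fields}."""
    pat = re.compile(r"^(\S+)\s+algo=(\S+)\s+member=(\d+)\s+run_tally=(\d+)\s+members:\s*(.*)$")
    aggs = {}
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            aggs[m.group(1)] = {"algo": m.group(2), "member": int(m.group(3)),
                                "run_tally": int(m.group(4)), "members": m.group(5).split()}
    return aggs


def parse_tunnels(text):
    """Parse 'diagnose vpn tunnel list' into {tunnel name: fields}; a 'name=' line starts a tunnel."""
    tunnels, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^name=(\S+)", line)
        if m:
            cur = {"name": m.group(1), "sa": 0}   # sa is overwritten by the proxyid line
            tunnels[cur["name"]] = cur
        if cur is None:
            continue
        for key, val in re.findall(r"(\w+)=(\S+)", line):
            if key in INT_KEYS and val.isdigit():
                cur[key] = int(val)
    return tunnels


def check_aggregate(agg_name, agg_text, tunnel_text):
    """Return (healthy, findings). Healthy means run_tally equals the member count and every
    member is present, has run_state=1 and accept_traffic=1, and holds at least one IPsec SA."""
    aggs, tunnels = parse_aggregates(agg_text), parse_tunnels(tunnel_text)
    agg = aggs.get(agg_name)
    if agg is None:
        return False, [f"{agg_name}: aggregate not found in ipsec-aggregate list"]
    findings = []
    if agg["run_tally"] < agg["member"]:
        findings.append(f"{agg_name}: run_tally={agg['run_tally']} of member={agg['member']} (redundancy reduced)")
    for name in agg["members"]:
        t = tunnels.get(name)
        if t is None:
            findings.append(f"{name}: no entry in tunnel list")
            continue
        if t.get("run_state") != 1 or t.get("accept_traffic") != 1:
            findings.append(f"{name}: run_state={t.get('run_state')} accept_traffic={t.get('accept_traffic')}")
        if t["sa"] < 1:
            findings.append(f"{name}: no established IPsec SA")
    return (not findings), findings


def traffic_split(agg_name, agg_text, tunnel_text):
    """Transmitted packets per member; with algo=RR the counts should be close to even."""
    aggs, tunnels = parse_aggregates(agg_text), parse_tunnels(tunnel_text)
    return {m: tunnels.get(m, {}).get("txp", 0) for m in aggs[agg_name]["members"]}


if __name__ == "__main__":
    for label, a, t in (("recipe output", AGG_LIST_OK, TUNNEL_LIST_OK),
                        ("degraded", AGG_LIST_DEGRADED, TUNNEL_LIST_DEGRADED)):
        ok, findings = check_aggregate("agg_HQ2", a, t)
        print(label, "healthy" if ok else "DEGRADED", findings, traffic_split("agg_HQ2", a, t))
```

Running this periodically (or on the output of a scheduled CLI script) turns the manual verification in step 8 into a repeatable check: a member that is still listed but has run_state=0, accept_traffic=0 or no SA is exactly the silent loss of redundancy the aggregate is meant to prevent, and the near-equal txp counters on the recipe output confirm that round-robin is actually spreading traffic across both tunnels.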

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

2 thoughts on “IPsec aggregate to achieve redundancy and traffic load-balancing”

  1. Jean-Luc

    Hello Mike,
    First, hope you’re fine.
    I’ve some questions about IPsec tunnels.
    I’m actually using IPsec redundant aggregate (FortiOS 6.4.10), but I’m not sure about the best configuration to choose:
    IPsec Aggregate
    or
    IPsec tunnels with low-cost routing and link monitor.

    Second question, with aggregate IPsec, do we really need to configure OSPF?

    Thanks,
    Jean-Luc
  2. alfonso

    Hi, I’m working with aggregate but I am checking that after disabling the interface where the IPsec peer is bound, the other peer shows the IPsec VPN up. After changing the encryption and DH groups the IPsec VPN status works, do you know why?
