Technical Tip: WAN Optimization over redundant IPsec tunnels
Description
This article describes the steps to configure FortiGate WAN Optimization in a redundant WAN scenario using two IPSec tunnels.
It includes the network diagram, requirements, and configuration of all FortiGate units. It can also apply to any other redundant WAN architecture without IPsec tunnels. This setup is based on active/passive WAN Optimization using an authentication group.
Solution
The following network diagram illustrates this example and how to set up WAN Optimization over redundant IPsec tunnels.

Configuration CLI (only relevant parts)
FGTClient VPN IPsec config
Note: the phase1/phase2 proposals and the pre-shared key must match the FGTServer side; secrets are shown redacted as "ENC ...". The example uses aes256-sha1; prefer a SHA-256 integrity algorithm where both peers support it.
config vpn ipsec phase1-interface
edit "Secondary-p1"
set interface "wan1"
set proposal aes256-sha1
set remote-gw 172.31.17.37
set psksecret ENC ...
next
edit "Primary-p1"
set interface "wan2"
set proposal aes256-sha1
set remote-gw 172.31.193.37
set psksecret ENC ...
next
end
config vpn ipsec phase2-interface
edit "Secondary-p2"
set auto-negotiate enable
set phase1name "Secondary-p1"
set proposal aes256-sha1
next
edit "Primary-p2"
set auto-negotiate enable
set phase1name "Primary-p1"
set proposal aes256-sha1
next
end
FGTClient zones : VPN interfaces and LAN interfaces are put into zones
config system zone
edit "VPN"
set interface "Primary-p1" "Secondary-p1"
next
edit "LAN"
set interface "lan"
next
end
FGTClient routing config
config router static
edit 1
set device "Primary-p1"
set dst 10.112.0.0 255.255.252.0
next
edit 2
set device "Secondary-p1"
set distance 20
set dst 10.112.0.0 255.255.252.0
next
end
FGTClient WANOPT config
Note: the host-id must be unique on each FortiGate, and the same auth-group (name, auth-method and PSK) must exist on both peers or they will not authenticate each other. The profile below applies optimization to HTTP, CIFS, FTP and TCP port 22 only.
config wanopt settings
set host-id "client"
end
config wanopt auth-group
edit "wanopt-auth"
set auth-method psk
set psk ENC …
next
end
config wanopt profile
edit "wanopt-profile"
set auth-group "wanopt-auth"
config http
set status enable
end
config cifs
set status enable
end
config ftp
set status enable
end
config tcp
set status enable
set port 22
end
end
FGTClient Firewall policy
Note: srcaddr/dstaddr "all" and service "ALL" are used for brevity; in production restrict them to the client LAN subnet (10.156.0.0/22), the server subnet (10.112.0.0/22) and the services covered by the WAN Optimization profile. The closing "end" of this config block is omitted in the listing.
config firewall policy
edit 1
set srcintf "LAN"
set dstintf "VPN"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set wanopt enable
set comments "WAN OPT to Server"
set wanopt-profile "wanopt-profile"
next
FGTServer VPN IPsec config (mirrors the FGTClient settings; each remote-gw is the corresponding FGTClient WAN address)
config vpn ipsec phase1-interface
edit "Secondary-p1"
set interface "port1"
set proposal aes256-sha1
set remote-gw 172.31.16.178
set psksecret ENC …
next
edit "Primary-p1"
set interface "port3"
set proposal aes256-sha1
set remote-gw 172.31.192.178
set psksecret ENC …
next
end
config vpn ipsec phase2-interface
edit "Secondary-p2"
set auto-negotiate enable
set phase1name "Secondary-p1"
set proposal aes256-sha1
next
edit "Primary-p2"
set auto-negotiate enable
set phase1name "Primary-p1"
set proposal aes256-sha1
next
end
FGTServer zones : VPN interfaces and LAN interfaces are put into zones
config system zone
edit "VPN"
set interface "Primary-p1" "Secondary-p1"
next
edit "LAN"
set interface "port5"
next
end
FGTServer routing config
config router static
edit 1
set device "Primary-p1"
set dst 10.156.0.0 255.255.252.0
next
edit 2
set device "Secondary-p1"
set distance 20
set dst 10.156.0.0 255.255.252.0
next
end

Configuration CLI (only relevant parts)
FGTClient VPN IPsec config
Note: the phase1/phase2 proposals and the pre-shared key must match the FGTServer side; secrets are shown redacted as "ENC ...". The example uses aes256-sha1; prefer a SHA-256 integrity algorithm where both peers support it.
config vpn ipsec phase1-interface
edit "Secondary-p1"
set interface "wan1"
set proposal aes256-sha1
set remote-gw 172.31.17.37
set psksecret ENC ...
next
edit "Primary-p1"
set interface "wan2"
set proposal aes256-sha1
set remote-gw 172.31.193.37
set psksecret ENC ...
next
end
config vpn ipsec phase2-interface
edit "Secondary-p2"
set auto-negotiate enable
set phase1name "Secondary-p1"
set proposal aes256-sha1
next
edit "Primary-p2"
set auto-negotiate enable
set phase1name "Primary-p1"
set proposal aes256-sha1
next
end
FGTClient zones : VPN interfaces and LAN interfaces are put into zones
config system zone
edit "VPN"
set interface "Primary-p1" "Secondary-p1"
next
edit "LAN"
set interface "lan"
next
end
FGTClient routing config
config router static
edit 1
set device "Primary-p1"
set dst 10.112.0.0 255.255.252.0
next
edit 2
set device "Secondary-p1"
set distance 20
set dst 10.112.0.0 255.255.252.0
next
end
FGTClient WANOPT config
Note: the host-id must be unique on each FortiGate, and the same auth-group (name, auth-method and PSK) must exist on both peers or they will not authenticate each other. The profile below applies optimization to HTTP, CIFS, FTP and TCP port 22 only.
config wanopt settings
set host-id "client"
end
config wanopt auth-group
edit "wanopt-auth"
set auth-method psk
set psk ENC …
next
end
config wanopt profile
edit "wanopt-profile"
set auth-group "wanopt-auth"
config http
set status enable
end
config cifs
set status enable
end
config ftp
set status enable
end
config tcp
set status enable
set port 22
end
end
FGTClient Firewall policy
Note: srcaddr/dstaddr "all" and service "ALL" are used for brevity; in production restrict them to the client LAN subnet (10.156.0.0/22), the server subnet (10.112.0.0/22) and the services covered by the WAN Optimization profile. The closing "end" of this config block is omitted in the listing.
config firewall policy
edit 1
set srcintf "LAN"
set dstintf "VPN"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set wanopt enable
set comments "WAN OPT to Server"
set wanopt-profile "wanopt-profile"
next
FGTServer VPN IPsec config (mirrors the FGTClient settings; each remote-gw is the corresponding FGTClient WAN address)
config vpn ipsec phase1-interface
edit "Secondary-p1"
set interface "port1"
set proposal aes256-sha1
set remote-gw 172.31.16.178
set psksecret ENC …
next
edit "Primary-p1"
set interface "port3"
set proposal aes256-sha1
set remote-gw 172.31.192.178
set psksecret ENC …
next
end
config vpn ipsec phase2-interface
edit "Secondary-p2"
set auto-negotiate enable
set phase1name "Secondary-p1"
set proposal aes256-sha1
next
edit "Primary-p2"
set auto-negotiate enable
set phase1name "Primary-p1"
set proposal aes256-sha1
next
end
FGTServer zones : VPN interfaces and LAN interfaces are put into zones
config system zone
edit "VPN"
set interface "Primary-p1" "Secondary-p1"
next
edit "LAN"
set interface "port5"
next
end
FGTServer routing config
config router static
edit 1
set device "Primary-p1"
set dst 10.156.0.0 255.255.252.0
next
edit 2
set device "Secondary-p1"
set distance 20
set dst 10.156.0.0 255.255.252.0
next
end
FGTServer WANOPT config
Note: the host-id must be unique per peer. The value "client" shown below duplicates the FGTClient host-id; the peer list in the verification section identifies this unit as "server", so FGTServer should use host-id "server". The auth-group must be identical to the one on FGTClient.
config wanopt settings
set host-id "client"
end
config wanopt auth-group
edit "wanopt-auth"
set auth-method psk
set psk ENC ...
next
end
FGTServer WANOPT tunnel policy (from the "wanopt" tunnel interface to the LAN zone; required so traffic leaving the WAN Optimization tunnel reaches the servers)
Note: the all/ALL matching is for brevity; in production restrict dstaddr to 10.112.0.0/22 and the service list to what is actually optimized.
config firewall policy
edit 5
set srcintf "wanopt"
set dstintf "LAN"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
FGTServer: WAN Optimization passive policy, allowing optimized traffic from the client side toward the server side
config firewall policy
edit 3
set srcintf "VPN"
set dstintf "LAN"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set wanopt enable
set wanopt-detection passive
next
end
Verification of Configuration and troubleshooting
FGTClient: Verify route toward server subnet (10.112.0.0/22)
FGTClient # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
S *> 0.0.0.0/0 [10/0] via 172.31.19.254, wan1
S 10.112.0.0/22 [20/0] is directly connected, Secondary-p1
S *> 10.112.0.0/22 [10/0] is directly connected, Primary-p1
C *> 10.156.0.0/22 is directly connected, lan
C *> 50.10.10.0/24 is directly connected, dmz
C *> 172.31.16.0/22 is directly connected, wan1
C *> 172.31.192.0/22 is directly connected, wan2
FGTServer: Verify route toward client subnet (10.156.0.0/22)
FGTServer # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
S *> 0.0.0.0/0 [10/0] via 172.31.19.254, port1
C *> 10.112.0.0/22 is directly connected, port5
S 10.156.0.0/22 [20/0] is directly connected, Secondary-p1
S *> 10.156.0.0/22 [10/0] is directly connected, Primary-p1
C *> 172.31.16.0/22 is directly connected, port1
C *> 172.31.192.0/22 is directly connected, port3
WAN optimization verification (GUI interface is available under the version 5.0)
• Send HTTP, SSH, FTP traffic from the client toward the server.
• The WAN Optimization statistics can be monitored from the GUI (Web Based Manager) under WanOpt. --> Monitor:
GUI interface WAN Optimization
CLI verification :
FGTClient # diagnose test application wad 26
name: server, vd: 0, ip: 0.0.0.0 ref: 4 type:auto
traffic:
client: LAN in:55124, LAN out:316649, WAN in:215482, WAN out:16000
gateway: LAN in:0, LAN out:0, WAN in:0, WAN out:0
client 0x2a986a6078, server 0x2a986a6098
total peers: 1, manual peers: 0 auto peers: 1
FGTServer # diagnose test application wad 26
name: client, vd: 0, ip: 0.0.0.0 ref: 4 type:auto
traffic:
client: LAN in:0, LAN out:0, WAN in:0, WAN out:0
gateway: LAN in:321405, LAN out:55124, WAN in:16000, WAN out:221494
client 0x2a98aa7078, server 0x2a98aa7098
total peers: 1, manual peers: 0 auto peers: 1
Bring down the primary IPsec tunnel, then verify the routing table and WAN Optimization
• Routing table :
FGTClient # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
S *> 0.0.0.0/0 [10/0] via 172.31.19.254, wan1
S *> 10.112.0.0/22 [20/0] is directly connected, Secondary-p1
S 10.112.0.0/22 [10/0] is directly connected, Primary-p1 inactive
C *> 10.156.0.0/22 is directly connected, lan
C *> 50.10.10.0/24 is directly connected, dmz
C *> 172.31.16.0/22 is directly connected, wan1
FGTServer # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
S *> 0.0.0.0/0 [10/0] via 172.31.19.254, port1
C *> 10.112.0.0/22 is directly connected, port5
S *> 10.156.0.0/22 [20/0] is directly connected, Secondary-p1
S 10.156.0.0/22 [10/0] is directly connected, Primary-p1 inactive
C *> 172.31.16.0/22 is directly connected, port1
C *> 172.31.192.0/22 is directly connected, port3
• WAN Optimization (GUI interface is available under the version 5.0):
GUI interface WAN Optimization
FGTClient # diagnose test application wad 26
name: server, vd: 0, ip: 0.0.0.0 ref: 7 type:auto
traffic:
client: LAN in:76762, LAN out:622216, WAN in:518994, WAN out:25152
gateway: LAN in:0, LAN out:0, WAN in:0, WAN out:0
client 0x2a986a6078, server 0x2a986a6098
total peers: 1, manual peers: 0 auto peers: 1
FGTServer # diagnose test application wad 26
name: client, vd: 0, ip: 0.0.0.0 ref: 7 type:auto
traffic:
client: LAN in:0, LAN out:0, WAN in:0, WAN out:0
gateway: LAN in:620824, LAN out:76762, WAN in:25152, WAN out:518022
client 0x2a98aa7078, server 0x2a98aa7098
total peers: 1, manual peers: 0 auto peers: 1
Troubleshooting commands
Use the WAD command:
diagnose test application wad <test level>
Example :
23: display all protocols stats
24: flush all protocols stats
26: display all peers
99: restart WAD
Session diagnostics :
diagnose wad session list
Protocol statistics :
diagnose wad stats list
Tunnel diagnostics :
diagnose wad tunnel list
Related Articles
Case study : FortiGate WAN Optimization over IPSec and content inspection in multiple VDOMs
Technical Note : OSPF route redundancy over 2 VPN IPSec tunnels


