anoushiravan
Staff
Article Id 244163
Description In HA FGSP, sessions are synchronized between the HA peers. This article explains how to encrypt the session synchronization traffic between the peers in HA FGSP.
Scope FortiGate
Solution

The 'encryption' feature in the HA cluster setting is used to encrypt the sessions between FGSP peers.

 

In the following example, two FortiGates (one Master, one Slave) are configured as HA FGSP members. The configuration below is valid for firmware version 7.2.x.

 

Note.

In the example below, the connection between the peers is a layer 3 connection.

 

Configuration on Master.

 

- HA setting:

 

Master # config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-nat enable
    set standalone-config-sync enable
    set override disable
end

 

- The interface used for session sync:

 

Master # config system interface
    edit "portA"
        set vdom "root"
        set ip 10.141.1.59 255.255.240.0
        set allowaccess ping https ssh http
        set type physical
    next
end

 

- Configure the peer IP, enable 'encryption', etc.:

 

Master # config system standalone-cluster
    set standalone-group-id 25
    set group-member-id 1
    set encryption enable
    config cluster-peer
        edit 1
            set peerip 10.141.1.60
            set ipsec-tunnel-sync enable
        next
    end
end

 

- Configure an internet access policy:

 

Master # config firewall policy
    edit 1
        set name "Internet"
        set srcintf "port9"
        set dstintf "port25"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

 

- Routing table on the Master:


Master # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

 

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.109.31.254, port25, [1/0]
C 10.108.0.0/20 is directly connected, port9
C 10.109.16.0/20 is directly connected, port25
C 10.141.0.0/20 is directly connected, portA

 

Configuration on Slave unit.

 

- HA setting:

 

Slave # config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-nat enable
    set standalone-config-sync enable
    set override disable
end

 

- The interface used for session sync:

 

Slave # config system interface
    edit "portA"
        set vdom "root"
        set ip 10.141.1.60 255.255.240.0
        set allowaccess ping https ssh http
        set type physical
    next
end

 

- Configure the peer IP, enable 'encryption', etc.:

 

Slave # config system standalone-cluster
    set standalone-group-id 25
    set group-member-id 2
    set encryption enable
    config cluster-peer
        edit 1
            set peerip 10.141.1.59
            set ipsec-tunnel-sync enable
        next
    end
end

 

Result.

 

Pinging a public IP (e.g. 4.2.2.2) was used to show the result:

 

Master # di sniffer packet any "icmp" 4 0 l
interfaces=[any]
filters=[icmp]
2023-01-29 03:56:45.617633 port9 in 10.108.4.80 -> 4.2.2.2: icmp: echo request
2023-01-29 03:56:45.617647 port25 out 10.109.17.59 -> 4.2.2.2: icmp: echo request
2023-01-29 03:56:45.632091 port25 in 4.2.2.2 -> 10.109.17.59: icmp: echo reply
2023-01-29 03:56:45.632099 port9 out 4.2.2.2 -> 10.108.4.80: icmp: echo reply


Result on Master unit:

 

Master # di sys ha fgsp-zone
Local standalone-member-id: 1
FGSP peer_num = 1
peer[1]: standalone-member-id=2, IP=10.141.1.60, vd=root, prio=1

 

Note.

A phase1 and phase2 are created automatically (the peer IPs are the local and remote selectors), and the IKE SA and IPsec SA are synchronized between the HA peers:

 

Master # di vpn ike gateway list

vd: root/0
name: _SESSYNC_1
version: 1
interface: portA 44
addr: 10.141.1.59:500 -> 10.141.1.60:500
tun_id: 10.141.1.60/::10.141.1.60
remote_location: 0.0.0.0
created: 450s ago
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 2/2 established 2/2 time 0/0/0 ms

id/spi: 87 8ac756c088f5ceff/563b3f27368592a1
direction: initiator
status: established 450-450s ago = 0ms
proposal: aes128-sha256
key: 8dc6c723df084979-35d49519c1879f28
lifetime/rekey: 86400/85649
DPD sent/recv: 00000000/00000000

 

Master # di vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=_SESSYNC_1 ver=1 serial=2 10.141.1.59:0->10.141.1.60:0 tun_id=10.141.1.60 tun_id6=::10.141.1.60 dst_mtu=1500 dpd-link=on weight=1
bound_if=44 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=0 olast=0 ad=/0
stat: rxp=1665 txp=2617 rxb=16460 txb=273754
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=_SESSYNC_1 proto=0 sa=2 ref=4 serial=1 auto-negotiate
src: 0:10.141.1.59/255.255.255.255:0
dst: 0:10.141.1.60/255.255.255.255:0
SA: ref=5 options=18227 type=00 soft=0 mtu=1438 expire=42439/0B replaywin=2048
seqno=a38 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=069808f7 esp=aes key=16 79f022a524942147527630ecb2cb0f8a
ah=sha1 key=20 f55367b7ccbc0f3e0df8dc6a85b414ca3aa705db
enc: spi=ff9ccc42 esp=aes key=16 586d1b4dcec1e39f6ba79cccdf2b8e0f
ah=sha1 key=20 3c1e7618c6be1b0ebb31fa144435734a386274ff
dec:pkts/bytes=0/0, enc:pkts/bytes=5231/730794
npu_flag=01 npu_rgwy=10.141.1.60 npu_lgwy=10.141.1.59 npu_selid=2 dec_npuid=0 enc_npuid=2
SA: ref=4 options=18227 type=00 soft=0 mtu=1438 expire=42463/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000680 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42927/43200
dec: spi=06980907 esp=aes key=16 6f0da272b49fca38b534fe20ee6891d9
ah=sha1 key=20 a949d021d5dd324e9e087214c32a668a8ba50d56
enc: spi=ff9ccc32 esp=aes key=16 d49d1867ac67980c841b58b35a78482e
ah=sha1 key=20 99e067d87a91a30ee22c491ea7648c1c2fbc8b78
dec:pkts/bytes=1666/16556, enc:pkts/bytes=0/0
npu_flag=02 npu_rgwy=10.141.1.60 npu_lgwy=10.141.1.59 npu_selid=2 dec_npuid=2 enc_npuid=0
run_tally=0


Master # di sys session list

session info: proto=1 proto_state=00 duration=517 expire=30 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=1:0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu synced f00
statistic(bytes/packets/allow_err): org=24780/413/1 reply=23760/396/1 tuples=2
tx speed(Bps/kbps): 47/0 rx speed(Bps/kbps): 45/0
orgin->sink: org pre->post, reply pre->post dev=38->19/19->38 gwy=10.109.31.254/10.108.4.80
hook=post dir=org act=snat 10.108.4.80:1->4.2.2.2:8(10.109.17.59:60417)
hook=pre dir=reply act=dnat 4.2.2.2:60417->10.109.17.59:0(10.108.4.80:1)
misc=0 policy_id=1 pol_uuid_idx=7473 auth_info=0 chk_client_info=0 vd=0
serial=00014b11 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=148/175, ipid=175/148, vlan=0x0000/0x0000
vlifid=175/148, vtag_in=0x0000/0x0000 in_npu=2/1, out_npu=2/1, fwd_en=0/0, qid=0/2
total session 1

 

Result on Slave unit:

 

Slave # di sys ha fgsp-zone
Local standalone-member-id: 2
FGSP peer_num = 1
peer[1]: standalone-member-id=1, IP=10.141.1.59, vd=root, prio=1


Slave # di vpn ike gateway list

vd: root/0
name: _SESSYNC_1
version: 1
interface: portA 44
addr: 10.141.1.60:500 -> 10.141.1.59:500
tun_id: 10.141.1.59/::10.141.1.59
remote_location: 0.0.0.0
created: 456s ago
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 2/2 established 2/2 time 0/0/0 ms

id/spi: 531 8ac756c088f5ceff/563b3f27368592a1
direction: responder
status: established 456-456s ago = 0ms
proposal: aes128-sha256
key: 8dc6c723df084979-35d49519c1879f28
lifetime/rekey: 86400/85673
DPD sent/recv: 00000000/00000000

 

- The session synchronization traffic between the peer IPs is encrypted.

 

Slave # di vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=_SESSYNC_1 ver=1 serial=2 10.141.1.60:0->10.141.1.59:0 tun_id=10.141.1.59 tun_id6=::10.141.1.59 dst_mtu=1500 dpd-link=on weight=1
bound_if=44 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=0 olast=0 ad=/0
stat: rxp=1665 txp=2462 rxb=16378 txb=237394
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=_SESSYNC_1 proto=0 sa=2 ref=4 serial=1 auto-negotiate
src: 0:10.141.1.60/255.255.255.255:0
dst: 0:10.141.1.59/255.255.255.255:0
SA: ref=5 options=18227 type=00 soft=0 mtu=1438 expire=42429/0B replaywin=2048
seqno=99d esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42901/43200
dec: spi=ff9ccc32 esp=aes key=16 d49d1867ac67980c841b58b35a78482e
ah=sha1 key=20 99e067d87a91a30ee22c491ea7648c1c2fbc8b78
enc: spi=06980907 esp=aes key=16 6f0da272b49fca38b534fe20ee6891d9
ah=sha1 key=20 a949d021d5dd324e9e087214c32a668a8ba50d56
dec:pkts/bytes=0/0, enc:pkts/bytes=4921/649018
npu_flag=01 npu_rgwy=10.141.1.59 npu_lgwy=10.141.1.60 npu_selid=2 dec_npuid=0 enc_npuid=2
SA: ref=4 options=18227 type=00 soft=0 mtu=1438 expire=42456/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000680 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42928/43200
dec: spi=ff9ccc42 esp=aes key=16 586d1b4dcec1e39f6ba79cccdf2b8e0f
ah=sha1 key=20 3c1e7618c6be1b0ebb31fa144435734a386274ff
enc: spi=069808f7 esp=aes key=16 79f022a524942147527630ecb2cb0f8a
ah=sha1 key=20 f55367b7ccbc0f3e0df8dc6a85b414ca3aa705db
dec:pkts/bytes=1666/16474, enc:pkts/bytes=0/0
npu_flag=02 npu_rgwy=10.141.1.59 npu_lgwy=10.141.1.60 npu_selid=2 dec_npuid=2 enc_npuid=0
run_tally=0

 

- The session has been synced:

 

Slave # di sys session list

session info: proto=1 proto_state=00 duration=511 expire=28 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=1:0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00 syn_ses
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=38->19/19->38 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.108.4.80:1->4.2.2.2:8(10.109.17.59:60417)
hook=pre dir=reply act=dnat 4.2.2.2:60417->10.109.17.59:0(10.108.4.80:1)
misc=0 policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=00014b11 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
total session 1
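To confirm from the diagnose output that FGSP sync is actually encrypted and carrying traffic in both directions, the following added Python check (not from the article or from Fortinet) parses abridged 'di vpn ike gateway list' and 'di vpn tunnel list' output. The embedded sample lines are taken from the Master output above, and the peer IPs are the ones configured in this example.

```python
import re

# Constructed sample: abridged output of 'di vpn ike gateway list' and
# 'di vpn tunnel list' as seen on the Master in the article above.
IKE_GATEWAY_LIST = """\
name: _SESSYNC_1
addr: 10.141.1.59:500 -> 10.141.1.60:500
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 2/2 established 2/2 time 0/0/0 ms
direction: initiator
proposal: aes128-sha256
"""
TUNNEL_LIST = """\
name=_SESSYNC_1 ver=1 serial=2 10.141.1.59:0->10.141.1.60:0 tun_id=10.141.1.60
src: 0:10.141.1.59/255.255.255.255:0
dst: 0:10.141.1.60/255.255.255.255:0
dec:pkts/bytes=0/0, enc:pkts/bytes=5231/730794
dec:pkts/bytes=1666/16556, enc:pkts/bytes=0/0
"""

def parse_gateway(text):
    """Pull name, addr, proposal and SA counts out of 'di vpn ike gateway list'."""
    gw = dict(re.findall(r"^(name|addr|proposal): (.*)$", text, re.M))
    sa = re.findall(r"^(IKE|IPsec) SA: created \d+/\d+ established (\d+)/\d+", text, re.M)
    gw.update({k + "_established": int(v) for k, v in sa})
    return gw

def tunnel_counters(text):
    """Sum encrypted and decrypted ESP packet counts over all SAs in 'di vpn tunnel list'."""
    enc = sum(int(n) for n in re.findall(r"enc:pkts/bytes=(\d+)/", text))
    dec = sum(int(n) for n in re.findall(r"dec:pkts/bytes=(\d+)/", text))
    return enc, dec

def check_sessync(ike_text, tunnel_text, local_ip, peer_ip):
    """Return a list of findings; an empty list means sync is encrypted and flowing."""
    gw = parse_gateway(ike_text)
    findings = []
    if not gw.get("name", "").startswith("_SESSYNC_"):
        findings.append("no _SESSYNC_ gateway: 'set encryption enable' is not in effect")
    if gw.get("addr") != f"{local_ip}:500 -> {peer_ip}:500":
        findings.append(f"gateway addr '{gw.get('addr')}' does not match the configured peer IPs")
    if gw.get("IKE_established", 0) < 1:
        findings.append("IKE SA not established")
    if gw.get("IPsec_established", 0) < 2:
        findings.append("fewer than two IPsec SAs established")
    enc, dec = tunnel_counters(tunnel_text)
    if enc == 0 or dec == 0:
        findings.append(f"sync traffic is not flowing in both directions (enc={enc}, dec={dec})")
    return findings

if __name__ == "__main__":
    print(check_sessync(IKE_GATEWAY_LIST, TUNNEL_LIST, "10.141.1.59", "10.141.1.60"))
```

Run the same check on the Slave with the local and peer IPs swapped; a non-empty list points at the first thing to look at before assuming the sessions are being synced in the clear.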

 

 

Related documents:
https://docs.fortinet.com/document/fortigate/6.4.0/cli-reference/109620/system-standalone-cluster
https://docs.fortinet.com/document/fortigate/6.4.7/cli-reference/108620/config-system-standalone-clu...