Cybersecurity Forum


MathGaer
New Contributor

PBR/NAT/Dual WAN/VPN

Good Morning,

I'm stumbling over a problem I cannot solve. Probably just missing something. I cannot get the second VPN up and running on my FortiGate 50E in HA (Active/Standby) mode with 5.6.2.

Here's the setting:

I do have two separate ISPs. Both give me static IP addresses I can and do use for NAT. Also, both PPP-Interfaces do have a static IP address. Both interfaces are up and reachable from the internet.

ISP1 is faster than ISP2 but ISP2 has a higher upload rate. So, I'd like to have my VPN running over the ISP2 and only as a backup over ISP1. But all the other traffic should go over ISP1.

Therefore I configured the PPP2-interface to have the received default route with a distance of 10, the other interface with a distance of 5.

This effectively routes all traffic from internal addresses out of ISP1. I do have two addresses which are policy-routed towards ISP2.

This all works very well. However, my VPN does not.

I configured two VPN-connections with the help of the VPN-wizard. One is configured to be on PPP1 (interface towards ISP1, also known as WAN1) and one on PPP2 (interface towards ISP2 also known as WAN2). Both are identical with the exception of the interface of course:

config vpn ipsec phase1-interface
    edit "Androids"
        set type dynamic
        set interface "wan2"
        set peertype any
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set comments "VPN: Androids (Created by VPN wizard)"
        set dhgrp 2
        set wizard-type dialup-android
        set psksecret ENC XXXX
    next
    edit "Android2"
        set type dynamic
        set interface "wan1"
        set peertype any
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set comments "VPN: Android2 (Created by VPN wizard)"
        set dhgrp 2
        set wizard-type dialup-android
        set psksecret ENC XXXX
    next
end

If I now try to connect a VPN to the address of interface WAN1 everything works all right. VPN is up and running and traffic flows as expected.

If I try to connect to the address of interface WAN2 I get a timeout. A debug shows me that the firewall tries to send a packet back but cannot find a route for the address (error 101). Now, this is odd because there is a default route pointing towards ISP1 over interface WAN1. And I know that this provider does allow ISP2 addresses to flow through its network. Also, a traceroute with the source address set to the IP address of interface WAN2 leads to the same result, "no route to network". But that should actually go out interface WAN2, shouldn't it?

I tried to set up a policy route (source-Interface WAN2, source-add IP-wan2, dest any, outgoing WAN2) but that did not help.

What am I doing wrong here?

I do not want to change the default routes because that would create too much overhead in routing (I do not explain other internal settings here)...

Mathias

Marco
New Contributor III

Hi Mathias

I think you have to set the distance to the same value (wan1 and wan2: 10) and use different values for the priority (wan1: 10, wan2: 20).

http://cookbook.fortinet.com/redundant-internet-basic-failover-56/

Under Advanced Options, set the Priority to a low number (in this example, 5). The route with a smaller value will have a higher priority. This route will be preferred over the route you will configure for your secondary backup ISP.


Marco
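The two static-route layouts side by side, as an added example rather than configuration taken from the post or the cookbook; the gateway addresses are placeholders, and the "before" block mirrors the distance-based setup described in the question.

```text
# Before: different distances. Only the distance-5 route is active in the
# routing table; the wan2 default route sits inactive in the route database,
# so locally generated traffic bound to wan2 has no usable exit route.
config router static
    edit 3
        set device "wan1"
        set gateway <ISP1-GATEWAY>    # placeholder
        set distance 5
    next
    edit 4
        set device "wan2"
        set gateway <ISP2-GATEWAY>    # placeholder
        set distance 10
    next
end

# After: equal distance, different priority. Both default routes stay active;
# the route with the lower priority value (wan1) is preferred for new
# sessions, while the wan2 route remains installed for traffic bound to wan2.
config router static
    edit 3
        set device "wan1"
        set gateway <ISP1-GATEWAY>
        set distance 10
        set priority 5
    next
    edit 4
        set device "wan2"
        set gateway <ISP2-GATEWAY>
        set distance 10
        set priority 10
    next
end

# Verify that both default routes are now active (not only in the database):
get router info routing-table all
get router info routing-table database
```

Later in this thread Mathias reports that the equal-distance/different-priority layout alone did not clear the error 101 in his case, so check the active routing table after the change rather than assuming it.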

MathGaer
New Contributor

Hi

thank you for that idea.

Unfortunately it does not work. Result is always:

ike 0:Androids:375045: could not send IKE
Packet(ident_r1send):213.188.106.86:500->49.195.122.59:2191, len=188:
error 101:Network is unreachable

When I change the priorities of the static routes (or the AD) from one
wan to the other, the tunnel changes too, then the above error is on the
other side.

Oh well...

It really looks like I have to take the pain and reverse ALL routing
decisions... That does mean a lot of PFR's to be configured...

Mathias


On 27.02.2018 07:30, Marco Widmer via Firewall: wrote:

--
Sachverständigenbüro Prof. Pausch & Partner
Dipl-Ing. Mathias Gärtner
CCIE #11220 (emeritus)
Publicly appointed and sworn expert, certified by the Chamber of Industry and Commerce, for information technology systems and applications in the field of network engineering
Heinheimer Strasse 38
D-64289 Darmstadt
Tel: +49-6151/97 12 640
Fax: +49-6151/97 12 641
VAT ID: DE212108421

MichaelBazy
New Contributor III

It really looks like you configured distances and not priorities. Equal distances and different priorities are precisely made for that kind of use case.

Can you please share your settings for wan1/wan2? As well as sd-wan... Just want to check.

Last idea : did you implement RPF in strict mode ? 

MathGaer

Hi,

I tried both! And yes, one should think so, but either I did something
wrong (very good chance for that) or the system did not read its
manual... Currently the settings are:

config system interface
    edit "wan1"
        set vdom "root"
        set mode pppoe
        set distance 10
        set allowaccess ping
        set type physical
        set alias "Outside-QSC"
        set role wan
        set snmp-index 1
        config ipv6
            set ip6-mode pppoe
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint XXXX::/48
            set autoconf enable
        end
        set username "XXXXX"
        set password ENC XXXX
        set dns-server-override disable
    next
    edit "wan2"
        set vdom "root"
        set mode pppoe
        set distance 10
        set allowaccess ping
        set type physical
        set alias "Outside-HSE"
        set role wan
        set snmp-index 2
        config ipv6
            set ip6-mode pppoe
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint XXXX
            set autoconf enable
        end
        set username "XXXX"
        set password ENC XXXXX
        set dns-server-override disable
    next
end


config router static
    edit 1    <- some internal network over the tunnel
        set dst XXXX 255.255.255.0
        set device "Bangor2"
    next
    edit 2    <- some internal network over the tunnel
        set dst XXXX 255.255.255.0
        set device "Bangor2"
    next
    edit 3
        set gateway A.B.C.D    <- GW address for ISP behind WAN1, verified by the received default GW on PPPoE
        set priority 5
        set device "wan1"
    next
    edit 4
        set gateway D.E.F.G    <- GW address for ISP behind WAN2, verified by the received default GW on PPPoE
        set priority 10
        set device "wan2"
    next
end




On 01.03.2018 08:17, Michael Bazy via Firewall: wrote:


MathGaer

Sorry,

didn't answer the question.

1. I do not use SD WAN

2. I use RPF in non-strict mode (default) and asymmetric routing enabled

Mathias


On 01.03.2018 08:17, Michael Bazy via Firewall: wrote:


Marco
New Contributor III

Hi Mathias

looks good so far. Please verify if you're able to ping both WAN IPs from an external site. Do you receive an answer from both IP addresses?

Marco

MathGaer
New Contributor

Yes, can confirm that.

Both external IPs are reachable and accessible. THIS is not the problem.

That is the problem I'm having. In theory it should work but the
firewall always gives me error 101 when trying to establish a VPN
connection to one of the specific interfaces.

If I reverse the priority (or AD) settings of the default route, the VPN
problem moves. That means the general VPN setting is correct.

Mathias


On 01.03.2018 09:49, Marco Widmer via Firewall: wrote:
