FortiGate
rmetzger (Staff)
Article Id 197008
Purpose
This article describes how to implement WAN Optimization over IPsec together with UTM (content inspection) features.

Details about WAN Optimization can be found in the FortiGate WAN Optimization, Web Cache and Web Proxy documentation.


Scope
FortiOS 4.0MR1 and above

Diagram
This case study is based on the following network scenario:
[Diagram: rmetzger_FD32430_FD32430.jpg]
The link between the VDOMs is an inter-VDOM link (called IVL on the diagram).

Expectations, Requirements
  • The traffic from the client to the central site (internal server side) must be encrypted, and the TCP traffic optimized.
  • The traffic from the client to the Internet or to the central site must be inspected. This example uses a simple URL filtering rule to block access to http://eicar.org.
  • Source IP addresses of the client and of the server must not be modified (no NAT; WANOpt in transparent mode).
  • The management VDOM is the 'Internet' VDOM on the FortiGate called Remote_FGT1.
  • In the solution presented, the client side is a FortiGate with multiple VDOMs. The VDOM 'LAN' performs the content inspection, and the VDOM 'Internet' controls Internet access, the IPsec tunnel and the WAN Optimization to the central site.

Note: if firewall traffic shaping is required, the WAN Optimization rules must be set to client/server (active-passive) and transparent mode.

Configuration
FortiGate 1 (client side, called Remote_FGT1) CLI configuration (only the relevant parts are displayed). Before reusing it: replace the psksecret values with your own pre-shared key (the 'ENC' strings below are the encrypted values of the example units); the policies use 'all' addresses and the 'ANY' service for brevity, so restrict them to the subnets and services actually needed; the allowaccess lists include http and telnet for the lab, whereas management access in production should be limited to https and ssh; and 3DES is a legacy cipher, so keep only the AES proposal (both peers here support aes128-sha1).


GLOBAL SETTINGS

config system global
    set hostname "Remote_FGT1"
    set management-vdom "Internet"
end

config system vdom-link
    edit "Lan2INet"
    next
end

config system interface
    edit "port14"
        set vdom "Internet"
        set ip 172.31.224.178 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next
    edit "port16"
        set vdom "LAN"
        set ip 10.160.0.178 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next
    edit "Lan2INet0"
        set vdom "LAN"
        set ip 192.168.1.1 255.255.255.0
        set type vdom-link
    next
    edit "Lan2INet1"
        set vdom "Internet"
        set ip 192.168.1.2 255.255.255.0
        set type vdom-link
    next
end



VDOM "LAN"

config webfilter urlfilter
    edit 1
        set name "no_eicar"
        config entries
            edit "eicar.org"
                set action block
            next
        end
    next
end

config firewall profile
    edit "web"
        config log
            set log-web-url enable
        end
        set http urlfilter
        set https urlfilter
        set weburlfiltertable 1
    next
end

config firewall policy
    edit 1
        set srcintf "port16"
        set dstintf "Lan2INet0"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set profile-status enable
        set profile "web"
    next
    edit 2
        set srcintf "Lan2INet0"
        set dstintf "port16"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

config router static
    edit 1
        set device "Lan2INet0"
        set gateway 192.168.1.2
        set weight 50
    next
end


VDOM "INTERNET"

config firewall address
    edit "10.167"
        set subnet 10.167.0.0 255.255.0.0
    next
    edit "10.160"
        set subnet 10.160.0.0 255.255.0.0
    next
end

config vpn ipsec phase1-interface
    edit "to_Central_FGT2"
        set interface "port14"
        set local-gw 172.31.224.178
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 172.31.225.160
        set psksecret ENC R2hEH1SzcPJ9R7SIijMcYIy9I89Fm8LRDwYdc5D7XRLiV297lj6OuenHPx8anN4o9EGKJPRha0AcXEWopZi50vM3QD/8z/i1tZS75j54NyVqb8Bt
    next
end
config vpn ipsec phase2-interface
    edit "To_Central_fgt2"
        set phase1name "to_Central_FGT2"
        set proposal 3des-sha1 aes128-sha1
        set dst-subnet 10.167.0.0 255.255.0.0
        set src-subnet 10.160.0.0 255.255.0.0
    next
end

config firewall policy
    edit 1
        set srcintf "Lan2INet1"
        set dstintf "port14"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 2
        set srcintf "Lan2INet1"
        set dstintf "to_Central_FGT2"
        set srcaddr "10.160"
        set dstaddr "10.167"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 3
        set srcintf "to_Central_FGT2"
        set dstintf "Lan2INet1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

config wanopt peer
    edit "Central_FGT2"
        set ip 172.31.225.160
    next
end
config wanopt rule
    edit 1
        set src-ip 10.160.0.0-10.160.255.255
        set dst-ip 10.167.0.0-10.167.255.255
        set port 1-65535
        set proto tcp
        set peer "Central_FGT2"
    next
end

config router static
    edit 1
        set device "port14"
        set gateway 172.31.225.254
        set weight 50
    next
    edit 2
        set device "Lan2INet1"
        set dst 10.160.0.0 255.255.0.0
        set gateway 192.168.1.1
        set weight 50
    next
    edit 3
        set device "to_Central_FGT2"
        set dst 10.167.0.0 255.255.0.0
        set weight 50
    next
end




FortiGate 2 (server side, called Central_FGT2) CLI configuration (only the relevant parts are displayed)

config firewall address
    edit "10.167"
        set subnet 10.167.0.0 255.255.0.0
    next
    edit "10.160"
        set subnet 10.160.0.0 255.255.0.0
    next
end

config vpn ipsec phase1-interface
    edit "To_remote_FGT1"
        set interface "switch"
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 172.31.224.178
        set psksecret ENC 5Uv6OXDPunbpcId2hQ/aBmB7wU4smkMZmwL/UeY1nZYUedc87qIxUfunh5f9T+6dQyY7KwPObtigQ0yafo2z/UOz9FI0M8zcBg20chgydtHmlwPW
    next
end
config vpn ipsec phase2-interface
    edit "To_Remote_FGT1"
        set phase1name "To_remote_FGT1"
        set proposal 3des-sha1 aes128-sha1
        set dst-subnet 10.160.0.0 255.255.0.0
        set src-subnet 10.167.0.0 255.255.0.0
    next
end

config firewall policy
    edit 3
        set srcintf "port16"
        set dstintf "To_remote_FGT1"
        set srcaddr "10.167"
        set dstaddr "10.160"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 4
        set srcintf "To_remote_FGT1"
        set dstintf "port16"
        set srcaddr "10.160"
        set dstaddr "10.167"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 5
        set srcintf "port16"
        set dstintf "switch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end

config wanopt settings
    set host-id "Central_FGT2"
end
config wanopt peer
    edit "Remote_FGT1"
        set ip 172.31.224.178
    next
end
config wanopt rule
    edit 1
        set src-ip 10.167.0.0-10.167.255.255
        set dst-ip 10.160.0.0-10.160.255.255
        set port 1-65535
        set proto tcp
        set peer "Remote_FGT1"
    next
end

config router static
    edit 1
        set device "switch"
        set gateway 172.31.225.254
    next
    edit 2
        set device "To_remote_FGT1"
        set dst 10.160.0.0 255.255.0.0
    next
end
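Most failures of this design come from the two sides not agreeing: the IKE gateways not pointing at each other, phase 2 selectors that are not mirror images, no common proposal, or a WANOpt peer address that differs from the IPsec gateway. The script below is an added example (not Fortinet code and not part of the original article): it carries a minimal parser for the FortiOS config/edit/set/next/end syntax and embeds constructed copies of the relevant fragments of the two configurations above (interface, phase1name and psksecret lines omitted). Flagging 3DES as legacy is the editor's own check, not something FortiOS reports.

```python
LEGACY_ALGS = {"des", "3des", "md5"}  # editor's list of algorithms to warn about

# Constructed input: the relevant fragments of the two configurations above
# (interface, phase1name and psksecret lines omitted; they play no part here).
REMOTE_FGT1 = """
config vpn ipsec phase1-interface
    edit "to_Central_FGT2"
        set local-gw 172.31.224.178
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 172.31.225.160
    next
end
config vpn ipsec phase2-interface
    edit "To_Central_fgt2"
        set proposal 3des-sha1 aes128-sha1
        set dst-subnet 10.167.0.0 255.255.0.0
        set src-subnet 10.160.0.0 255.255.0.0
    next
end
config wanopt peer
    edit "Central_FGT2"
        set ip 172.31.225.160
    next
end
"""

CENTRAL_FGT2 = """
config vpn ipsec phase1-interface
    edit "To_remote_FGT1"
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 172.31.224.178
    next
end
config vpn ipsec phase2-interface
    edit "To_Remote_FGT1"
        set proposal 3des-sha1 aes128-sha1
        set dst-subnet 10.160.0.0 255.255.0.0
        set src-subnet 10.167.0.0 255.255.0.0
    next
end
config wanopt peer
    edit "Remote_FGT1"
        set ip 172.31.224.178
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: {table: {entry: {setting: value}}}."""
    root = {}
    stack = [root]  # innermost open 'config' table or 'edit' entry
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(stack[-1].setdefault(line[7:], {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(line[5:].strip('"'), {}))
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            stack[-1][key] = value.strip('"')
        elif line in ("next", "end"):
            stack.pop()
    return root

def first(table):
    """Single entry of a one-entry table (every fragment above has exactly one)."""
    return next(iter(table.values()))

def algorithms(proposal):
    """'3des-sha1 aes128-sha1' -> {'3des', 'sha1', 'aes128'}"""
    return {alg for item in proposal.split() for alg in item.split("-")}

def check_peering(side_a, side_b, label_a="A", label_b="B"):
    """Return ERROR/WARN lines; ERRORs are mismatches that stop the peering."""
    out = []
    for me, you, lbl in ((side_a, side_b, label_a), (side_b, side_a, label_b)):
        p1, p1_peer = first(me["vpn ipsec phase1-interface"]), first(you["vpn ipsec phase1-interface"])
        p2, p2_peer = first(me["vpn ipsec phase2-interface"]), first(you["vpn ipsec phase2-interface"])
        wp = first(me["wanopt peer"])
        # The WANOpt peer must be the very host the IPsec tunnel is built to.
        if wp["ip"] != p1["remote-gw"]:
            out.append(f"ERROR {lbl}: wanopt peer ip {wp['ip']} != remote-gw {p1['remote-gw']}")
        # When the other side pins a local-gw, our remote-gw must be that address.
        if "local-gw" in p1_peer and p1["remote-gw"] != p1_peer["local-gw"]:
            out.append(f"ERROR {lbl}: remote-gw {p1['remote-gw']} != peer local-gw {p1_peer['local-gw']}")
        # Phase 2 selectors must mirror each other or the SA will not match the traffic.
        if p2["src-subnet"] != p2_peer["dst-subnet"] or p2["dst-subnet"] != p2_peer["src-subnet"]:
            out.append(f"ERROR {lbl}: phase2 selectors do not mirror the peer")
        for phase, mine, theirs in (("phase1", p1, p1_peer), ("phase2", p2, p2_peer)):
            if not set(mine["proposal"].split()) & set(theirs["proposal"].split()):
                out.append(f"ERROR {lbl}: no common {phase} proposal")
        weak = LEGACY_ALGS & (algorithms(p1["proposal"]) | algorithms(p2["proposal"]))
        if weak:
            out.append(f"WARN {lbl}: legacy algorithms offered: {sorted(weak)}")
    return out

if __name__ == "__main__":
    for line in check_peering(parse_fortios(REMOTE_FGT1), parse_fortios(CENTRAL_FGT2),
                              "Remote_FGT1", "Central_FGT2"):
        print(line)
```

Run against the configurations of this article it reports only the two 3DES warnings; changing the WANOpt peer address on Remote_FGT1 to 172.31.225.161 (the mistake reproduced in the Troubleshooting section) turns that into an ERROR line before anything is pushed to the units.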


Verification
  • To verify the connectivity from the client to the server or to the Internet, establish TCP sessions (Telnet, HTTP).
  • The WAN Optimization statistics can be monitored from the GUI (Web Based Manager) under WanOpt --> Monitor:
[Screenshot: rmetzger_FD32430_FD32430_stats.jpg]

  • To verify that the content inspection is effective, access http://eicar.org from the client (this is the host listed in the URL filter; eicar.com is not in the filter and is not expected to be blocked). The page should be blocked and the browser will display "The URL you requested has been blocked. URL = eicar.org/".

Troubleshooting
Verify the routing tables in each VDOM on FortiGate 1: the entries to the remote subnet must be present.

LAN VDOM :

Remote_FGT1 (LAN) # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 192.168.1.2, Lan2INet0, [0/50]
C       10.160.0.0/23 is directly connected, port16
C       192.168.1.0/24 is directly connected, Lan2INet0
C       192.168.1.1/32 is directly connected, Lan2INet0


INTERNET VDOM :

Remote_FGT1 (Internet) # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 172.31.225.254, port14, [0/50]
S       10.160.0.0/16 [10/0] via 192.168.1.1, Lan2INet1, [0/50]
S       10.167.0.0/16 [10/0] is directly connected, to_Central_FGT2, [0/50]
C       172.31.224.0/23 is directly connected, port14
C       192.168.1.0/24 is directly connected, Lan2INet1
C       192.168.1.2/32 is directly connected, Lan2INet1



Verify the routing table on Fortigate 2 - the entry to the remote subnet must be present

Central_FGT2 # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 172.31.225.254, switch
S       10.160.0.0/16 [10/0] is directly connected, To_remote_FGT1
C       10.167.0.0/23 is directly connected, port16
C       172.31.224.0/23 is directly connected, switch



Verify that the VPN tunnels are up. This can be done from the GUI or from the CLI with the command 'diagnose vpn tunnel list'.
Example from the GUI:

[Screenshot: rmetzger_FD32430_FD32430_VPN.jpg]


Verify that the WANOpt tunnel(s) are up (CLI command, run from the global VDOM context):

Remote_FGT1 (global) # diagnose test application wad 26
peer name=Central_FGT2 ip=172.31.225.160 vd=3 version=1 tunnels(active/connecting/failover)=10/0/0
    sessions=0 n_retries=0 version_valid=true
total peers: 1


If the HTTP traffic is not flowing between the client and the server, also use the advanced diagnose commands:

-   the diagnose commands 'debug flow' and 'sniffer packet' described in the related article Troubleshooting Tip : First steps to troubleshoot connectivity problems to or through a FortiGate with sniffer, debug flow, session list, routing table.

-   the diagnose command 'diagnose debug application wad -1' (run 'diagnose debug enable' to see the output and 'diagnose debug disable' when done). The example below was captured while the tunnel between the two peers was not up because the WANOpt peer had been configured with a wrong IP address (172.31.225.161 instead of 172.31.225.160):

wad_app_eng_tunnel_port_connect(727) peer-port=0x9271c90 gw=172.31.225.161
wad_app_eng_tunnel_port_connect(736) no tunnel yet for ses_ctx=0x92800b0. ret =1 sock 18 close
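The checks of this section can also be scripted against the command output, for example from the text collected over an SSH session, instead of being read by eye. The script below is an added example (not from the article and not Fortinet code): it parses the two routing tables of Remote_FGT1 and the 'diagnose test application wad 26' output shown above, embedded here as constructed sample text with the CLI prompts included, and reports the conditions this section tells you to verify. The reference to TCP 7810 in the last finding is the default WAN Optimization tunnel port.

```python
import re

# Constructed sample text: the command outputs shown in this section.
LAN_TABLE = """\
Remote_FGT1 (LAN) # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 192.168.1.2, Lan2INet0, [0/50]
C       10.160.0.0/23 is directly connected, port16
C       192.168.1.0/24 is directly connected, Lan2INet0
C       192.168.1.1/32 is directly connected, Lan2INet0
"""
INET_TABLE = """\
Remote_FGT1 (Internet) # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 172.31.225.254, port14, [0/50]
S       10.160.0.0/16 [10/0] via 192.168.1.1, Lan2INet1, [0/50]
S       10.167.0.0/16 [10/0] is directly connected, to_Central_FGT2, [0/50]
C       172.31.224.0/23 is directly connected, port14
C       192.168.1.0/24 is directly connected, Lan2INet1
C       192.168.1.2/32 is directly connected, Lan2INet1
"""
WAD_PEERS = """\
Remote_FGT1 (global) # diagnose test application wad 26
peer name=Central_FGT2 ip=172.31.225.160 vd=3 version=1 tunnels(active/connecting/failover)=10/0/0
    sessions=0 n_retries=0 version_valid=true
total peers: 1
"""

PEER_RE = re.compile(r"peer name=(\S+) ip=(\S+) .*tunnels\(active/connecting/failover\)=(\d+)/(\d+)/(\d+)")

def parse_routes(text):
    """{prefix: (device, gateway or None)} from 'get router info routing-table all'."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue  # prompt line or anything that is not a route entry
        if "via" in parts:
            i = parts.index("via")  # '... via <gw>, <device>, ...'
            routes[parts[1]] = (parts[i + 2].rstrip(","), parts[i + 1].rstrip(","))
        elif "connected," in parts:  # '... is directly connected, <device>'
            routes[parts[1]] = (parts[parts.index("connected,") + 1].rstrip(","), None)
    return routes

def parse_wad_peers(text):
    """{peer: {ip, active, connecting, failover, version_valid}} from 'diagnose test application wad 26'."""
    peers, cur = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            cur = {"ip": m.group(2), "active": int(m.group(3)),
                   "connecting": int(m.group(4)), "failover": int(m.group(5))}
            peers[m.group(1)] = cur
        elif cur is not None and "version_valid=" in line:  # continuation line of the peer
            cur["version_valid"] = line.split("version_valid=")[1].strip() == "true"
    return peers

def check_remote_fgt1(lan_routes, inet_routes, wad_peers):
    """Findings for the Remote_FGT1 checks of this section; an empty list means all good."""
    findings = []
    # LAN VDOM: everything must be handed to the Internet VDOM over the IVL.
    if lan_routes.get("0.0.0.0/0") != ("Lan2INet0", "192.168.1.2"):
        findings.append("LAN: default route must point to 192.168.1.2 via Lan2INet0")
    # Internet VDOM: return route to the client LAN and the route into the tunnel.
    if inet_routes.get("10.160.0.0/16", (None, None))[0] != "Lan2INet1":
        findings.append("Internet: route to 10.160.0.0/16 via Lan2INet1 missing")
    if inet_routes.get("10.167.0.0/16", (None, None))[0] != "to_Central_FGT2":
        findings.append("Internet: route to 10.167.0.0/16 over to_Central_FGT2 missing")
    # WANOpt: the peer must be known under the right address and have live tunnels.
    peer = wad_peers.get("Central_FGT2")
    if peer is None or peer["ip"] != "172.31.225.160":
        findings.append("WANOpt: peer Central_FGT2 missing or configured with the wrong address")
    elif peer["active"] == 0 or not peer.get("version_valid", False):
        findings.append("WANOpt: no active tunnel to Central_FGT2 (wrong peer IP, or TCP 7810 blocked)")
    return findings

if __name__ == "__main__":
    print(check_remote_fgt1(parse_routes(LAN_TABLE), parse_routes(INET_TABLE), parse_wad_peers(WAD_PEERS)))
```

With the outputs of this article the result is an empty list; a peer line reading tunnels(active/connecting/failover)=0/1/0, which is what the wrong-address case above looks like, produces the WANOpt finding, and a missing 10.167.0.0/16 route in the Internet VDOM produces the routing one.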



Related Articles

Troubleshooting Tip : First steps to troubleshoot connectivity problems to or through a FortiGate with sniffer, debug flow, session list, routing table.