Description | This article explains how FortiOS controls ADVPN shortcut tear-down by using a dynamic IPsec phase 2 selector. |
Scope | FortiGate |
Solution |
Background: In some deployments aimed at PCI DSS compliance, users must be able to automatically terminate an IPsec tunnel (both phase 1 and phase 2) when no traffic passes through the tunnel within a specified time interval. An illustrative use case is described at the following link:
Traditionally, in an ADVPN Hub-Spoke configuration, a BGP neighbor relationship is established between the Hub and the Spoke, rather than directly between Spokes. Routes are exchanged using the route-reflector feature on the Hub. A practical demonstration of utilizing a route reflector in a typical ADVPN topology is available here: Technical Tip: ADVPN with BGP as the routing protocol
It is possible to configure a direct BGP neighbor relationship between Spokes over a negotiated shortcut, but this approach has a drawback: BGP keepalive messages prevent the negotiated shortcut IPsec tunnel from idling out and being torn down. The same issue applies to SD-WAN Performance SLA ICMP health checks sent over the negotiated shortcut.
Solution: In FortiOS versions prior to 7.4, the solution leveraged IKEv2 phase 2 traffic selector narrowing as defined in RFC 5996. This approach creates a dynamic selector for ADVPN shortcuts that segregates control traffic, so the data traffic counters are not incremented and the phase 1 idle-timeout functions as intended on ADVPN shortcuts. IKE generates a dynamic selector for ADVPN shortcuts that matches the ICMP health check packets used by SD-WAN.
To address this issue, FortiOS 7.4 extends this selector to cover all SD-WAN control plane traffic, not only ICMP. The single selector now matches both BGP and ICMP health-check traffic. More details about this feature are available at: Using a single IKE elector in ADVPN to match all SD-WAN control plane traffic
The dynamic selector is labeled 'health-check', as shown in the sample output below.
dia vpn tun lis
list all ipsec tunnel in vd 0
------------------------------------------------------
name=spoke2_0 ver=2 serial=5 10.21.7.104:0->10.21.7.54:0 tun_id=10.10.1.3 tun_id6=::10.0.0.4 dst_mtu=1500 dpd-link=on weight=1
bound_if=3 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/66232 options[102b8]=npu create_dev rgwy-chg frag-rfc role=primary accept_traffic=1 overlay_id=0
parent=spoke2 index=0
proxyid_num=3 child_num=0 refcnt=7 ilast=0 olast=0 ad=r/2
stat: rxp=1332209 txp=0 rxb=53288360 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=3
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=spoke2 proto=0 sa=1 ref=5 serial=2 adr health-check
  src: 0:10.10.1.2-10.10.1.2:0
  dst: 0:10.10.1.3-10.10.1.3:0
  SA: ref=3 options=a2602 type=00 soft=0 mtu=1438 expire=12169/0B replaywin=2048
       seqno=1e8d1 esn=0 replaywin_lastseq=0000049f qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=43185/43200
  dec: spi=101c9f0a esp=aes key=16 93abe33f4946e82ede0bc5434a2a4a06
       ah=sha1 key=20 98e285069f46f42b9770fa9ac1e7218343e033e3
  enc: spi=39fc93d3 esp=aes key=16 38853cfad0ce87b1ea7464baf8b632a5
       ah=sha1 key=20 f1e17796f0a9f3ad34be0ac96fdf0e507fe012aa
  dec:pkts/bytes=1182/72693, enc:pkts/bytes=125136/13042480
  npu_flag=00 npu_rgwy=10.21.7.54 npu_lgwy=10.21.7.104 npu_selid=6 dec_npuid=0 enc_npuid=0
proxyid=spoke2 proto=0 sa=0 ref=1 serial=1 adr
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
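The following Python script is an added example, not Fortinet code: it parses the `diagnose vpn tunnel list` output shown above (the sample is reproduced inline, abridged and with key material omitted) and reports, per shortcut, how many packets were counted on the 'health-check' selector versus on the ordinary data selectors. Treating the 'health-check' selector as control-plane traffic and every other selector as data traffic is an interpretation of this article's description, not a FortiOS API; the field layout assumed by the regular expressions is the one visible in the sample.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the article's own diagnostic listing, reflowed and abridged
# (SA key material removed). Only fields the parser reads are kept intact.
SAMPLE = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=spoke2_0 ver=2 serial=5 10.21.7.104:0->10.21.7.54:0 tun_id=10.10.1.3 dpd-link=on weight=1
parent=spoke2 index=0
proxyid_num=3 child_num=0 refcnt=7 ilast=0 olast=0 ad=r/2
stat: rxp=1332209 txp=0 rxb=53288360 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=3
proxyid=spoke2 proto=0 sa=1 ref=5 serial=2 adr health-check
  src: 0:10.10.1.2-10.10.1.2:0
  dst: 0:10.10.1.3-10.10.1.3:0
  SA: ref=3 options=a2602 type=00 soft=0 mtu=1438 expire=12169/0B replaywin=2048
  life: type=01 bytes=0/0 timeout=43185/43200
  dec: spi=101c9f0a esp=aes key=16 <omitted>
  enc: spi=39fc93d3 esp=aes key=16 <omitted>
  dec:pkts/bytes=1182/72693, enc:pkts/bytes=125136/13042480
proxyid=spoke2 proto=0 sa=0 ref=1 serial=1 adr
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
"""

NAME_RE = re.compile(r"^name=(\S+)")
# 'adr' optionally followed by the health-check label that marks the dynamic selector
PROXY_RE = re.compile(
    r"^proxyid=(\S+) proto=\d+ sa=(\d+) ref=\d+ serial=(\d+) adr(?P<hc> health-check)?"
)
PKTS_RE = re.compile(r"dec:pkts/bytes=(\d+)/\d+, enc:pkts/bytes=(\d+)/\d+")


@dataclass
class Selector:
    proxyid: str
    serial: int
    sa_count: int          # sa=0 means no child SA is currently installed
    health_check: bool     # True for the dynamic control-plane selector
    src: str = ""
    dst: str = ""
    dec_pkts: int = 0
    enc_pkts: int = 0


@dataclass
class Tunnel:
    name: str
    selectors: list = field(default_factory=list)


def parse_tunnels(text: str) -> list:
    """Build Tunnel/Selector records from 'diagnose vpn tunnel list' text."""
    tunnels, tun, sel = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:                                   # start of a new tunnel block
            tun = Tunnel(name=m.group(1))
            tunnels.append(tun)
            sel = None
            continue
        m = PROXY_RE.match(line)
        if m and tun is not None:               # start of a new phase 2 selector
            sel = Selector(proxyid=m.group(1), sa_count=int(m.group(2)),
                           serial=int(m.group(3)), health_check=m.group("hc") is not None)
            tun.selectors.append(sel)
            continue
        if sel is None:
            continue                            # tunnel-level lines before any selector
        if line.startswith("src:"):
            sel.src = line[4:].strip()
        elif line.startswith("dst:"):
            sel.dst = line[4:].strip()
        else:
            m = PKTS_RE.search(line)
            if m:                               # per-SA packet counters
                sel.dec_pkts, sel.enc_pkts = int(m.group(1)), int(m.group(2))
    return tunnels


def traffic_summary(tun: Tunnel) -> dict:
    """Separate control-plane (health-check selector) from data-plane packet counts."""
    control = sum(s.dec_pkts + s.enc_pkts for s in tun.selectors if s.health_check)
    data = sum(s.dec_pkts + s.enc_pkts for s in tun.selectors if not s.health_check)
    data_sa_up = any(s.sa_count > 0 for s in tun.selectors if not s.health_check)
    return {"control_pkts": control, "data_pkts": data, "data_sa_up": data_sa_up}


if __name__ == "__main__":
    for t in parse_tunnels(SAMPLE):
        print(t.name, traffic_summary(t))
```

On the article's sample the script reports all 126318 counted packets on the 'health-check' selector and none on the wildcard data selector, which has no child SA installed (sa=0); that is the state in which the phase 1 idle-timeout can expire the shortcut even though BGP keepalives and SLA probes keep flowing. To use it on a live unit, paste the full `diagnose vpn tunnel list` output in place of SAMPLE.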
The new feature supports both IKEv2 and IKEv1. |
Copyright 2024 Fortinet, Inc. All Rights Reserved.