FortiGate
jdelafuente_FTNT
Article Id 332208
Description

This article describes an Automation Stitch example configuration that forces IPsec VPN renegotiation after an SLA health-check failure in an SD-WAN environment.

Scope

SD-WAN, IPsec VPN, FortiGate (all OS versions).

Solution

Configuration:

config vpn ipsec phase1-interface
    edit "VPN-PRI"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 2
        set remote-gw 10.1.1.1
        set psksecret **removed**
    next
end

config vpn ipsec phase2-interface
    edit "VPN-PRI"
        set phase1name "VPN-PRI"
        set proposal aes256-sha256
        set dhgrp 2
        set auto-negotiate enable
    next
end

config system interface
    edit "VPN-PRI"
        set vdom "root"
        set ip 10.254.254.2 255.255.255.255
        set type tunnel
        set remote-ip 10.254.254.1 255.255.255.252 <----- The local and remote IPs are in the same broadcast domain.
        set interface "port1"
    next
end

config system sdwan
    set status enable
    config zone
        edit "VPN"
        next
    end
    config members
        edit 3
            set interface "VPN-PRI"
            set zone "VPN"
        next
        edit 4
            set interface "VPN-PRI"
            set zone "VPN"
        next
    end
    config health-check
        edit "SLA01"
            set server "192.168.100.1" <----- A remote IP that is always reachable.
            set interval 1000
            set failtime 10
            set recoverytime 10
            set members 4 3
        next
    end
end

Expected log event on which the automation trigger is built (the trigger below matches its logid, interface and status fields):

date=2024-08-11 time=21:13:05 eventtime=1723428785021493960 tz="-0500" logid="0100022921" type="event" subtype="system" level="critical" vd="root" logdesc="Routing information changed" name="SLA01" interface="VPN-PRI" status="down" msg="Static route on interface VPN-PRI may be removed by health-check SLA01. Route: (10.254.254.1->192.168.200.1 ping-down)"

config system automation-trigger
    edit "VPN-PRI_Down"
        set event-type event-log
        set logid 22921
        config fields
            edit 1
                set name "interface"
                set value "VPN-PRI"
            next
            edit 2
                set name "status"
                set value "down"
            next
        end
    next
end

config system automation-action
    edit "Rekey_VPN-PRI"
        set action-type cli-script
        set script "diagnose vpn ike gateway clear name VPN-PRI"
        set accprofile "super_admin"
    next
end

config system automation-stitch
    edit "Renegotiate_VPN-PRI"
        set trigger "VPN-PRI_Down"
        config actions
            edit 1
                set action "Rekey_VPN-PRI"
                set delay 10
                set required enable
            next
        end
    next
end
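As an added illustration, not part of the article and not a FortiGate feature, the following Python models how the trigger above selects events: it parses FortiOS key=value log lines and reports only the entries whose logid and every configured field match, so an interface recovery (status="up") or another tunnel's failure does not fire the stitch. The sample log lines are constructed, and the mapping of the short logid 22921 to the trailing digits of logid="0100022921" and the AND semantics of the configured fields are assumptions made for this example.

```python
import re

# Constructed sample FortiOS event-log lines for this example. The first mirrors the
# "Routing information changed" event shown in the article; the others are near-misses.
SAMPLE_LOGS = [
    'date=2024-08-11 time=21:13:05 logid="0100022921" type="event" subtype="system" '
    'level="critical" vd="root" logdesc="Routing information changed" name="SLA01" '
    'interface="VPN-PRI" status="down" msg="Static route on interface VPN-PRI may be '
    'removed by health-check SLA01. Route: (10.254.254.1->192.168.200.1 ping-down)"',
    # Same interface, but the link recovered: status="up" must not fire the stitch.
    'date=2024-08-11 time=21:13:25 logid="0100022921" type="event" subtype="system" '
    'level="notice" vd="root" logdesc="Routing information changed" name="SLA01" '
    'interface="VPN-PRI" status="up" msg="Static route on interface VPN-PRI restored"',
    # Hypothetical second tunnel (VPN-SEC) going down: wrong interface, must not fire.
    'date=2024-08-11 time=21:14:00 logid="0100022921" type="event" subtype="system" '
    'level="critical" vd="root" logdesc="Routing information changed" name="SLA01" '
    'interface="VPN-SEC" status="down" msg="Static route on interface VPN-SEC may be removed"',
]

# key=value pairs; quoted values may contain spaces, unquoted ones stop at whitespace.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line):
    """Return a dict of the key=value fields found in one FortiOS log line."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


# Mirrors the article's trigger: logid 22921 plus two field filters that must all match.
TRIGGER = {"logid": 22921, "fields": {"interface": "VPN-PRI", "status": "down"}}


def trigger_matches(trigger, entry):
    """True when the log entry satisfies every condition of the automation trigger."""
    # Assumption: the 5-digit trigger logid is the tail of the 10-digit logid="0100022921".
    full_logid = entry.get("logid", "")
    if not full_logid.isdigit() or int(full_logid[-5:]) != trigger["logid"]:
        return False
    return all(entry.get(name) == value for name, value in trigger["fields"].items())


def events_that_fire(lines, trigger=TRIGGER):
    """Filter raw log lines down to the entries that would fire the stitch."""
    return [entry for entry in map(parse_fortios_log, lines) if trigger_matches(trigger, entry)]
```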

Results:

[Screenshot: AutomationStitch01.png]