FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jdelafuente_FTNT
Article Id 332124
Description

This article describes an Automation Stitch example configuration that forces IPsec VPN renegotiation after a Link Monitor failure, for the case where the IPsec VPN is a single interface and not part of SD-WAN.

 

Scope

IPsec VPN, Link Monitor, FortiGate 7.0.x, 7.2.x, 7.4.x.

 

Solution

Requirements.

  • Site-to-site primary and backup VPNs configured, preferably with an IP address assigned on each IPsec interface.
  • A source IP for the Link Monitor, which can be any local IP.
  • A destination IP that is always reachable, such as the remote IPsec interface IP.

Limitations.

  • The VPN tunnels must not be part of an SD-WAN configuration.
  • The IPsec VPN must be site-to-site. Dial-up is not supported.
  • The log ID may vary depending on the firmware version.

Configurations.

config vpn ipsec phase1-interface
    edit "VPN-Primary"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 2
        set remote-gw 10.1.1.2
        set psksecret ENC **removed**
    next
end

config vpn ipsec phase2-interface
    edit "VPN-Primary"
        set phase1name "VPN-Primary"
        set proposal aes256-sha256
        set dhgrp 2
        set auto-negotiate enable <- Bring the tunnel up without waiting for interesting traffic.
    next
end

config system interface
    edit "VPN-Primary"
        set vdom "root"
        set ip 10.254.254.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.254.254.2 255.255.255.252 <- The local and remote IPs must belong to the same subnet so that no static route is needed.
        set interface "wan1" <- Must match the interface set in the phase1-interface above.
    next
end

config system link-monitor
    edit "VPN-Pri_Monitor"
        set srcintf "VPN-Primary"
        set server "10.254.254.2" <- Destination IP, which can be the remote IPsec interface IP.
        set source-ip 192.168.100.1 <- Leave blank to use the IPsec local IP, or define any other internal IP.
        set interval 1000 <- Ping every 1 second.
        set failtime 15 <- 15 consecutive failures (15 seconds) before the link is declared dead.
    next
end

diagnose sys link-monitor status VPN-Pri_Monitor

  Link Monitor: VPN-Pri_Monitor, Status: dead, Server num(1), HA state: local(dead), shared(dead)
  Flags=0x9 init log_downgateway, Create time: Sun Aug 11 03:22:02 2024
  Source interface: VPN-Primary (12)
  Source IP: 192.168.100.1
  Interval: 1000 ms
  Service-detect: disable
  Diffservcode: 000000
  Class-ID: 0
    Peer: 10.254.254.2(10.254.254.2)
    Source IP(192.168.100.1)set
    Route: 192.168.100.1->10.254.254.2/32, gwy(10.1.1.2)
    protocol: ping, state: dead
    Packet lost: 100.000%
    Number of out-of-sequence packets: 0set
    Recovery times(0/5) Fail Times(2/15)set
    Packet sent: 2711, received: 1151, Sequence(sent/rcvd/exp): 2712/1165/1166

Expected log events for configuring the automation trigger, depending on the FortiOS version:

7.0.x:
date=2024-08-11 time=02:20:31 eventtime=1723360831389957909 tz="-0500" logid="0100022922" type="event" subtype="system" level="notice" vd="root" logdesc="Link monitor status" name="VPN-Pri_Monitor" interface="VPN-Primary" probeproto="ping" msg="Link Monitor changed state from alive to dead, protocol: ping."

7.2.x or 7.4.x:
date=2024-08-11 time=09:11:27 eventtime=1723392687691783869 tz="-0700" logid="0100022932" type="event" subtype="system" level="warning" vd="root" logdesc="Link monitor status warning" name="VPN-Pri_Monitor" interface="VPN-Primary" probeproto="ping" msg="Link Monitor changed state from alive to dead, protocol: ping."

config system automation-trigger
    edit "VPN-PRI_MonitorDown"
        set event-type event-log
        set logid 22922 <- 22922 on FortiOS 7.0.x, 22932 on FortiOS 7.2.x and 7.4.x.
        config fields
            edit 1
                set name "interface"
                set value "VPN-Primary"
            next
            edit 2
                set name "msg"
                set value "Link Monitor changed state from alive to dead, protocol: ping."
            next
        end
    next
end
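The trigger above fires only when a log line carries the configured log ID and every field under "config fields" matches. The following script is an added example, not Fortinet code and not part of the original article: it parses the FortiOS key=value log format and applies the same logid/field check to the two log lines shown above plus two constructed lines (a recovery event and a failure on a different tunnel) that the trigger must ignore. It assumes that the value given to "set logid" is the trailing six digits of the 10-digit logid field, which is how the page pairs 0100022922 with 22922 and 0100022932 with 22932, and that field matching is an exact string comparison.

```python
import re
from typing import Dict, Iterable, List

# Sample log lines. The first two are the 7.0.x and 7.2.x/7.4.x events shown
# in the article; the last two are constructed here (a recovery event and an
# event for a different tunnel) to show what the trigger must ignore.
SAMPLE_LOGS: List[str] = [
    'date=2024-08-11 time=02:20:31 eventtime=1723360831389957909 tz="-0500" '
    'logid="0100022922" type="event" subtype="system" level="notice" vd="root" '
    'logdesc="Link monitor status" name="VPN-Pri_Monitor" interface="VPN-Primary" '
    'probeproto="ping" msg="Link Monitor changed state from alive to dead, protocol: ping."',
    'date=2024-08-11 time=09:11:27 eventtime=1723392687691783869 tz="-0700" '
    'logid="0100022932" type="event" subtype="system" level="warning" vd="root" '
    'logdesc="Link monitor status warning" name="VPN-Pri_Monitor" interface="VPN-Primary" '
    'probeproto="ping" msg="Link Monitor changed state from alive to dead, protocol: ping."',
    # Constructed: recovery event on the same tunnel, must not fire.
    'date=2024-08-11 time=09:12:40 logid="0100022932" type="event" subtype="system" '
    'level="notice" vd="root" name="VPN-Pri_Monitor" interface="VPN-Primary" '
    'probeproto="ping" msg="Link Monitor changed state from dead to alive, protocol: ping."',
    # Constructed: failure on another tunnel, must not fire.
    'date=2024-08-11 time=09:13:05 logid="0100022932" type="event" subtype="system" '
    'level="warning" vd="root" name="VPN-Bak_Monitor" interface="VPN-Backup" '
    'probeproto="ping" msg="Link Monitor changed state from alive to dead, protocol: ping."',
]

# The fields configured under "config fields" in the trigger above.
TRIGGER_FIELDS: Dict[str, str] = {
    "interface": "VPN-Primary",
    "msg": "Link Monitor changed state from alive to dead, protocol: ping.",
}

# key=value pairs; a value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Split one FortiOS log line into a field dictionary, stripping quotes."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in FIELD_RE.findall(line)}


def short_logid(logid: str) -> int:
    """Map the 10-digit logid field to the value used by 'set logid'.

    Assumption (taken from the article's pairing of 0100022922 with 22922 and
    0100022932 with 22932): the trigger uses the trailing six digits as an integer.
    """
    return int(logid[-6:])


def trigger_matches(event: Dict[str, str], logid: int, fields: Dict[str, str]) -> bool:
    """True when the event would fire the trigger: the log ID matches and every
    configured field equals the logged value (assumed to be an exact match)."""
    if "logid" not in event or short_logid(event["logid"]) != logid:
        return False
    return all(event.get(name) == value for name, value in fields.items())


def count_triggers(lines: Iterable[str], logid: int, fields: Dict[str, str]) -> int:
    """Number of log lines that would increment the stitch's trigger count."""
    return sum(1 for line in lines if trigger_matches(parse_fortios_log(line), logid, fields))


if __name__ == "__main__":
    for version, logid in (("7.0.x", 22922), ("7.2.x/7.4.x", 22932)):
        fired = count_triggers(SAMPLE_LOGS, logid, TRIGGER_FIELDS)
        print(f"trigger with logid {logid} ({version}) fires {fired} time(s)")
```

Running it shows that a trigger configured with 22922 fires once (on the 7.0.x line) and one configured with 22932 fires once (on the 7.2.x/7.4.x line); each ignores the other version's line, the recovery message and the other tunnel's failure. This is the check to repeat against a real log line from the unit before relying on the stitch, since the limitations section notes that the log ID varies by firmware.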

config system automation-action
    edit "Renegotiate_VPN-Primary"
        set action-type cli-script
        set script "diagnose vpn ike gateway clear name VPN-Primary" <- Clears the IKE gateway so the tunnel renegotiates.
        set accprofile "super_admin"
    next
end

config system automation-stitch
    edit "Renegotiate_VPN-Primary"
        set trigger "VPN-PRI_MonitorDown"
        config actions
            edit 1
                set action "Renegotiate_VPN-Primary"
                set delay 10 <- Wait 10 seconds after the trigger before running the action.
                set required enable
            next
        end
    next
end

Results.

Navigate to Security Fabric -> Automation -> Stitch and check that the trigger count of the stitch increases each time the Link Monitor reports the tunnel dead; this confirms the stitch is firing.

[Image: AutomationStitch01.png]