FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rishab444
Staff
Article Id 306815
Description: This article describes why it is not possible to connect to the Security Fabric root when the connection to the root runs over an IPsec tunnel that is a member of an aggregate IPsec interface.
Scope: FortiGate.
Solution
  1. Confirm that the aggregate link is present under IPsec Tunnels:

[screenshot: aggr.PNG]

  2. Confirm that this aggregate link is not offered as a selectable interface for the Security Fabric connection:

[screenshot: MicrosoftTeams-image (7).png]

  3. This behavior is expected: tunnels that are members of an aggregate IPsec interface cannot be used as the Security Fabric root interface. The same aggregation can be achieved with SD-WAN instead.
  4. Create a new SD-WAN zone containing the two required tunnels:

[screenshot: MicrosoftTeams-image (6).png]

  5. Create an SD-WAN rule that reproduces the behavior of an IPsec tunnel aggregate, as shown below; the interface selection strategy must be set to maximize bandwidth:

[screenshot: MicrosoftTeams-image (8).png]

  6. Confirm that the SD-WAN zone interfaces, which now act as the aggregate link, can be selected as Security Fabric root interfaces:

[screenshot: Picture2.png]


Special note for 7.4.8:

Starting from version 7.4.8, users are able to select aggregate links as Security Fabric connection interfaces in the GUI. However, the aggregate links still do not work for the Security Fabric connection.


Run the following debug commands:

diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter port 8013
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 7777


In the debug output below, FortiGate drops the traffic on policy 0, meaning no local-in policy matched the Security Fabric connection arriving from the aggregate interface:

id=65308 trace_id=2342 func=print_pkt_detail line=5938 msg="vd-VDOM_1:0 received a packet(proto=6, 10.0.100.2:4469->10.0.15.4:8013) tun_id=10.0.15.1 from VPN_AGGREGATE. flag [S], seq 445012612, ack 0, win 14600"
id=65308 trace_id=2342 func=ipsec_spoofed4 line=245 msg="src ip 10.0.100.X match selector 0 range 0.0.0.0-255.255.255.255"
id=65308 trace_id=2342 func=init_ip_session_common line=6136 msg="allocate a new session-2ff6b056"
id=65308 trace_id=2342 func=iprope_dnat_check line=5474 msg="in-[VPN_AGGREGATE], out-[]"
id=65308 trace_id=2342 func=vf_ip_route_input_common line=2612 msg="find a route: flag=80000000 gw-10.0.15.1 via VDOM_1"
id=65308 trace_id=2342 func=iprope_in_check line=496 msg="in-[VPN_AGGREGATE], out-[], skb_flags-02000008, vid-0"

id=65308 trace_id=2685 func=__iprope_check line=2412 msg="gnum-10000e check result: ret-matched, act-accept, flag-00000001, flag2-00000000"
id=65308 trace_id=2342 func=__iprope_check line=2395 msg="gnum-10000e, check-ffffffffa002f5d0"
id=65308 trace_id=2342 func=__iprope_check_one_policy line=2365 msg="policy-4294967295 is matched, act-drop"
id=65308 trace_id=2342 func=__iprope_check line=2412 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=2342 func=fw_local_in_handler line=611 msg="iprope_in_check() check failed on policy 0, drop"

FortiGate then checks the administrative (local-in) policies, but there is no entry for the VPN aggregate interface:

diagnose firewall iprope list 10000e

The other VPN interfaces do have an entry for the Security Fabric port (TCP 8013):


policy index=429
zone(1): 15-> zone(1): 0
<----- 15 is the interface index ID.
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
[6:0x0:0/(0,65535)->(8013,8013)] flags:0 helper:auto

To find the interface index ID, run:

diagnose netlink interface list

In short, FortiGate has no administrative (local-in) policy that admits TCP port 8013 from the VPN aggregate interface, so that interface cannot be used for a Security Fabric connection.
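The two outputs above (the flow trace that ends in a policy 0 drop, and the iprope local-in list) can be triaged programmatically when many tunnels are involved. The following Python script is an added example written for this article, not Fortinet code: it parses `diagnose debug flow` lines into per-trace summaries and reads a `diagnose firewall iprope list 10000e` listing to check whether any entry admits TCP 8013 from a given interface index. All sample text is constructed (modelled on the article's output); the second trace 2343 from an interface named VPN_1 and policy index 430 are invented for contrast, and the helper names are my own.

```python
"""Triage helpers for FortiGate debug-flow traces and iprope local-in listings.
Added example for this article; not Fortinet code. Sample data is constructed."""
import re

# key=value pairs on a flow line; a quoted value (msg="...") is taken whole.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PKT_RE = re.compile(r'\(proto=(\d+), (\S+):(\d+)->(\S+):(\d+)\).*? from (\S+)\.')
GROUP_RE = re.compile(r'gnum-([0-9a-f]+) check result: ret-(\w+), act-(\w+)')
FAIL_RE = re.compile(r'check failed on policy (\d+), (\w+)')

def parse_flow_line(line):
    """Split one debug-flow line into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def summarize_traces(lines):
    """Group lines by trace_id; record 5-tuple, ingress interface and iprope verdicts."""
    traces = {}
    for line in lines:
        f = parse_flow_line(line)
        if "trace_id" not in f:
            continue
        t = traces.setdefault(f["trace_id"], {"groups": {}, "policy": None, "verdict": None})
        msg = f.get("msg", "")
        m = PKT_RE.search(msg)
        if m:
            t.update(proto=int(m[1]), src=m[2], sport=int(m[3]),
                     dst=m[4], dport=int(m[5]), ingress=m[6])
        m = GROUP_RE.search(msg)
        if m:
            t["groups"][m[1]] = m[3]          # iprope group number -> action
        m = FAIL_RE.search(msg)
        if m:
            t["policy"], t["verdict"] = int(m[1]), m[2]
    return traces

def explain(trace):
    """One-line reading of a trace; a drop on policy 0 means no local-in entry matched."""
    if trace["verdict"] == "drop" and trace["policy"] == 0:
        return (f"local-in drop: {trace.get('ingress')} -> tcp/{trace.get('dport')} "
                f"matched no local-in entry (policy 0)")
    if "accept" in trace["groups"].values() and trace["verdict"] is None:
        return "accepted by a local-in entry"
    return "no verdict recorded"

# iprope listing: one 'policy index=N' block per entry; zone() before '->' is ingress.
POLICY_RE = re.compile(r'policy index=(\d+)')
ZONE_RE = re.compile(r'zone\(\d+\): ([\d ]+?)->')
SVC_RE = re.compile(r'\[(\d+):0x[0-9a-f]+:\d+/\(\d+,\d+\)->\((\d+),(\d+)\)\]')

def parse_iprope(text):
    """Parse an iprope listing into entries of ingress interface indexes and services."""
    entries, cur = [], None
    for line in text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            cur = {"index": int(m[1]), "in_zones": set(), "services": []}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = ZONE_RE.search(line)
        if m:
            cur["in_zones"].update(int(z) for z in m[1].split())
        for s in SVC_RE.finditer(line):
            cur["services"].append((int(s[1]), int(s[2]), int(s[3])))  # proto, dport lo, hi
    return entries

def local_in_entry_for(text, ifindex, port, proto=6):
    """Return the policy index admitting proto/port from interface index ifindex, else None."""
    for e in parse_iprope(text):
        if ifindex in e["in_zones"] and any(
                p == proto and lo <= port <= hi for p, lo, hi in e["services"]):
            return e["index"]
    return None

# Constructed samples modelled on the article's output (not captured from a device).
SAMPLE_FLOW = '''
id=65308 trace_id=2342 func=print_pkt_detail line=5938 msg="vd-VDOM_1:0 received a packet(proto=6, 10.0.100.2:4469->10.0.15.4:8013) tun_id=10.0.15.1 from VPN_AGGREGATE. flag [S], seq 445012612, ack 0, win 14600"
id=65308 trace_id=2342 func=iprope_in_check line=496 msg="in-[VPN_AGGREGATE], out-[], skb_flags-02000008, vid-0"
id=65308 trace_id=2342 func=__iprope_check_one_policy line=2365 msg="policy-4294967295 is matched, act-drop"
id=65308 trace_id=2342 func=__iprope_check line=2412 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=2342 func=fw_local_in_handler line=611 msg="iprope_in_check() check failed on policy 0, drop"
id=65308 trace_id=2343 func=print_pkt_detail line=5938 msg="vd-VDOM_1:0 received a packet(proto=6, 10.0.100.3:4470->10.0.15.4:8013) tun_id=10.0.15.1 from VPN_1. flag [S], seq 1, ack 0, win 14600"
id=65308 trace_id=2343 func=__iprope_check_one_policy line=2365 msg="policy-429 is matched, act-accept"
id=65308 trace_id=2343 func=__iprope_check line=2412 msg="gnum-10000e check result: ret-matched, act-accept, flag-00000001, flag2-00000000"
'''.strip().splitlines()

SAMPLE_IPROPE = '''
policy index=429
zone(1): 15-> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
[6:0x0:0/(0,65535)->(8013,8013)] flags:0 helper:auto
policy index=430
zone(1): 12-> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
[6:0x0:0/(0,65535)->(443,443)] flags:0 helper:auto
'''.strip()

if __name__ == "__main__":
    for tid, t in summarize_traces(SAMPLE_FLOW).items():
        print(tid, explain(t))
    print("index 15, tcp/8013 ->", local_in_entry_for(SAMPLE_IPROPE, 15, 8013))
    print("index 20, tcp/8013 ->", local_in_entry_for(SAMPLE_IPROPE, 20, 8013))
```

Feed `summarize_traces` the lines captured with the filter on port 8013, and `local_in_entry_for` the iprope listing together with the interface index from `diagnose netlink interface list`; an interface whose index has no entry for TCP 8013 is the one that will fail the Security Fabric connection, exactly as the aggregate interface does in the article.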