FortiGate
jiyong
Staff
Article Id 339465
Description This article describes how to minimize service interruption when replacing an existing IPsec tunnel: a new tunnel is created, traffic is diverted to it, and only then is the old tunnel deleted.
Scope FortiGate.
Solution

Topology: (diagram image, not reproduced)

Step 1. Create the new tunnel ('vpn-2') between the center and branch FortiGates, alongside the existing tunnel ('vpn-1'):

 

config vpn ipsec phase1-interface
    edit "vpn-1"
        set interface "port7"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: vpn-1 (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 7.7.7.X
        set psksecret ENC CBuMfyxSck3828GgE6eipSVfwJrfsqp1QbAIWouLjgp41GnNFKJzRMuczE3ehvindrXcub/BGTzwuTwg32VyGqkcbWi28tu/acUb4LgeLQw51GLios60XLVuv2Ji4qtGTo7UHJDY9Y66nbqm23OS6i8wOeK6A3S3GyIlNCindzu54FKd+9i/VGp12xZe7HDfJMdJRA==
    next
    edit "vpn-2"
        set interface "port8"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: vpn-2 (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 8.8.8.X
        set psksecret ENC VBySHLmPWmZIEc34tCRtGTGp+lKOwKy/oXpNWlmUtygj6p7BbjVaB17WOkYvDQAFe0tKSY/2LncydGTb385/Yd/dSfLTNT8MhUv3Y2GmeiWQYCjWXZHsPAR88NVzePIlMTOir3kzIyXaYZgL/vWJnIXR3xbRlSuNq1UJ8eu3q451G8T6cQXzb5IF3h59Z7xQqKZxOA==
    next
end

 

config router static
    edit 3
        set device "vpn-1"
        set comment "VPN: vpn-1 (Created by VPN wizard)"
        set dstaddr "vpn-1_remote"
    next
    edit 7
        set priority 2
        set device "vpn-2"
        set comment "VPN: vpn-2 (Created by VPN wizard)"
        set dstaddr "vpn-2_remote"
    next
end

 

  • The new static route keeps the same distance as the existing tunnel's route (vpn-1) but a lower priority (priority value 2), so vpn-1 stays preferred while the vpn-2 route remains in the routing table as a backup.
  • At this point the newly created tunnel (vpn-2) shows as DOWN in the VPN Monitor.

 

Step 2. Bring the 'vpn-1' tunnel interface down to divert traffic to 'vpn-2'.
While the tunnels switch over, 5-6 pings may be lost because the new tunnel still has to be negotiated.

 

Before the 'vpn-1' tunnel interface is brought down:

 

diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=vpn-1 ver=1 serial=a 7.7.7.1:0->7.7.7.254:0 nexthop=0.0.0.0 tun_id=7.7.7.254 tun_id6=::7.7.7.254 dst_mtu=1500 dpd-link=on weight=1
bound_if=10 real_if=10 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=sync-primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=0 olast=0 ad=/0
stat: rxp=371 txp=375 rxb=26748 txb=27084
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=vpn-1 proto=0 sa=1 ref=4 serial=1
src: 0:10.0.200.0-10.0.200.255:0
dst: 0:10.0.3.0-10.0.3.255:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1438 expire=42705/0B replaywin=2048
seqno=178 esn=0 replaywin_lastseq=00000174 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42898/43200
dec: spi=b864d955 esp=aes key=16 e1633f2a9383562c0044d82c3ee0973b
ah=sha1 key=20 a19f5367cc8395ae64c1af2f73080a6b461e87e4
enc: spi=e64181a6 esp=aes key=16 131983020ef045b7a01775b6fe175226
ah=sha1 key=20 cc5d012af1d8314fb6a459fd1318090f3dfe7c87
dec:pkts/bytes=742/53496, enc:pkts/bytes=750/78196
npu_flag=00 npu_rgwy=7.7.7.254 npu_lgwy=7.7.7.1 npu_selid=8 dec_npuid=0 enc_npuid=0
run_tally=0
------------------------------------------------------
name=vpn-2 ver=1 serial=9 8.8.8.1:0->8.8.8.254:0 nexthop=0.0.0.0 tun_id=8.8.8.254 tun_id6=::8.8.8.254 dst_mtu=1500 dpd-link=on weight=1
bound_if=12 real_if=12 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=sync-primary accept_traffic=0 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=188 olast=188 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=vpn-2 proto=0 sa=0 ref=1 serial=1
src: 0:10.0.200.0-10.0.200.255:0
dst: 0:10.0.3.0-10.0.3.255:0
run_tally=0

proxyid_num=1 child_num=0 refcnt=3 ilast=276 olast=276 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=vpn-2 proto=0 sa=0 ref=1 serial=1
src: 0:10.0.200.0-10.0.200.255:0
dst: 0:10.0.3.0-10.0.3.255:0

 

After the 'vpn-1' tunnel interface is down:

FortigateVM-1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=vpn-1 ver=1 serial=a 7.7.7.1:0->7.7.7.254:0 nexthop=0.0.0.0 tun_id=7.7.7.254 tun_id6=::7.7.7.254 dst_mtu=1500 dpd-link=off weight=1
bound_if=10 real_if=10 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=sync-primary accept_traffic=0 overlay_id=0

proxyid_num=1 child_num=0 refcnt=3 ilast=11 olast=14 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=vpn-1 proto=0 sa=0 ref=1 serial=1
src: 0:10.0.200.0-10.0.200.255:0
dst: 0:10.0.3.0-10.0.3.255:0
run_tally=0
------------------------------------------------------
name=vpn-2 ver=1 serial=9 8.8.8.1:0->8.8.8.254:0 nexthop=0.0.0.0 tun_id=8.8.8.254 tun_id6=::8.8.8.254 dst_mtu=1500 dpd-link=on weight=1
bound_if=12 real_if=12 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=sync-primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=0 olast=0 ad=/0
stat: rxp=19 txp=19 rxb=1452 txb=1452
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=vpn-2 proto=0 sa=1 ref=4 serial=1
src: 0:10.0.200.0-10.0.200.255:0
dst: 0:10.0.3.0-10.0.3.255:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1438 expire=42886/0B replaywin=2048
seqno=14 esn=0 replaywin_lastseq=00000014 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42900/43200
dec: spi=b864d956 esp=aes key=16 09e9d747eb3b8120ac27b9a2bf935bbb
ah=sha1 key=20 fc502a2dd86822ffa966cce38d4fa53d0eee65f7
enc: spi=e64181a7 esp=aes key=16 eb375ae795af8d714556e80fd1e95fce
ah=sha1 key=20 22b0be415920353598b9055f6b9c5f403ca9f1ff
dec:pkts/bytes=38/2904, enc:pkts/bytes=38/4148
npu_flag=00 npu_rgwy=8.8.8.254 npu_lgwy=8.8.8.1 npu_selid=7 dec_npuid=0 enc_npuid=0
run_tally=0
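
Before going on to Step 3, the state to confirm is the one shown above: 'vpn-1' has no SA and accepts no traffic, while 'vpn-2' has an SA, accepts traffic and has passed packets both ways. The following Python check over 'diagnose vpn tunnel list' output is an added example, not part of this article or of FortiOS; the BEFORE and AFTER samples are constructed, abridged copies of the output above.

```python
import re
# Constructed samples abridged from the 'diagnose vpn tunnel list' output
# above: before and after the 'vpn-1' tunnel interface is brought down.
BEFORE = """\
name=vpn-1 ver=1 serial=a 7.7.7.1:0->7.7.7.254:0 dpd-link=on accept_traffic=1
stat: rxp=371 txp=375 rxb=26748 txb=27084
proxyid=vpn-1 proto=0 sa=1 ref=4 serial=1
name=vpn-2 ver=1 serial=9 8.8.8.1:0->8.8.8.254:0 dpd-link=on accept_traffic=0
stat: rxp=0 txp=0 rxb=0 txb=0
proxyid=vpn-2 proto=0 sa=0 ref=1 serial=1
"""
AFTER = """\
name=vpn-1 ver=1 serial=a 7.7.7.1:0->7.7.7.254:0 dpd-link=off accept_traffic=0
stat: rxp=0 txp=0 rxb=0 txb=0
proxyid=vpn-1 proto=0 sa=0 ref=1 serial=1
name=vpn-2 ver=1 serial=9 8.8.8.1:0->8.8.8.254:0 dpd-link=on accept_traffic=1
stat: rxp=19 txp=19 rxb=1452 txb=1452
proxyid=vpn-2 proto=0 sa=1 ref=4 serial=1
"""

def parse_tunnels(text):
    """Map tunnel name -> key=value fields; 'sa' is summed over the proxyid
    (phase2) lines so a tunnel with several selectors is handled."""
    tunnels, cur = {}, None
    for line in text.splitlines():
        if line.startswith("name="):
            cur = tunnels[line[5:].split()[0]] = {"sa": 0}
        if cur is None:
            continue                      # header text before any tunnel
        for key, val in re.findall(r"(\S+)=(\S+)", line):
            if key == "sa":
                cur["sa"] += int(val)
            else:
                cur[key] = val
    return tunnels

def cutover_ready(tunnels, old="vpn-1", new="vpn-2"):
    """(ok, problems): ok only when 'old' carries nothing (or is already gone)
    and 'new' has an SA, accepts traffic and has passed packets both ways."""
    problems = []
    o = tunnels.get(old)
    if o and (o["sa"] or o.get("accept_traffic") != "0"):
        problems.append(f"{old} still has an SA or accepts traffic")
    n = tunnels.get(new, {"sa": 0})
    if not n["sa"] or n.get("accept_traffic") != "1":
        problems.append(f"{new} has no SA or is not accepting traffic")
    if int(n.get("rxp", 0)) == 0 or int(n.get("txp", 0)) == 0:
        problems.append(f"{new} has not passed traffic in both directions")
    return not problems, problems
```

Run it on the live output of the command (for example pasted into a file) and delete 'vpn-1' only when it returns ok; the BEFORE sample fails on all three checks and the AFTER sample passes.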

 

Step 3. Delete the existing tunnel 'vpn-1'. After deletion, only 'vpn-2' remains in the tunnel list:

 

diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=vpn-2 ver=1 serial=9 8.8.8.1:0->8.8.8.254:0 nexthop=0.0.0.0 tun_id=8.8.8.254 tun_id6=::8.8.8.254 dst_mtu=1500 dpd-link=on weight=1
bound_if=12 real_if=12 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=sync-primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=0 olast=0 ad=/0
stat: rxp=1863 txp=1863 rxb=134436 txb=134436
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=vpn-2 proto=0 sa=1 ref=4 serial=1
src: 0:10.0.200.0-10.0.200.255:0
dst: 0:10.0.3.0-10.0.3.255:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1438 expire=41953/0B replaywin=2048
seqno=748 esn=0 replaywin_lastseq=00000748 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42900/43200
dec: spi=b864d956 esp=aes key=16 09e9d747eb3b8120ac27b9a2bf935bbb
ah=sha1 key=20 fc502a2dd86822ffa966cce38d4fa53d0eee65f7
enc: spi=e64181a7 esp=aes key=16 eb375ae795af8d714556e80fd1e95fce
ah=sha1 key=20 22b0be415920353598b9055f6b9c5f403ca9f1ff
dec:pkts/bytes=3726/268872, enc:pkts/bytes=3726/388204
npu_flag=00 npu_rgwy=8.8.8.254 npu_lgwy=8.8.8.1 npu_selid=7 dec_npuid=0 enc_npuid=0
run_tally=0

 

  • No ping loss occurs when the 'vpn-1' tunnel is deleted on the center and branch FortiGates.