FortiGate
DiegoBernardelli
Article Id 244414
Description: This article describes how to synchronize and verify an IPsec tunnel with FGSP (FortiGate Session Life Support Protocol).
Scope

FortiGate v7.0, FortiOS 7.2.

 

Related document:  https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/668583/fgsp

Solution

Scenario:

In this scenario there are two FortiGates in an FGSP group, plus a remote VPN gateway:

'FGT-1' acting as the primary.

'FGT-2' acting as the backup.

A remote VPN gateway (10.100.100.3) that terminates the IPsec tunnel.

 

              REMOTE VPN GATEWAY
                 10.100.100.3
                      |
                      |
   10.100.100.1       |       10.100.100.2
        FGT-1 --------+-------- FGT-2
   192.168.1.1 ---------------- 192.168.1.2   (FGSP sync link)

 

Review FGSP configuration:

 

FGT-1 (global) # sh sys standalone-cluster
config system standalone-cluster

    set standalone-group-id 1 <----- Every member of the FGSP group must use the same group ID.
    set group-member-id 5  <----- Each FGSP member must have a unique member ID.
end

 

FGT-1 (global) # sh sys cluster-sync
config system cluster-sync
    edit 1
        set peerip 192.168.1.2  <----- FGSP sync interface IP on 'FGT-2'.
        set syncvd "root" "VD1" <----- Local VDOMs to be synchronized with 'FGT-2'.
    next
end

 

FGT-2 (global) # sh sys standalone-cluster
config system standalone-cluster

    set standalone-group-id 1
    set group-member-id 6
end

 

FGT-2 (global) # sh sys cluster-sync
config system cluster-sync
    edit 1
        set peerip 192.168.1.1 
        set syncvd "root" "VD1"
    next
end

 

Enable session sync on both nodes:

 

# config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-expectation enable
    set session-pickup-nat enable
end

 

Configure VPN and enable FGSP sync:

 

On 'FGT-1':

 

# config vpn ipsec phase1-interface
    edit "test"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 
        set fgsp-sync enable  <----- Disabled by default.
        set remote-gw 10.100.100.3
        set psksecret "psk"
    next
end

 

On 'FGT-2':

 

# config vpn ipsec phase1-interface
    edit "test"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 
        set fgsp-sync enable
        set remote-gw 10.100.100.3
        set psksecret "psk"
    next
end

 

Verify the sync. On both members the tunnel should show the same SPIs and keys; only the 'role' field differs ('sync-primary' on 'FGT-1', 'standby' on 'FGT-2'):

 

FGT-1 (root) # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=test ver=2 serial=1 10.100.100.1:0->10.100.100.3:0 tun_id=10.5.5.1 tun_id6=::10.5.5.1 dst_mtu=1800 dpd-link=on weight=1
bound_if=27 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=sync-primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=43096377 olast=43096377 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=test proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1280 expire=42639/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42902/43200
dec: spi=55bf2575 esp=aes key=16 208cecf80965c37b8a6912c69213c440
ah=sha1 key=20 bff9297474f072b3d84719bf75d6ba1135f0b9c1
enc: spi=db7e30c7 esp=aes key=16 cda33b33193a997cf64f3229eafb4ae3
ah=sha1 key=20 b7dd2e13d03a95afa7bb4ea086f185aa00dbc0d7
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=10.100.100.3 npu_lgwy=10.100.100.1 npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=0

 

FGT-2 (root) # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=test ver=2 serial=1 10.100.100.2:0->10.100.100.3:0 tun_id=10.5.5.2 tun_id6=::10.5.5.2 dst_mtu=1800 dpd-link=on weight=1
bound_if=26 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=standby accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=43097472 olast=43097472 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=test proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1280 expire=42675/0B replaywin=2048
seqno=10000001 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42902/43200
dec: spi=55bf2575 esp=aes key=16 208cecf80965c37b8a6912c69213c440
ah=sha1 key=20 bff9297474f072b3d84719bf75d6ba1135f0b9c1
enc: spi=db7e30c7 esp=aes key=16 cda33b33193a997cf64f3229eafb4ae3
ah=sha1 key=20 b7dd2e13d03a95afa7bb4ea086f185aa00dbc0d7
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=10.100.100.3 npu_lgwy=10.100.100.2 npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=0

 

 

Once the IPsec traffic is sent to 'FGT-2' (10.100.100.2) instead, the roles are swapped and no re-negotiation is required, as FGSP synchronizes all the SAs and SPIs.
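Checking the two 'diagnose vpn tunnel list' outputs by hand is error-prone on a busy box, so the following added script (not part of the article or of FortiOS) parses the relevant lines from both members and reports any SPI, algorithm, key or role mismatch. The sample outputs are constructed from the article's values; the tunnel name 'test' and the field names are assumptions based on the output shown above.

```python
import re

# Constructed samples: the relevant lines of the 'diagnose vpn tunnel list'
# output shown above for FGT-1 and FGT-2 (SPIs and keys as in the article).
FGT1_OUT = """name=test ver=2 serial=1 10.100.100.1:0->10.100.100.3:0 tun_id=10.5.5.1
bound_if=27 lgwy=static/1 tun=intf mode=auto/1 run_state=0 role=sync-primary accept_traffic=1
dec: spi=55bf2575 esp=aes key=16 208cecf80965c37b8a6912c69213c440
enc: spi=db7e30c7 esp=aes key=16 cda33b33193a997cf64f3229eafb4ae3
"""
# FGT-2 differs only in its local gateway address, interface index and FGSP role.
FGT2_OUT = FGT1_OUT.replace("10.100.100.1:0", "10.100.100.2:0").replace(
    "bound_if=27", "bound_if=26").replace("role=sync-primary", "role=standby")

NAME_RE = re.compile(r"^name=(\S+) .*?(\d+(?:\.\d+){3}):\d+->(\d+(?:\.\d+){3}):\d+")
SA_RE = re.compile(r"^(dec|enc): spi=([0-9a-f]+) esp=(\S+) key=\d+ ([0-9a-f]+)")


def parse_tunnels(output):
    """Map tunnel name -> gateways, FGSP role and the inbound/outbound ESP SAs."""
    tunnels, cur = {}, None
    for line in output.splitlines():
        if m := NAME_RE.match(line):          # start of a new tunnel record
            cur = {"lgwy": m[2], "rgwy": m[3], "role": None, "sa": {}}
            tunnels[m[1]] = cur
        elif cur is None:
            continue
        elif m := re.search(r"\brole=(\S+)", line):
            cur["role"] = m[1]
        elif m := SA_RE.match(line):          # dec: / enc: SA lines
            cur["sa"][m[1]] = {"spi": m[2], "esp": m[3], "key": m[4]}
    return tunnels


def check_fgsp_sync(primary_out, standby_out, name):
    """Compare one tunnel on two FGSP members; return (in_sync, findings)."""
    p = parse_tunnels(primary_out).get(name)
    s = parse_tunnels(standby_out).get(name)
    if p is None or s is None:
        return False, [f"tunnel {name} missing on one member"]
    findings = []
    if {p["role"], s["role"]} != {"sync-primary", "standby"}:
        findings.append(f"unexpected roles: {p['role']} / {s['role']}")
    if p["rgwy"] != s["rgwy"]:
        findings.append("remote gateway differs")
    for d in ("dec", "enc"):
        if d not in p["sa"] or d not in s["sa"]:
            findings.append(f"{d} SA missing on one member")
            continue
        for f in ("spi", "esp", "key"):
            if p["sa"][d][f] != s["sa"][d][f]:
                findings.append(f"{d} {f} mismatch: {p['sa'][d][f]} != {s['sa'][d][f]}")
    return not findings, findings
```

Feed it the real output captured from each member (for example via SSH) and treat any finding as a sign that FGSP has not synchronized the SA, in which case a failover would force a fresh IKE negotiation.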

 

Note:

For FGSP to synchronize sessions properly, the session information sent by one FGSP group member must be installable in the other members' session tables. Configuration elements such as the logical names used in firewall policies, IPsec interface names, VDOM names and firewall policy tables must therefore match on all members.