Scenario:
In this scenario there are two FortiGates in one FGSP group:
'FGT-1', acting as the primary.
'FGT-2', acting as the backup. Both terminate the same IPsec tunnel to the remote VPN gateway (10.100.100.3).
             REMOTE VPN GATEWAY
                10.100.100.3
                      |
                      |
                      |
      10.100.100.1    |    10.100.100.2
           FGT-1 ---------------- FGT-2
       192.168.1.1             192.168.1.2
                  (FGSP sync link)
Review FGSP configuration:
FGT-1 (global) # sh sys standalone-cluster
config system standalone-cluster
    set standalone-group-id 1    <----- Each member of the FGSP group must use this ID.
    set group-member-id 5        <----- Each FGSP member must have a unique ID.
end
FGT-1 (global) # sh sys cluster-sync
config system cluster-sync
    edit 1
        set peerip 192.168.1.2       <----- FGSP sync interface IP on 'FGT-2'.
        set syncvd "root" "VD1"      <----- Local VDOMs to be synchronized with 'FGT-2'.
    next
end
FGT-2 (global) # sh sys standalone-cluster
config system standalone-cluster
    set standalone-group-id 1    <----- Same group ID as 'FGT-1'.
    set group-member-id 6        <----- Different member ID from 'FGT-1'.
end
FGT-2 (global) # sh sys cluster-sync
config system cluster-sync
    edit 1
        set peerip 192.168.1.1       <----- FGSP sync interface IP on 'FGT-1'.
        set syncvd "root" "VD1"
    next
end
Enable session synchronization on both nodes (the same settings on each member):
# config system ha
    set session-pickup enable                  <----- Required; without it FGSP syncs nothing.
    set session-pickup-connectionless enable   <----- Also sync UDP/ICMP sessions.
    set session-pickup-expectation enable      <----- Also sync expectation sessions (e.g. FTP data, SIP media).
    set session-pickup-nat enable              <----- Also sync NATed sessions.
end
Configure the VPN and enable FGSP sync for it:
On 'FGT-1':
# config vpn ipsec phase1-interface
    edit "test"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set fgsp-sync enable          <----- Disabled by default.
        set remote-gw 10.100.100.3
        set psksecret "psk"           <----- Lab value; use a long, random PSK in production.
    next
end
On 'FGT-2' (the phase1 name and settings must match 'FGT-1'):
# config vpn ipsec phase1-interface
    edit "test"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set fgsp-sync enable
        set remote-gw 10.100.100.3
        set psksecret "psk"
    next
end
Verify the sync. On the node that negotiated the tunnel the role is 'sync-primary'; on the peer it is 'standby'. The SPIs (and keys) of the inbound ('dec') and outbound ('enc') SAs are identical on both nodes, which is what proves the SAs were installed by FGSP rather than negotiated separately:
FGT-1 (root) # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=test ver=2 serial=1 10.100.100.1:0->10.100.100.3:0 tun_id=10.5.5.1 tun_id6=::10.5.5.1 dst_mtu=1800 dpd-link=on weight=1
bound_if=27 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=sync-primary accept_traffic=1 overlay_id=0    <----- 'FGT-1' owns the tunnel.

proxyid_num=1 child_num=0 refcnt=4 ilast=43096377 olast=43096377 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=test proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1280 expire=42639/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42902/43200
  dec: spi=55bf2575 esp=aes key=16 208cecf80965c37b8a6912c69213c440    <----- Same inbound SPI as on 'FGT-2'.
       ah=sha1 key=20 bff9297474f072b3d84719bf75d6ba1135f0b9c1
  enc: spi=db7e30c7 esp=aes key=16 cda33b33193a997cf64f3229eafb4ae3    <----- Same outbound SPI as on 'FGT-2'.
       ah=sha1 key=20 b7dd2e13d03a95afa7bb4ea086f185aa00dbc0d7
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=10.100.100.3 npu_lgwy=10.100.100.1 npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=0

FGT-2 (root) # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=test ver=2 serial=1 10.100.100.2:0->10.100.100.3:0 tun_id=10.5.5.2 tun_id6=::10.5.5.2 dst_mtu=1800 dpd-link=on weight=1
bound_if=26 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=standby accept_traffic=1 overlay_id=0    <----- Installed by FGSP, not negotiated locally.

proxyid_num=1 child_num=0 refcnt=4 ilast=43097472 olast=43097472 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=test proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1280 expire=42675/0B replaywin=2048
       seqno=10000001 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42902/43200
  dec: spi=55bf2575 esp=aes key=16 208cecf80965c37b8a6912c69213c440    <----- Identical to 'FGT-1'.
       ah=sha1 key=20 bff9297474f072b3d84719bf75d6ba1135f0b9c1
  enc: spi=db7e30c7 esp=aes key=16 cda33b33193a997cf64f3229eafb4ae3    <----- Identical to 'FGT-1'.
       ah=sha1 key=20 b7dd2e13d03a95afa7bb4ea086f185aa00dbc0d7
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=10.100.100.3 npu_lgwy=10.100.100.2 npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=0
Once the IPsec traffic is steered to 'FGT-2' (10.100.100.2), the roles swap ('FGT-2' becomes 'sync-primary') and no IKE/IPsec re-negotiation is required, because FGSP has already synchronized all SAs and SPIs to the peer. This is what makes the failover transparent to the remote gateway.
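The verification above is done by eye. The following script is an added example (not part of the Fortinet article, and not a FortiOS tool): it parses the 'diagnose vpn tunnel list' output from both members and flags a tunnel whose roles are not sync-primary/standby or whose SPIs differ, which is the sign that the peer negotiated its own SAs instead of receiving them from FGSP. The two "good" outputs are trimmed copies of the article's output; the "unsynced" FGT-2 output is constructed for the negative case, and the tunnel name, SPIs and roles in it are assumed values.

```python
import re

# Trimmed copies of the article's 'diagnose vpn tunnel list' output. Only the
# fields the check reads (name, role, dec/enc SPI) are kept.
FGT1_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=test ver=2 serial=1 10.100.100.1:0->10.100.100.3:0 tun_id=10.5.5.1 dpd-link=on weight=1
bound_if=27 lgwy=static/1 tun=intf mode=auto/1 run_state=0 role=sync-primary accept_traffic=1
proxyid=test proto=0 sa=1 ref=2 serial=1
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1280 expire=42639/0B replaywin=2048
  dec: spi=55bf2575 esp=aes key=16 208cecf80965c37b8a6912c69213c440
  enc: spi=db7e30c7 esp=aes key=16 cda33b33193a997cf64f3229eafb4ae3
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
"""

FGT2_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=test ver=2 serial=1 10.100.100.2:0->10.100.100.3:0 tun_id=10.5.5.2 dpd-link=on weight=1
bound_if=26 lgwy=static/1 tun=intf mode=auto/1 run_state=0 role=standby accept_traffic=1
proxyid=test proto=0 sa=1 ref=2 serial=1
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1280 expire=42675/0B replaywin=2048
  dec: spi=55bf2575 esp=aes key=16 208cecf80965c37b8a6912c69213c440
  enc: spi=db7e30c7 esp=aes key=16 cda33b33193a997cf64f3229eafb4ae3
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
"""

# Constructed failure case (assumed values): FGT-2 is 'standby' in name only and
# holds SAs with different SPIs, i.e. it negotiated its own tunnel.
FGT2_UNSYNCED_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=test ver=2 serial=1 10.100.100.2:0->10.100.100.3:0 tun_id=10.5.5.2 dpd-link=on weight=1
bound_if=26 lgwy=static/1 tun=intf mode=auto/1 run_state=0 role=standby accept_traffic=1
proxyid=test proto=0 sa=1 ref=2 serial=1
  dec: spi=0a1b2c3d esp=aes key=16 00000000000000000000000000000000
  enc: spi=4e5f6071 esp=aes key=16 11111111111111111111111111111111
"""


def parse_tunnels(output):
    """Return {tunnel_name: {"role": str|None, "dec_spi": [...], "enc_spi": [...]}}.

    A line starting with 'name=' opens a new tunnel block; role and SA SPIs are
    collected from any later line of that block, so it does not matter whether
    FortiOS prints 'role=' on the name line or on the following one.
    """
    tunnels = {}
    current = None
    for line in output.splitlines():
        m = re.match(r"name=(\S+)", line)
        if m:
            current = m.group(1)
            tunnels[current] = {"role": None, "dec_spi": [], "enc_spi": []}
        if current is None:
            continue
        t = tunnels[current]
        m = re.search(r"\brole=(\S+)", line)
        if m:
            t["role"] = m.group(1)
        # 'dec: spi=' (with the space) is the SA line; 'dec:pkts/bytes' is not.
        m = re.search(r"\bdec: spi=([0-9a-f]+)", line)
        if m:
            t["dec_spi"].append(m.group(1))
        m = re.search(r"\benc: spi=([0-9a-f]+)", line)
        if m:
            t["enc_spi"].append(m.group(1))
    return tunnels


def check_fgsp_sync(primary_out, backup_out):
    """Compare both members' tunnels. Return (all_ok, list_of_findings)."""
    primary, backup = parse_tunnels(primary_out), parse_tunnels(backup_out)
    findings = []
    for name in sorted(set(primary) | set(backup)):
        if name not in primary or name not in backup:
            findings.append(f"{name}: present on only one member (config mismatch?)")
            continue
        p, b = primary[name], backup[name]
        if (p["role"], b["role"]) != ("sync-primary", "standby"):
            findings.append(f"{name}: roles {p['role']}/{b['role']}, expected sync-primary/standby")
        if not p["dec_spi"] and not b["dec_spi"]:
            findings.append(f"{name}: no SA installed on either member (tunnel down)")
        elif p["dec_spi"] != b["dec_spi"] or p["enc_spi"] != b["enc_spi"]:
            findings.append(
                f"{name}: SPIs differ (primary dec={p['dec_spi']} enc={p['enc_spi']}; "
                f"backup dec={b['dec_spi']} enc={b['enc_spi']}) - SAs were not synced by FGSP"
            )
    return (not findings, findings)


if __name__ == "__main__":
    for label, backup in (("FGT-2 synced", FGT2_OUTPUT), ("FGT-2 unsynced (constructed)", FGT2_UNSYNCED_OUTPUT)):
        ok, findings = check_fgsp_sync(FGT1_OUTPUT, backup)
        print(f"{label}: {'OK' if ok else 'MISMATCH'}")
        for f in findings:
            print("  -", f)
```

In practice, capture 'diagnose vpn tunnel list' from both members (for example over SSH) and feed the two strings to check_fgsp_sync(); a finding of differing SPIs with matching tunnel names usually points at fgsp-sync being disabled on one phase1, or at a phase1/VDOM name mismatch of the kind described in the note below.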
Note:
FGSP synchronizes sessions by taking the session information sent by one group member and installing it directly into the other members' session tables. For that to work, everything the session entries reference must be identical on all members: logical names used in firewall policies, IPsec interface (phase1) names, VDOM names, the firewall policy table (policy IDs), and so on.