FortiGate
acvaldez
Staff
Article Id 253455
Description

This article describes how to use the exchange-interface-ip setting in a FortiGate IPsec tunnel (phase1-interface) configuration, and how to verify that the peer's tunnel IP has actually been learned.

Scope

FortiGate.

Solution

Scenario:

This Fortinet-specific setting allows two FortiGates to exchange their tunnel IP addresses (also called overlay IP addresses) during IKE SA negotiation, so that each side learns the peer's tunnel IP without it being configured statically.

Typical use cases include:

  • ADVPN: spokes learn each other's tunnel IP during shortcut negotiation.
  • Dialup VPN: the dialup server (hub) learns the tunnel IP of each dialup client (spoke).

In the scenario below an overlay IP is configured on each end of an IPsec site-to-site tunnel, but FGT B does not see the remote virtual interface address: in the output of diag vpn ike gateway list the remote side of virtual-interface-addr is still 0.0.0.0.

 

FGT A:

FGT_1 (root) # diag vpn ike gateway list
vd: root/0
name: SiteA-to-SiteB
version: 1
interface: port1 3
addr: 10.47.2.86:500 -> 10.47.1.80:500
tun_id: 10.47.1.80/::10.47.1.80
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 1.1.1.1 -> 1.1.1.2
created: 2028s ago
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 42 3a5806a029430704/38637eb460746826
  direction: initiator
  status: established 2028-2028s ago = 0ms
  proposal: aes128-sha256
  key: fc443e8594fa5be2-eae13f4db24b4d78
  lifetime/rekey: 86400/84071
  DPD sent/recv: 000000b1/00000000


FGT B:

FGT2 # diag vpn ike gateway list
vd: root/0
name: SiteB-to-SiteA
version: 1
interface: port1 3
addr: 10.47.1.80:500 -> 10.47.2.86:500
tun_id: 10.47.1.42/::10.47.1.42
remote_location: 0.0.0.0
virtual-interface-addr: 1.1.1.2 -> 0.0.0.0
created: 5s ago
IKE SA: created 1/1  established 1/1  time 3010/3010/3010 ms
IPsec SA: created 0/0

  id/spi: 88 c1718e324764386b/d65d4e488943caa3
  direction: responder
  status: established 5-2s ago = 3010ms
  proposal: aes128-sha256
  key: c5a5f3d03a2b9d54-ee76ddcb919e6e3d
  lifetime/rekey: 86400/86127
  DPD sent/recv: 00000000/00000000


Solution:

Enable exchange-interface-ip in the phase1-interface configuration on both peers; enabling it on one side only is not enough, because each FortiGate has to both send and accept the attribute.

FGT A:

FGT_1 (root) # config vpn ipsec phase1-interface
FGT_1 (phase1-interface) # edit SiteA-to-SiteB
FGT_1 (SiteA-to-SiteB) # set exchange-interface-ip enable
FGT_1 (SiteA-to-SiteB) # end

FGT B:

FGT2 # config vpn ipsec phase1-interface
FGT2 (phase1-interface) # edit SiteB-to-SiteA
FGT2 (SiteB-to-SiteA) # set exchange-interface-ip enable
FGT2 (SiteB-to-SiteA) # end


Result:

FGT A:

FGT_1 (root) # diag vpn ike gateway list
vd: root/0
name: SiteA-to-SiteB
version: 1
interface: port1 3
addr: 10.47.2.86:500 -> 10.47.1.80:500
tun_id: 10.47.1.80/::10.47.1.80
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 1.1.1.1 -> 1.1.1.2
created: 248s ago
IKE SA: created 1/2  established 1/2  time 0/1505/3010 ms
IPsec SA: created 1/3  established 1/3  time 0/3/10 ms

  id/spi: 44 dd252f768a70b65c/da730f5822a63bd0
  direction: responder
  status: established 62-62s ago = 0ms
  proposal: aes128-sha256
  key: cf2043f5089e030c-a3786083706517b7
  lifetime/rekey: 86400/86067
  DPD sent/recv: 00000000/00000000

FGT B:

FGT2 # diag vpn ike gateway list
vd: root/0
name: SiteB-to-SiteA
version: 1
interface: port1 3
addr: 10.47.1.80:500 -> 10.47.2.86:500
tun_id: 10.47.1.42/::10.47.1.42
remote_location: 0.0.0.0
virtual-interface-addr: 1.1.1.2 -> 1.1.1.1
created: 30s ago
IKE SA: created 1/1  established 1/1  time 3010/3010/3010 ms
IPsec SA: created 0/1  established 0/1  time 0/0/0 ms

  id/spi: 89 dd252f768a70b65c/da730f5822a63bd0
  direction: initiator
  status: established 30-27s ago = 3010ms
  proposal: aes128-sha256
  key: cf2043f5089e030c-a3786083706517b7
  lifetime/rekey: 86400/86072
  DPD sent/recv: 00000000/00000000

After the IKE SA is renegotiated with the setting enabled on both peers, FGT B shows virtual-interface-addr: 1.1.1.2 -> 1.1.1.1, i.e. it has learned FGT A's tunnel IP over IKE. The SPI is the same on both sides (dd252f768a70b65c/da730f5822a63bd0), confirming that both captures show the same, newly negotiated IKE SA.


The exchange-interface-ip setting is a good alternative to IKE mode config. Instead of having one side assign tunnel addresses to the other through mode config, each FortiGate keeps its locally configured tunnel IP and the two peers exchange those addresses over IKE.

Note that FortiGate carries the address in a Fortinet proprietary IKE attribute, which means the exchange works only when both peers are FortiGates. With a third-party IKE peer the setting has no effect and the remote tunnel IP has to be configured locally on each side.
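As an added verification check, not part of the original article or of FortiOS, the following Python script parses diag vpn ike gateway list output and flags every tunnel whose IKE SA is up but whose remote virtual-interface-addr is still 0.0.0.0, which is what the Result section shows before the setting was enabled and what a non-FortiGate peer would leave behind. It assumes the key: value layout of the captures above; the two sample captures embedded in it are constructed from this article's FGT B before/after output.

```python
"""Flag IKE gateways whose remote overlay (tunnel) IP was not exchanged.

Added example, not from the original article or from FortiOS. It assumes
the 'key: value' layout of `diag vpn ike gateway list`; the samples below
are constructed from the article's FGT B before/after captures.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: FGT B before exchange-interface-ip was enabled.
BEFORE = """\
vd: root/0
name: SiteB-to-SiteA
version: 1
interface: port1 3
addr: 10.47.1.80:500 -> 10.47.2.86:500
tun_id: 10.47.1.42/::10.47.1.42
remote_location: 0.0.0.0
virtual-interface-addr: 1.1.1.2 -> 0.0.0.0
created: 5s ago
IKE SA: created 1/1  established 1/1  time 3010/3010/3010 ms
IPsec SA: created 0/0

  id/spi: 88 c1718e324764386b/d65d4e488943caa3
  direction: responder
  status: established 5-2s ago = 3010ms
"""

# Constructed sample: FGT B after enabling exchange-interface-ip on both peers.
AFTER = """\
vd: root/0
name: SiteB-to-SiteA
version: 1
interface: port1 3
addr: 10.47.1.80:500 -> 10.47.2.86:500
tun_id: 10.47.1.42/::10.47.1.42
remote_location: 0.0.0.0
virtual-interface-addr: 1.1.1.2 -> 1.1.1.1
created: 30s ago
IKE SA: created 1/1  established 1/1  time 3010/3010/3010 ms
IPsec SA: created 0/1  established 0/1  time 0/0/0 ms
"""

UNKNOWN = "0.0.0.0"  # value FortiOS prints when the peer's tunnel IP is not known


@dataclass
class IkeGateway:
    """One gateway record; `fields` holds each 'key: value' line after 'name:'."""
    name: str
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def overlay(self) -> tuple[str, str]:
        """(local, remote) taken from 'virtual-interface-addr: local -> remote'."""
        raw = self.fields.get("virtual-interface-addr", "")
        if "->" not in raw:
            return ("", "")
        local, remote = (part.strip() for part in raw.split("->", 1))
        return (local, remote)

    @property
    def ike_sa_active(self) -> int:
        """First number of 'established a/b' on the 'IKE SA' line (assumed to be
        the currently active count, the second being cumulative, as in the
        article's 'created 1/2  established 1/2' after a rekey)."""
        match = re.search(r"established\s+(\d+)/(\d+)", self.fields.get("IKE SA", ""))
        return int(match.group(1)) if match else 0


def parse_gateway_list(text: str) -> list[IkeGateway]:
    """Split the command output into gateway records; each starts at a 'name:' line."""
    gateways: list[IkeGateway] = []
    current: IkeGateway | None = None
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:  # blank lines and anything that is not 'key: value'
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "name":
            current = IkeGateway(name=value)
            gateways.append(current)
        elif current is not None:
            # Keep the first occurrence so gateway-level fields are not
            # overwritten by repeated per-SA lines when several SAs exist.
            current.fields.setdefault(key, value)
    return gateways


def missing_remote_overlay(text: str) -> list[tuple[str, str]]:
    """Return (tunnel name, detail) for every gateway whose IKE SA is up but whose
    remote overlay IP is still 0.0.0.0: the peer's tunnel IP was not exchanged,
    so exchange-interface-ip is off on at least one side or the peer is not a FortiGate."""
    findings = []
    for gw in parse_gateway_list(text):
        local, remote = gw.overlay
        if gw.ike_sa_active and remote in ("", UNKNOWN):
            detail = f"local overlay {local or 'unset'}, remote overlay {remote or 'absent'}"
            findings.append((gw.name, detail))
    return findings


if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        print(label, missing_remote_overlay(capture) or "all remote overlay IPs learned")
```

Feed it the real command output (for example captured over SSH from each peer) and treat any finding on a tunnel that is supposed to be FortiGate-to-FortiGate as a configuration gap to fix on the side that still has the setting disabled; a finding on a tunnel to a third-party peer is expected and only tells you that the tunnel IPs on that link must be configured statically.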