|
Scenario:
This Fortinet-specific setting allows two FortiGates to exchange their tunnel IP (aka, overlay IP) addresses during IKE SA negotiation.
Typical use cases include:
- Allows ADVPN Spokes to learn each other's tunnel IP during shortcut negotiation.
- Allows a dial-up server (Hub) to learn the tunnel IP of each dial-up client (Spoke).
Take for example when an overlay IP on the IPsec site-to-site tunnel is configured, and it is not possible to see the remote virtual interface address on 'FGT B' when running diagnose vpn ike gateway list.
'FGT A':
FGT_1 (root) # diagnose vpn ike gateway list
vd: root/0
name: SiteA-to-SiteB
version: 1
interface: port1 3
addr: 10.47.2.86:500 -> 10.47.1.80:500
tun_id: 10.47.1.80/::10.47.1.80
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 1.1.1.1 -> 1.1.1.2
created: 2028s ago
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
id/spi: 42 3a5806a029430704/38637eb460746826
direction: initiator
status: established 2028-2028s ago = 0ms
proposal: aes128-sha256
key: fc443e8594fa5be2-eae13f4db24b4d78
lifetime/rekey: 86400/84071
DPD sent/recv: 000000b1/00000000
'FGT B':
FGT2 # diagnose vpn ike gateway list
vd: root/0
name: SiteB-to-SiteA
version: 1
interface: port1 3
addr: 10.47.1.80:500 -> 10.47.2.86:500
tun_id: 10.47.1.42/::10.47.1.42
remote_location: 0.0.0.0
virtual-interface-addr: 1.1.1.2 -> 0.0.0.0 <----- Peer tunnel IP 0.0.0.0.
created: 5s ago
IKE SA: created 1/1 established 1/1 time 3010/3010/3010 ms
IPsec SA: created 0/0
id/spi: 88 c1718e324764386b/d65d4e488943caa3
direction: responder
status: established 5-2s ago = 3010ms
proposal: aes128-sha256
key: c5a5f3d03a2b9d54-ee76ddcb919e6e3d
lifetime/rekey: 86400/86127
DPD sent/recv: 00000000/00000000
Solution:
'FGT A':
FGT_1 (root) # config vpn ipsec phase1-interface
FGT_1 (phase1-interface) # edit SiteA-to-SiteB
FGT_1 (SiteA-to-SiteB) # set exchange-interface-ip enable
FGT_1 (SiteA-to-SiteB) # end
'FGT B':
FGT2 # config vpn ipsec phase1-interface
FGT2 (phase1-interface) # edit SiteB-to-SiteA
FGT2 (SiteB-to-SiteA) # set exchange-interface-ip enable
FGT2 (SiteB-to-SiteA) # end
Result:
'FGT A':
FGT_1 (root) # diagnose vpn ike gateway list
vd: root/0
name: SiteA-to-SiteB
version: 1
interface: port1 3
addr: 10.47.2.86:500 -> 10.47.1.80:500
tun_id: 10.47.1.80/::10.47.1.80
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 1.1.1.1 -> 1.1.1.2
created: 248s ago
IKE SA: created 1/2 established 1/2 time 0/1505/3010 ms
IPsec SA: created 1/3 established 1/3 time 0/3/10 ms
id/spi: 44 dd252f768a70b65c/da730f5822a63bd0
direction: responder
status: established 62-62s ago = 0ms
proposal: aes128-sha256
key: cf2043f5089e030c-a3786083706517b7
lifetime/rekey: 86400/86067
DPD sent/recv: 00000000/00000000
'FGT B':
FGT2 # diagnose vpn ike gateway list
vd: root/0
name: SiteB-to-SiteA
version: 1
interface: port1 3
addr: 10.47.1.80:500 -> 10.47.2.86:500
tun_id: 10.47.1.42/::10.47.1.42
remote_location: 0.0.0.0
virtual-interface-addr: 1.1.1.2 -> 1.1.1.1 <----- Peer tunnel IP exchanged.
created: 30s ago
IKE SA: created 1/1 established 1/1 time 3010/3010/3010 ms
IPsec SA: created 0/1 established 0/1 time 0/0/0 ms
id/spi: 89 dd252f768a70b65c/da730f5822a63bd0
direction: initiator
status: established 30-27s ago = 3010ms
proposal: aes128-sha256
key: cf2043f5089e030c-a3786083706517b7
lifetime/rekey: 86400/86072
DPD sent/recv: 00000000/00000000
IPs to the IPsec interfaces can be assigned statically, by DHCP, or by mode config.
For one FortiGate to know its IPsec neighbor peer, the IP 'exchange-interface-ip'setting is used to exchange the overlay interface IP addresses between peers.
'exchange-ip-addr4'can be used to explicitly announce the IP address willing to be exchanged. It may be any desired IP (usually used on ADVPN with BGP on loopback scenarios). If the option is not available to be used, enable 'exchange-interface-ip' prior to it.
Note:
In case of phase-1 up and phase-2 down, FortiGate will keep the route associated with exchange-ip-addr4 active in the routing table, because the 'exchange-ip-addr4' is part of the phase-1 configuration and is exchanged during phase-1
If auto-discovery options (sender and receiver) and 'exchange-interface-ip' are both disabled, the tunnel_id on FortiGate HUB will be the remote gateway IP instead of the remote IPSec tunnel interface IP.
Under this condition, HUB will no longer forward the packets since it is unable to find the correct SA to encrypt the packet.
negotiation.
This behavior is shown in the next example, where HUB debug flow shows that traffic is not encrypted because no tunnel_id associated with an IPsec SA is found:
id=65308 trace_id=137117 func=print_pkt_detail line=5932 msg="vd-root:0 received a packet(proto=1, 3.2.1.1:3359->1.2.3.4:2048) tun_id=0.0.0.0 from Internal1. type=8, code=0, id=3359, seq=64992."
id=65308 trace_id=137117 func=init_ip_session_common line=6124 msg="allocate a new session-02c267e1"
id=65308 trace_id=137117 func=iprope_dnat_check line=5480 msg="in-[Internal1], out-[]"
id=65308 trace_id=137117 func=iprope_dnat_tree_check line=824 msg="len=0"
id=65308 trace_id=137117 func=iprope_dnat_check line=5505 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=137117 func=rpdb_srv_match_input line=1150 msg="Match policy routing id=2146172933: to 1.2.3.4 via ifindex-28"
id=65308 trace_id=137117 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag=00000000 gw-10.143.240.3 via HUB-ISP-WAN-1"
id=65308 trace_id=137117 func=__iprope_fwd_check line=810 msg="in-[Internal1], out-[HUB-ISP-WAN-1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
...
id=65308 trace_id=137117 func=fw_forward_handler line=1001 msg="Allowed by Policy-13:"
id=65308 trace_id=137117 func=ip_session_confirm_final line=3131 msg="npu_state=0x40101, hook=4"
id=65308 trace_id=137117 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface HUB-ISP-WAN-1, tun_id=0.0.0.0"
The output of 'diagnose vpn ike gateway list name HUB-ISP-WAN-1' does not contain the remote IPSec tunnel interface IP (overlay IP), neither on the tunnel_id nor the virtual-interface-addr:
FGT-HUB # diagnose vpn ike gateway list name HUB-ISP-WAN-1_3
vd: root/1
name: HUB-ISP-WAN-1_3
version: 2
interface: VLAN_INET 9
addr: 150.210.120.110:500 -> 196.57.89.218:500
tun_id: 196.57.89.218/::10.0.0.188 <----
remote_location: 0.0.0.0
network-id: 1
transport: UDP
virtual-interface-addr: 10.13.140.1 -> 10.13.140.2 <----
created: 459s ago
peer-id: 186.67.99.238
peer-id-auth: no
pending-queue: 0
After 'exchange-interface-ip' is enabled on both peers, the overlay IP is exchanged during VPN IKE negotiation, and that IP is used as tunnel_id and virtual-interface-addr:
2025-06-17 18:24:26.434254 ike V=root:1:HUB-ISP-WAN-1:344188: responder received AUTH msg
2025-06-17 18:24:26.434260 ike V=root:1:HUB-ISP-WAN-1:344188: processing notify type INITIAL_CONTACT
2025-06-17 18:24:26.434276 ike V=root:1:HUB-ISP-WAN-1:344188: processing notify type INTERFACE_ADDR4
2025-06-17 18:24:26.434287 ike V=root:1:HUB-ISP-WAN-1:344188: INTERFACE-ADDR4 10.13.140.3
...
2025-06-17 18:24:26.434617 ike V=root:1:HUB-ISP-WAN-1_3: tunnel created tun_id 10.13.140.3/::10.0.0.190 remote_location 0.0.0.0 <---
...
2025-06-17 18:24:26.434724 ike V=root:1:HUB-ISP-WAN-1_3:344188: update peer route 0.0.0.0 -> 10.13.140.3
2025-06-17 18:24:26.434735 ike V=root:1:HUB-ISP-WAN-1_3: HA send IKE connection add 150.210.120.110->196.57.89.218
After that, the debug flow shows the correct SA associated with the tunnel_id:
2025-06-17 18:27:19 id=65308 trace_id=138555 func=rpdb_srv_match_input line=1150 msg="Match policy routing id=2146172933: to 1.2.3.4 via ifindex-28"
2025-06-17 18:27:19 id=65308 trace_id=138555 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag=00000000 gw-10.13.140.3 via HUB-ISP-WAN-1"
2025-06-17 18:27:19 id=65308 trace_id=138555 func=__iprope_fwd_check line=810 msg="in-[Internal1], out-[HUB-ISP-WAN-1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
...
2025-06-17 18:27:19 id=65308 trace_id=138555 func=iprope_policy_group_check line=4902 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2025-06-17 18:27:19 id=65308 trace_id=138555 func=fw_forward_handler line=1001 msg="Allowed by Policy-13:"
2025-06-17 18:27:19 id=65308 trace_id=138555 func=ip_session_confirm_final line=3131 msg="npu_state=0x40101, hook=4"
2025-06-17 18:27:19 id=65308 trace_id=138555 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface HUB-ISP-WAN-1, tun_id=0.0.0.0"
2025-06-17 18:27:19 id=65308 trace_id=138555 func=_do_ipsecdev_hard_start_xmit line=222 msg="output to IPSec tunnel HUB-ISP-WAN-1_3, tun_id=10.13.140.3, vrf 0"
FGT-HUB # diagnose vpn ike gateway list name HUB-ISP-WAN-1_3
vd: root/1
name: HUB-ISP-WAN-1_3
version: 2
interface: VLAN_INET 9
addr: 150.210.120.110:500 -> 196.57.89.218:500
tun_id: 10.13.140.3/::10.0.0.190 <--
remote_location: 0.0.0.0
network-id: 1
transport: UDP
virtual-interface-addr: 10.13.140.1 -> 10.13.140.3 <---
created: 20s ago
peer-id: 196.57.89.218
peer-id-auth: no
pending-queue: 0
PPK: no
IKE SA: created 1/1 established 1/1 time 60/60/60 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
|
