FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
FJT_FTNT
Staff
Staff

Description

Packets are lost during phase2 rekey when using NP offloading.

This article explains possible solutions to avoid packet loss.   


Solution

In transparent mode, the FortiGate learns MAC addresses and creates the forwarding database (FDB).

The peer device's MAC address is saved in FDB record which is created by using source MAC address of broadcasts request such as ARP and FortiGate processes packet forwarding with based on FDB.

IPsec VPN is established between peer devices and its VPN traffic is offloaded.  After that, the FortiGate cannot update their peer device's FDB records.  Therefore, if the phase 2 rekey is performed after their FDB records expired, packets are lost because their FDB record do not exist at this time. This will continue until new FDB records are created by broadcast ARP to resolve MAC address.

To avoid this, it is strongly recommended to create a static MAC and ARP entry for the peer device's MAC/IP address.


Diagram

PC ==== (port1)[FGT1](port2)  ==== (port2)[FGT2](port1)  ==== Server

All devices have been installed on the same domain. (FGT1, FGT2, PC, Server)

PC
MAC: 00:50:56:00:76:03
IP:  192.168.1.101

FGT1
Management IP: 192.168.1.1

FGT2
Management IP: 192.168.1.2

Server
IP:  192.168.1.102
MAC: 00:50:56:00:76:04


Configuration

Only relevant parts of configuration are described.

1) FGT1

config vpn ipsec phase1
    edit "to_FGT2"
       set local-gw 192.168.1.1
       set proposal 3des-sha1 aes128-sha1 des-md5
       set remote-gw 192.168.1.2
       set psksecret fortinet
    next
end
config vpn ipsec phase2
    edit "to_FGT2"
       set keepalive enable
       set phase1name "to_FGT2"
       set proposal 3des-sha1 aes128-sha1
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "to_FGT2"
    next
end
config system arp-table
    # Server IP/MAC
    edit 1
        set interface port2
        set ip 192.168.1.102
        set mac 00:50:56:00:76:04
    next
    # PC IP/MAC
    edit 2
        set interface port1
        set ip 192.168.1.101
        set mac 00:50:56:00:76:03
    next
end
config system mac-address-table
    # Server MAC
    edit 00:50:56:00:76:04
      set interface port2
    next
    # PC MAC
    edit 00:50:56:00:76:03
      set interface port1
    next
end

 2) FGT2

config vpn ipsec phase1
    edit "to_FGT1"
       set local-gw 192.168.1.2
       set proposal 3des-sha1 aes128-sha1 des-md5
       set remote-gw 192.168.1.1
       set psksecret fortinet
    next
end
config vpn ipsec phase2
    edit "to_FGT1"
       set keepalive enable
       set phase1name "to_FGT1"
       set proposal 3des-sha1 aes128-sha1
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "to_FGT1"
    next
end

 config system arp-table
    # Server IP/MAC
    edit 1
        set interface port1
        set ip 192.168.1.102
        set mac 00:50:56:00:76:04
    next
    # PC IP/MAC
    edit 2
        set interface port2
        set ip 192.168.1.101
        set mac 00:50:56:00:76:03
    next
end
config system mac-address-table
    # Server MAC
    edit 00:50:56:00:76:04
      set interface port1
    next
    # PC MAC
    edit 00:50:56:00:76:03
      set interface port2
    next
end

Related Articles

Technical Note: Building a Layer-2 VPN with VxLAN over IPsec

Contributors