Description
Packets are lost during phase2 rekey when using NP offloading.
This article explains possible solutions to avoid packet loss.
Solution
In transparent mode, the FortiGate learns MAC addresses and creates the forwarding database (FDB).
The peer device's MAC address is saved in FDB record which is created by using source MAC address of broadcasts request such as ARP and FortiGate processes packet forwarding with based on FDB.
IPsec VPN is established between peer devices and its VPN traffic is offloaded. After that, the FortiGate cannot update their peer device's FDB records. Therefore, if the phase 2 rekey is performed after their FDB records expired, packets are lost because their FDB record do not exist at this time. This will continue until new FDB records are created by broadcast ARP to resolve MAC address.
To avoid this, it is strongly recommended to create a static MAC and ARP entry for the peer device's MAC/IP address.
Diagram
PC ==== (port1)[FGT1](port2) ==== (port2)[FGT2](port1) ==== Server
All devices have been installed on the same domain. (FGT1, FGT2, PC, Server)
PC
MAC: 00:50:56:00:76:03
IP: 192.168.1.101
FGT1
Management IP: 192.168.1.1
FGT2
Management IP: 192.168.1.2
Server
IP: 192.168.1.102
MAC: 00:50:56:00:76:04
Configuration
Only relevant parts of configuration are described.
1) FGT1
config vpn ipsec phase1
edit "to_FGT2"
set local-gw 192.168.1.1
set proposal 3des-sha1 aes128-sha1 des-md5
set remote-gw 192.168.1.2
set psksecret fortinet
next
end
config vpn ipsec phase2
edit "to_FGT2"
set keepalive enable
set phase1name "to_FGT2"
set proposal 3des-sha1 aes128-sha1
next
end
config firewall policy
edit 1
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action ipsec
set schedule "always"
set service "ALL"
set inbound enable
set outbound enable
set vpntunnel "to_FGT2"
next
end
config system arp-table
# Server IP/MAC
edit 1
set interface port2
set ip 192.168.1.102
set mac 00:50:56:00:76:04
next
# PC IP/MAC
edit 2
set interface port1
set ip 192.168.1.101
set mac 00:50:56:00:76:03
next
end
config system mac-address-table
# Server MAC
edit 00:50:56:00:76:04
set interface port2
next
# PC MAC
edit 00:50:56:00:76:03
set interface port1
next
end
2) FGT2
config vpn ipsec phase1
edit "to_FGT1"
set local-gw 192.168.1.2
set proposal 3des-sha1 aes128-sha1 des-md5
set remote-gw 192.168.1.1
set psksecret fortinet
next
end
config vpn ipsec phase2
edit "to_FGT1"
set keepalive enable
set phase1name "to_FGT1"
set proposal 3des-sha1 aes128-sha1
next
end
config firewall policy
edit 1
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action ipsec
set schedule "always"
set service "ALL"
set inbound enable
set outbound enable
set vpntunnel "to_FGT1"
next
end
config system arp-table
# Server IP/MAC
edit 1
set interface port1
set ip 192.168.1.102
set mac 00:50:56:00:76:04
next
# PC IP/MAC
edit 2
set interface port2
set ip 192.168.1.101
set mac 00:50:56:00:76:03
next
end
config system mac-address-table
# Server MAC
edit 00:50:56:00:76:04
set interface port1
next
# PC MAC
edit 00:50:56:00:76:03
set interface port2
next
end
Related Articles
Technical Note: Building a Layer-2 VPN with VxLAN over IPsec
