Description | This article describes the instability of IPsec VPN tunnels terminated on PPPoE interfaces. |
Scope | FortiGate. |
Solution |
Consider an IPsec VPN tunnel between two FortiGate units, FortiGate-I and FortiGate-II, where FortiGate-I uses a PPPoE connection on its WAN interface. The relevant configuration sections on FortiGate-I are the phase1-interface bound to the WAN interface and the WAN interface itself configured in PPPoE mode:
config vpn ipsec phase1-interface
config system interface
It has been observed in several TAC cases that whenever the WAN (PPPoE) connection flaps or is briefly interrupted, the IPsec VPN tunnels are affected and are not re-established. The reason is that a PPPoE connection flap or restart creates a new PPPoE session ID. The frames sent by FortiGate-I and those received on FortiGate-II then carry different PPPoE session IDs, which results in the IPsec VPN failing.
The PPPoE session ID can be found by running a sniffer (packet capture) on the WAN interface.
An example PPPoE session ID (Session ID: 0x1c7f) is visible in the PPPoE header of a Wireshark capture of the WAN interface.
On the CLI, the following command shows the PPPoE session ID:
Fortigate-I # fnsysctl cat /proc/net/pppoe
The session ID shown in the CLI is in host byte order, while the one shown in Wireshark is in network byte order. Hence the two values match once the bytes are swapped (1c7f <--> 7f1c).
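To make that comparison concrete, here is an added Python example (not part of the original article and not FortiOS code) that extracts the session ID from a PPPoE session frame, parses a constructed /proc/net/pppoe listing, swaps the CLI value into network order, and reports whether a frame carries the session ID the local PPPoE stack currently holds. The sample frame and listing are constructed for the example; a frame that keeps failing this check after a PPPoE restart is the stale-session symptom described above.

```python
import struct

# PPPoE session-stage frames: EtherType 0x8864, then a 6-byte PPPoE header of
# ver/type (0x11), code (0x00 for session data), session ID, payload length.
ETHERTYPE_PPPOE_SESSION = 0x8864

def pppoe_session_id_from_frame(frame: bytes) -> int:
    """Return the session ID carried in a PPPoE session frame, as Wireshark displays it."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        raise ValueError(f"not a PPPoE session frame (EtherType 0x{ethertype:04x})")
    ver_type, code, session_id, _length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:
        raise ValueError("unexpected PPPoE version/type or code")
    return session_id

def pppoe_session_ids_from_proc(text: str) -> dict:
    """Map device -> session ID (converted to network order) from /proc/net/pppoe output.
    The Id column is printed in host order, so its two bytes are swapped here."""
    ids = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] == "Id":
            continue  # header line or blank line
        host_order = int(parts[0], 16) & 0xFFFF
        ids[parts[2]] = ((host_order & 0xFF) << 8) | (host_order >> 8)
    return ids

def frame_matches_current_session(frame: bytes, proc_text: str, device: str) -> bool:
    """True when the frame's session ID equals the one the local PPPoE stack holds for device."""
    current = pppoe_session_ids_from_proc(proc_text).get(device)
    return current is not None and pppoe_session_id_from_frame(frame) == current

# Constructed sample data (not a real capture): a /proc/net/pppoe listing showing
# host-order 0x7F1C on wan1, and a session frame carrying 0x1c7f on the wire.
SAMPLE_PROC = "Id       Address              Device\n00007F1C 00:11:22:33:44:55     wan1\n"
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst, src MAC
                + b"\x88\x64" + b"\x11\x00" + b"\x1c\x7f" + b"\x00\x02" + b"\x00\x21")
# Same frame but carrying a session ID from before the PPPoE restart (0x1c7e).
STALE_FRAME = SAMPLE_FRAME[:16] + b"\x1c\x7e" + SAMPLE_FRAME[18:]

if __name__ == "__main__":
    print(f"current wan1 session: 0x{pppoe_session_ids_from_proc(SAMPLE_PROC)['wan1']:04x}")
    print("sample frame matches:", frame_matches_current_session(SAMPLE_FRAME, SAMPLE_PROC, "wan1"))
    print("stale frame matches: ", frame_matches_current_session(STALE_FRAME, SAMPLE_PROC, "wan1"))
```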
In such scenarios, when the IPsec VPN is not re-established after the PPPoE connection flap, shut down the IPsec tunnel interface that uses the PPPoE connection for a few minutes. This causes the old PPPoE session ID to be removed on the ISP side. Once the IPsec tunnel interface is brought up again after a few minutes, FortiGate-I and FortiGate-II share the same PPPoE session ID and the IPsec tunnel is re-established. This is not an issue on the FortiGate itself but rather on the PPPoE server side (ISP), which retains the old PPPoE session ID. |
Copyright 2024 Fortinet, Inc. All Rights Reserved.