FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Rathan_FTNT
Staff
Staff
Article Id 198524

Description

 

OCVPN now has the capability to enable SD-WAN in order to dynamically add its tunnel interfaces as SD-WAN members.
Users can configure SD-WAN health checks and service rules to direct traffic over the OCVPN tunnels.

This article describes how to configure it.

Solution

 

The following example uses a dual hub and spoke topology.
Each hub and spoke have two WAN link connections to the ISP.
The spokes generate two IPsec tunnels to each hub (four tunnels in total).
BGP neighbors are established over each tunnel and routes from the hubs and other spokes learned from all neighbors, which forms an ECMP scenario.
All tunnels are placed as SD-WAN members, so traffic can be distributed across tunnels based on the configured SD-WAN service rules.


To integrate SD-WAN with OCVPN in the GUI:

Configure the primary hub.

 

  1. Go to VPN -> Overlay Controller VPN and set the 'Status' to 'Enable'.
  2. For Role, select 'Primary Hub'.
  3. Enter the WAN interfaces (port15 and port16) and tunnel IP allocation block (10.254.0.0/16).

    The WAN interface is position sensitive, meaning a tunnel will be created with the first position interface on the hub to the first position interface on the spoke, and so on.
    In this example, FGT_A (primary hub) will create two tunnels with FGT_C (spoke):

    - FGT_A port15 <==> FGT_C internal1
    - FGT_A port16 <==> FGT_C internal2

  4. Enable Auto-discovery shortcuts.
  5. Enable Add OCVPN tunnels to SD-WAN. The IPsec tunnels will be added automatically to the SD-WAN members if SD-WAN is enabled.
  6. Configure the overlays on the primary hub:
  7. In the Overlays section, select 'Create New'.
  8. Enter a name and add the local interface (port2). Note the overlay is either based on local subnets or local interfaces, but not both.

    By default, inter-overlay traffic is not enabled. Toggle Allow traffic from other overlays to enable it.
  9. Select 'OK' and repeat these steps to create the second overlay (loop1).
  10. Select 'Apply'.
     
  11. Configure the secondary hub with the same settings as the primary hub.

Configure the spoke.

  1. Go to VPN -> Overlay Controller VPN and set the 'Status' to 'Enable'.
  2. For Role, select Spoke.
  3. Enter the WAN interfaces (internal1 and internal2).
  4. Enable Auto-discovery shortcuts.
  5. Enable Add OCVPN tunnels to SD-WAN. The IPsec tunnels will be added automatically to the SD-WAN members if SD-WAN is enabled.
  6. Configure the overlays. The overlay names on the spokes have to match the hub for the traffic to be allowed through the same overlay.
  7. Select 'Apply'.
  8. Configure the other spoke with the same settings.
  9. On a spoke, go to Network -> SD-WAN Interfaces to view the configuration generated by OCVPN.
     
    Firewall policies will be automatically generated by OCVPN between the local interfaces and the SD-WAN interface.
    Each policy will define the proper local and remote networks for its source and destination addresses.

    To integrate SD-WAN with OCVPN in the CLI.

 

  1. Configure the primary hub.

 

 

config vpn ocvpn
    set role primary-hub
    set sdwan enable   
    set wan-interface "port15" "port16"  
    set ip-allocation-block 10.254.0.0 255.255.0.0  
        config overlays
            edit "overlay1"
                config subnets
                    edit 1
                        set type interface
                        set interface "port2"
                    next
                end
             next
        edit "overlay2"
        config subnets
            edit 1
                set type interface
                set interface "loop1"
            next
         end
     next
end

 

 

  1. Configure the secondary hub with the same settings as the primary hub.


Configure the spoke.

 

 

config vpn ocvpn
    set status enable
    set sdwan enable
    set wan-interface "internal1" "internal2"
        config overlays
            edit "overlay1"
                config subnets
                    edit 1
                        set type interface
                        set interface "wan2"
                    next
                end
            next
            edit "overlay2"
                config subnets
                    edit 1
                        set type interface
                        set interface "loop1"
                    next
                end
            next
         end

 

 

  1. Configure the other spoke with the same settings.



Configure SD-WAN.

 

 

config system virtual-wan-link
    set status enable
        config members
            edit 1
                set interface "_OCVPN2-0a"
            next
            edit 2
                set interface "_OCVPN2-0b"
            next
                edit 3
                    set interface "_OCVPN2-1a"
                 next
                     edit 4
                         set interface "_OCVPN2-1b"
                 next
            end
       end

 

Firewall policies will be automatically generated by OCVPN between the local interfaces and the SD-WAN interface.
Each policy will define the proper local and remote networks for its source and destination addresses.

To verify the integration is working after the ADVPN shortcut is triggered:

  1. Check the routing table on the spoke:

 

 

FGT_C # get router info routing-table all
3.    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
4.           O - OSPF, IA - OSPF inter area
5.           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
6.           E1 - OSPF external type 1, E2 - OSPF external type 2
7.           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
8.           * - candidate default
9.   
10.    Routing table for VRF=0
11.    S*      0.0.0.0/0 [10/0] via 172.16.17.2, internal1
12.                      [10/0] via 172.16.18.2, internal2
13.    B       10.1.100.0/24 [200/0] via 10.254.7.254, _OCVPN2-0a, 00:10:24
14.                          [200/0] via 10.254.15.254, _OCVPN2-0b, 00:10:24
15.    B       10.1.200.0/24 [200/0] via 10.254.7.254, _OCVPN2-0a, 00:10:24
16.                          [200/0] via 10.254.15.254, _OCVPN2-0b, 00:10:24
17.    B       10.2.100.0/24 [200/0] via 10.254.71.254, _OCVPN2-1a, 00:10:15
18.                          [200/0] via 10.254.79.254, _OCVPN2-1b, 00:10:15
19.    B       10.2.200.0/24 [200/0] via 10.254.71.254, _OCVPN2-1a, 00:10:15
20.                          [200/0] via 10.254.79.254, _OCVPN2-1b, 00:10:15
21.    B       10.254.0.0/16 [200/0] via 10.254.7.254, _OCVPN2-0a, 00:10:15
22.                          [200/0] via 10.254.15.254, _OCVPN2-0b, 00:10:15
23.                          [200/0] via 10.254.71.254, _OCVPN2-1a, 00:10:15
24.                          [200/0] via 10.254.79.254, _OCVPN2-1b, 00:10:15
25.    C       10.254.0.0/21 is directly connected, _OCVPN2-0a
26.    C       10.254.0.1/32 is directly connected, _OCVPN2-0a
27.    C       10.254.8.0/21 is directly connected, _OCVPN2-0b
28.    C       10.254.8.1/32 is directly connected, _OCVPN2-0b
29.    C       10.254.64.0/21 is directly connected, _OCVPN2-1a
30.    C       10.254.64.1/32 is directly connected, _OCVPN2-1b_0 <==shortcut tunnel
31.    C       10.254.64.2/32 is directly connected, _OCVPN2-1a
32.    C       10.254.72.0/21 is directly connected, _OCVPN2-1b
33.    C       10.254.72.2/32 is directly connected, _OCVPN2-1b
34.                           is directly connected, _OCVPN2-1b_0
35.    C       172.16.17.0/24 is directly connected, internal1
36.    C       172.16.18.0/24 is directly connected, internal2
37.    C       172.16.200.0/24 is directly connected, wan1
38.    C       192.168.1.0/24 is directly connected, internal
39.    C       192.168.4.0/24 is directly connected, wan2
40.    B       192.168.5.0/24 [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
41.                           [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
42.                           [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
43.                           [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
44.                           [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
45.                           [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
46.                           [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
47.                           [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
48.    C       192.168.44.0/24 is directly connected, loop1
49.    B       192.168.55.0/24 [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
50.                            [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
51.                            [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
52.                            [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
53.                            [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
54.                            [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
55.                            [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
                        [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10

 

  1. Check the VPN tunnel state:

 

FGT_C # diagnose vpn tunnel list
4.   
5.    list all ipsec tunnel in vd 0
6.    ------------------------------------------------------
7.    name=_OCVPN2-1b_0 ver=2 serial=1c 172.16.18.3:0->172.16.15.4:0 dst_mtu=1500
8.    bound_if=9 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc  accept_traffic=1 overlay_id=4
9.   
10.     parent=_OCVPN2-1b index=0
11.    proxyid_num=1 child_num=0 refcnt=15 ilast=0 olast=0 ad=r/2
12.    stat: rxp=641 txp=1025 rxb=16436 txb=16446
13.    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
14.    natt: mode=none draft=0 interval=0 remote_port=0
15.    proxyid=_OCVPN2-1b proto=0 sa=1 ref=3 serial=1 auto-negotiate adr
16.      src: 0:0.0.0.0/0.0.0.0:0
17.      dst: 0:0.0.0.0/0.0.0.0:0
18.      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=42650/0B replaywin=1024
19.           seqno=407 esn=0 replaywin_lastseq=00000280 itn=0 qat=0 hash_search_len=1
20.      life: type=01 bytes=0/0 timeout=43186/43200
21.      dec: spi=90f03d9d esp=aes key=16 6cb33685bbc67d5c85488e0176ecf7b0
22.           ah=sha1 key=20 7d11b3babe62c840bf444b7b1f637b4324722a71
23.      enc: spi=7bc94bda esp=aes key=16 b4d8fc731d411eb24448b4077a5872ca
24.           ah=sha1 key=20 b724064d827304a6d80385ed4914461108b7312f
25.      dec:pkts/bytes=641/16368, enc:pkts/bytes=2053/123426
26.      npu_flag=03 npu_rgwy=172.16.15.4 npu_lgwy=172.16.18.3 npu_selid=1f dec_npuid=1 enc_npuid=1
27.    ------------------------------------------------------
28.    name=_OCVPN2-0a ver=2 serial=18 172.16.17.3:0->172.16.13.1:0 dst_mtu=1500
29.    bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1 overlay_id=1
30.   
31.    proxyid_num=1 child_num=0 refcnt=20 ilast=0 olast=0 ad=r/2
32.    stat: rxp=1665 txp=2922 rxb=278598 txb=70241
33.    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=7
34.    natt: mode=none draft=0 interval=0 remote_port=0
35.    proxyid=_OCVPN2-0a proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
36.      src: 0:0.0.0.0/0.0.0.0:0
37.      dst: 0:0.0.0.0/0.0.0.0:0
38.      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41599/0B replaywin=1024
39.           seqno=890 esn=0 replaywin_lastseq=00000680 itn=0 qat=0 hash_search_len=1
40.      life: type=01 bytes=0/0 timeout=42899/43200
41.      dec: spi=90f03d95 esp=aes key=16 a6ffcc197bb1b46ec745d0b595cdd69a
42.           ah=sha1 key=20 8007c134e41edf282f95daf9c9033d688ef05ccc
43.      enc: spi=a1bf21bf esp=aes key=16 ead05be389b0dec222f969e2f9c46b1d
44.           ah=sha1 key=20 b04105d34d4b0e61b018f2e60591f9b1510783bb
45.      dec:pkts/bytes=1665/278538, enc:pkts/bytes=4237/265074
46.      npu_flag=03 npu_rgwy=172.16.13.1 npu_lgwy=172.16.17.3 npu_selid=1b dec_npuid=1 enc_npuid=1
47.    ------------------------------------------------------
48.    name=_OCVPN2-1a ver=2 serial=1a 172.16.17.3:0->172.16.11.1:0 dst_mtu=1500
49.    bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1 overlay_id=3
50.   
51.    proxyid_num=1 child_num=0 refcnt=17 ilast=0 olast=0 ad=r/2
52.    stat: rxp=1 txp=2913 rxb=16376 txb=69642
53.    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=5
54.    natt: mode=none draft=0 interval=0 remote_port=0
55.    proxyid=_OCVPN2-1a proto=0 sa=1 ref=28 serial=1 auto-negotiate adr
56.      src: 0:0.0.0.0/0.0.0.0:0
57.      dst: 0:0.0.0.0/0.0.0.0:0
58.      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41653/0B replaywin=1024
59.           seqno=887 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
60.      life: type=01 bytes=0/0 timeout=42900/43200
61.      dec: spi=90f03d9b esp=aes key=16 ee03f5b0f617a26c6177e91d60abf90b
62.           ah=sha1 key=20 f60cbbc4ebbd6d0327d23137da707b7ab2dc49e6
63.      enc: spi=a543a7d3 esp=aes key=16 1d37efab13a5c0347b582b2198b15cb8
64.           ah=sha1 key=20 427ee4c82bac6f26f0bcabfe04328c7f57ce682e
65.      dec:pkts/bytes=1/16316, enc:pkts/bytes=4229/264036
66.      npu_flag=03 npu_rgwy=172.16.11.1 npu_lgwy=172.16.17.3 npu_selid=1d dec_npuid=1 enc_npuid=1
67.    ------------------------------------------------------
68.    name=_OCVPN2-0b ver=2 serial=19 172.16.18.3:0->172.16.14.1:0 dst_mtu=1500
69.    bound_if=9 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1 overlay_id=2
70.   
71.    proxyid_num=1 child_num=0 refcnt=20 ilast=0 olast=0 ad=r/2
72.    stat: rxp=1665 txp=2917 rxb=278576 txb=69755
73.    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=7
74.    natt: mode=none draft=0 interval=0 remote_port=0
75.    proxyid=_OCVPN2-0b proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
76.      src: 0:0.0.0.0/0.0.0.0:0
77.      dst: 0:0.0.0.0/0.0.0.0:0
78.      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41599/0B replaywin=1024
79.           seqno=88b esn=0 replaywin_lastseq=00000680 itn=0 qat=0 hash_search_len=1
80.      life: type=01 bytes=0/0 timeout=42899/43200
81.      dec: spi=90f03d96 esp=aes key=16 9d7eb233c1d095b30796c3711d53f2fd
82.           ah=sha1 key=20 d8feacd42b5e0ba8b5e38647b2f2734c94644bd1
83.      enc: spi=a1bf21c0 esp=aes key=16 d2c0984bf86dc504c5475230b24034f0
84.           ah=sha1 key=20 3946e4033e1f42b0d9a843b94448f56fd5b57bee
85.      dec:pkts/bytes=1665/278516, enc:pkts/bytes=4233/264411
86.      npu_flag=03 npu_rgwy=172.16.14.1 npu_lgwy=172.16.18.3 npu_selid=1c dec_npuid=1 enc_npuid=1
87.    ------------------------------------------------------
88.    name=_OCVPN2-1b ver=2 serial=1b 172.16.18.3:0->172.16.12.1:0 dst_mtu=1500
89.    bound_if=9 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1 overlay_id=4
90.   
91.    proxyid_num=1 child_num=1 refcnt=19 ilast=1 olast=0 ad=r/2
92.    stat: rxp=1 txp=2922 rxb=16430 txb=70173
93.    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=4
94.    natt: mode=none draft=0 interval=0 remote_port=0
95.    proxyid=_OCVPN2-1b proto=0 sa=1 ref=28 serial=1 auto-negotiate adr
96.      src: 0:0.0.0.0/0.0.0.0:0
97.      dst: 0:0.0.0.0/0.0.0.0:0
98.      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41656/0B replaywin=1024
99.           seqno=890 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
100.      life: type=01 bytes=0/0 timeout=42903/43200
101.      dec: spi=90f03d9c esp=aes key=16 a655767c1ed6cff4575857eb3981ad81
102.           ah=sha1 key=20 bfc2bccd7103a201be2641d4c6147d437d2c3f70
103.      enc: spi=a543a7d4 esp=aes key=16 7221b814e483165b01edfdc8260d261a
104.           ah=sha1 key=20 d54819643c2f1b20da2aea4282d50a1f1bc1d72a
105.      dec:pkts/bytes=1/16370, enc:pkts/bytes=4238/265164
  npu_flag=03 npu_rgwy=172.16.12.1 npu_lgwy=172.16.18.3 npu_selid=1e dec_npuid=1 enc_npuid=1

 

  1. Check the SD-WAN state:

 

FGT_C # diagnose system virtual-wan-link health-check
5.    Health Check(Default_DNS):
6.    Health Check(Default_Office_365):
7.    Health Check(Default_Gmail):
8.    Health Check(Default_AWS):
9.    Health Check(Default_Google Search):
10.    Health Check(Default_FortiGuard):
11.    Health Check(ocvpn):
12.    Seq(1 _OCVPN2-0a): state(alive), packet-loss(0.000%) latency(0.364), jitter(0.028) sla_map=0x0
13.    Seq(2 _OCVPN2-0b): state(alive), packet-loss(0.000%) latency(0.287), jitter(0.026) sla_map=0x0
14.    Seq(3 _OCVPN2-1a): state(dead), packet-loss(100.000%) sla_map=0x0
15.    Seq(4 _OCVPN2-1b): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(4 _OCVPN2-1b_0): state(alive), packet-loss(0.000%) latency(0.289), jitter(0.029) sla_map=0x0

 

Related articles: