Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
akristof
Staff
Staff

Created on ‎07-26-2019 02:43 AM

Article Id 190773

Technical Tip: SD-WAN with DDNS type IPsec

Description
This article explains how to have IPsec tunnel to be part of the SD-WAN, with the tunnel in type ddns (as remote site does not have static IP address and using ddns feature).

Solution
This KB is focused on problem with SD-WAN static route, when DDNS tunnel type is part of the SD-WAN.

FGT1 (10.109.16.191, port1) -------- < internet > --------- (labfrance.fortiddns.com, wan1) FGT2

FGT1 has static IP.
FGT2 doesn’t have static IP, so it is using DDNS feature.

FGT2 config:

#FGT92D-1 # show system ddns
config system ddns
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain "labfrance.fortiddns.com"
set monitor-interface "wan1"
next
end

#FGT92D-1 # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "DDNSTunnel"
set interface "wan1"
set peertype any
set comments "VPN: DDNSTunnel (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 10.109.16.191
set psksecret ENC yxUcniVi6XlblM2RBMCUzj1irhXA2splS1AZRSVWbBythiLSfXR/9ukoWCTiM5tPY9mhHXS5l80v2aNtk/3iaLh6d9AFTAsyu2X72OIlMHG4cGErGXBzDwmX2Tdtm1WzDCenLcfh+Qx50dfTzeryNgClUkSEWKakaoCi7JB/W9VYd1SfbcIGkeNxTGCaEhBmLNEJrQ==
next
end
 
#FGT92D-1 # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "DDNSTunnel"
set phase1name "DDNSTunnel"
set comments "VPN: DDNSTunnel (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "DDNSTunnel_local" <<< selectors are 0.0.0.0/0.0.0.0
set dst-name "DDNSTunnel_remote" <<< selectors are 0.0.0.0/0.0.0.0
Next
End

#FGT92D-1 #
config system interface
edit "DDNSTunnel"
set vdom "root"
set ip 169.254.1.2 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 169.254.1.1 255.255.255.255
set snmp-index 7
set interface "wan1"
next
end


#FGT1 config (with SDWAN)
Ipsec config:
FG3H0E5818903514 # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "DDNSTunnel"
set type ddns
set interface "port1"
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: DDNSTunnel (Created by VPN wizard)"
set remotegw-ddns "labfrance.fortiddns.com"
set psksecret ENC 2E7LCLu3XalDCW6I9/23ASdbMu2Wt40vFiDiXsiobWO6Yak2V0kLBsGqu2xap8l66CBCC048WeqJn7iXxxQAqWPCidfay5jMmrG2zfhh0+cNS8spDXBSGGavMhZX8okLTGuh8or27q/b064WEgaNlh+iaeteVSy/SKr5hWr3zX4Ucg4REYlWkQr+BQ2olNJXUiXvAg==
next
config vpn ipsec phase2-interface
edit "DDNSTunnel"
set phase1name "DDNSTunnel"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: DDNSTunnel (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "DDNSTunnel_local" <<< selectors are 0.0.0.0/0.0.0.0
set dst-name "DDNSTunnel_remote" <<< selectors are 0.0.0.0/0.0.0.0
next

FG3H0E5818****** # show system interface DDNSTunnel
config system interface
edit "DDNSTunnel"
set vdom "root"
set ip 0.0.0.0 255.255.255.255
set allowaccess ping
set type tunnel
set snmp-index 39
set interface "port1"
next
end

#FG3H0E5818****** # show system virtual-wan-link
config system virtual-wan-link
set status enable
config members
edit 1
set interface "port1"
set gateway 10.109.31.254
next
edit 2
set interface "DDNSTunnel"
next
end
config health-check
edit "Ping"
set server "8.8.8.8"
set members 1
next
end
end

#FG3H0E5818****** # show router static 1
config router static
edit 1
set distance 1
set virtual-wan-link enable
next
end

Now verifying of the setup (from FGT1 perspective).
SD-WAN is configured, 2 default routes are expected in routing-table – one via port1 and one via DDNS Tunnel ipsec tunnel.
However, it is not in routing-table or database:

#FG3H0E5818****** # get router info routing-table all

Routing table for VRF=0

Codes:
K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S*      0.0.0.0/0 [1/0] via 10.109.31.254, port1
C       3.3.3.3/32 is directly connected, Loopback
S       8.8.4.4/32 [10/0] is directly connected, DDNSTunnel
S       10.5.22.99/32 [10/0] is directly connected, ipsec
O       10.25.0.0/20 [110/101] via 10.255.255.2, Gretunnel, 03:10:39
C       10.109.16.0/20 is directly connected, port1
C       10.255.255.1/32 is directly connected, Gretunnel
C       10.255.255.2/32 is directly connected, Gretunnel
C       192.168.1.0/24 is directly connected, mgmt

#FG3H0E5818****** # get router info routing-table database
Routing table for VRF=0
Codes:
K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info

S *> 0.0.0.0/0 [1/0] via 10.109.31.254, port1
S 0.0.0.0/0 [254/0] is a summary, Null <<< Blackhole route created by wizard.
C *> 3.3.3.3/32 is directly connected, Loopback
S *> 8.8.4.4/32 [10/0] is directly connected, DDNSTunnel
S *> 10.5.22.99/32 [10/0] is directly connected, ipsec
O *> 10.25.0.0/20 [110/101] via 10.255.255.2, Gretunnel, 03:11:37
C *> 10.109.16.0/20 is directly connected, port1
C *> 10.255.255.1/32 is directly connected, Gretunnel
O 10.255.255.2/32 [110/100] via 10.255.255.2, Gretunnel, 03:11:37
C *> 10.255.255.2/32 is directly connected, Gretunnel
C *> 192.168.1.0/24 is directly connected, mgmt

SDWAN member details:
FG3H0E5818****** # diag sys virtual-wan-link member
Member(1): interface: port1, gateway: 10.109.31.254, priority: 0, weight: 0
Member(2): interface: DDNSTunnel, priority: 0, weight: 0

Solution:
Add IP overlay on tunnel interface.
FG3H0E5818****** # show system interface DDNSTunnel
config system interface
edit "DDNSTunnel"

#set vdom "root"
set ip 169.254.1.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 169.254.1.2 255.255.255.255
set snmp-index 39
set interface "port1"
next
end

#FG3H0E5818****** # diag sys virtual-wan-link member
Member(1): interface: port1, gateway: 10.109.31.254, priority: 0, weight: 0
Member(2): interface: DDNSTunnel, gateway: 169.254.1.2, priority: 0, weight: 0

#FG3H0E5818****** # get router info routing-table all

Routing table for VRF=0
Codes:
K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S*0.0.0.0/0 [1/0] via 169.254.1.2, DDNSTunnel <<< route is there
[1/0] via 10.109.31.254, port1
C 3.3.3.3/32 is directly connected, Loopback
S 8.8.4.4/32 [10/0] via 169.254.1.2, DDNSTunnel
S 10.5.22.99/32 [10/0] is directly connected, ipsec
O 10.25.0.0/20 [110/101] via 10.255.255.2, Gretunnel, 03:15:20
C 10.109.16.0/20 is directly connected, port1
C 10.255.255.1/32 is directly connected, Gretunnel
C 10.255.255.2/32 is directly connected, Gretunnel
C 169.254.1.1/32 is directly connected, DDNSTunnel
C 169.254.1.2/32 is directly connected, DDNSTunnel
C 192.168.1.0/24 is directly connected, mgmt

Labels:
7817
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.