akristof
Staff
Article Id 190773

Description

This article describes how to make an IPsec tunnel of type ddns part of SD-WAN. This tunnel type is used when the remote site does not have a static IP address and relies on the DDNS feature.

Scope

FortiGate.


Solution

This article focuses on a problem with the SD-WAN static route when a DDNS-type IPsec tunnel is an SD-WAN member.

FGT1 (10.109.16.191, port1) -------- < internet > --------- (labfrance.fortiddns.com, wan1) FGT2

FGT1 has a static IP address.
FGT2 does not have a static IP address, so it uses the DDNS feature.

FGT2 config:

FGT92D-1 # show system ddns
config system ddns

    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "labfrance.fortiddns.com"
        set monitor-interface "wan1"
    next
end

FGT92D-1 # show vpn ipsec phase1-interface

config vpn ipsec phase1-interface
    edit "DDNSTunnel"
        set interface "wan1"
        set peertype any
        set comments "VPN: DDNSTunnel (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 10.109.16.191
        set psksecret ENC yxUcniVi6XlblM2RBMCUzj1irhXA2splS1AZRSVWbBythiLSfXR/9ukoWCTiM5tPY9mhHXS5l80v2aNtk/3iaLh6d9AFTAsyu2X72OIlMHG4cGErGXBzDwmX2Tdtm1WzDCenLcfh+Qx50dfTzeryNgClUkSEWKakaoCi7JB/W9VYd1SfbcIGkeNxTGCaEhBmLNEJrQ==
    next
end
 
FGT92D-1 # show vpn ipsec phase2-interface

config vpn ipsec phase2-interface

    edit "DDNSTunnel"

        set phase1name "DDNSTunnel"
        set comments "VPN: DDNSTunnel (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "DDNSTunnel_local" <<< selectors are 0.0.0.0/0.0.0.0
        set dst-name "DDNSTunnel_remote" <<< selectors are 0.0.0.0/0.0.0.0
    next
end

FGT92D-1 # show system interface DDNSTunnel
config system interface

    edit "DDNSTunnel"
        set vdom "root"
        set ip 169.254.1.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 169.254.1.1 255.255.255.255
        set snmp-index 7
        set interface "wan1"
    next
end

FGT1 config (with SD-WAN):

IPsec config:
FG3H0E5818903514 # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "DDNSTunnel"
        set type ddns
        set interface "port1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: DDNSTunnel (Created by VPN wizard)"
        set remotegw-ddns "labfrance.fortiddns.com"
        set psksecret ENC 2E7LCLu3XalDCW6I9/23ASdbMu2Wt40vFiDiXsiobWO6Yak2V0kLBsGqu2xap8l66CBCC048WeqJn7iXxxQAqWPCidfay5jMmrG2zfhh0+cNS8spDXBSGGavMhZX8okLTGuh8or27q/b064WEgaNlh+iaeteVSy/SKr5hWr3zX4Ucg4REYlWkQr+BQ2olNJXUiXvAg==

    next

end

config vpn ipsec phase2-interface
    edit "DDNSTunnel"
        set phase1name "DDNSTunnel"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: DDNSTunnel (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "DDNSTunnel_local" <<< selectors are 0.0.0.0/0.0.0.0
        set dst-name "DDNSTunnel_remote" <<< selectors are 0.0.0.0/0.0.0.0
    next
end
FG3H0E5818****** # show system interface DDNSTunnel
config system interface
    edit "DDNSTunnel"
        set vdom "root"
        set ip 0.0.0.0 255.255.255.255
        set allowaccess ping
        set type tunnel
        set snmp-index 39
        set interface "port1"
    next
end

FG3H0E5818****** # show system virtual-wan-link
config system virtual-wan-link
    set status enable
        config members
            edit 1
                set interface "port1"
                set gateway 10.109.31.254
            next
            edit 2
                set interface "DDNSTunnel"
            next
        end
        config health-check
            edit "Ping"
                set server "8.8.8.8"
                set members 1
            next
    end
end

FG3H0E5818****** # show router static 1
config router static
    edit 1
        set distance 1
        set virtual-wan-link enable
    next
end

Now, verify the setup from the FGT1 perspective.
With SD-WAN configured, two default routes are expected in the routing table: one via port1 and one via the DDNSTunnel IPsec interface.
However, the default route via DDNSTunnel is in neither the routing table nor the routing database:

FG3H0E5818****** # get router info routing-table all

Routing table for VRF=0

Codes:
K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S*      0.0.0.0/0 [1/0] via 10.109.31.254, port1
C       3.3.3.3/32 is directly connected, Loopback
S       8.8.4.4/32 [10/0] is directly connected, DDNSTunnel
S       10.5.22.99/32 [10/0] is directly connected, ipsec
O       10.25.0.0/20 [110/101] via 10.255.255.2, Gretunnel, 03:10:39
C       10.109.16.0/20 is directly connected, port1
C       10.255.255.1/32 is directly connected, Gretunnel
C       10.255.255.2/32 is directly connected, Gretunnel
C       192.168.1.0/24 is directly connected, mgmt

FG3H0E5818****** # get router info routing-table database

Routing table for VRF=0
Codes:
K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info

S *> 0.0.0.0/0 [1/0] via 10.109.31.254, port1
S 0.0.0.0/0 [254/0] is a summary, Null <<< Blackhole route created by wizard.
C *> 3.3.3.3/32 is directly connected, Loopback
S *> 8.8.4.4/32 [10/0] is directly connected, DDNSTunnel
S *> 10.5.22.99/32 [10/0] is directly connected, ipsec
O *> 10.25.0.0/20 [110/101] via 10.255.255.2, Gretunnel, 03:11:37
C *> 10.109.16.0/20 is directly connected, port1
C *> 10.255.255.1/32 is directly connected, Gretunnel
O 10.255.255.2/32 [110/100] via 10.255.255.2, Gretunnel, 03:11:37
C *> 10.255.255.2/32 is directly connected, Gretunnel
C *> 192.168.1.0/24 is directly connected, mgmt

SD-WAN member details (note that Member(2), the DDNS tunnel, has no gateway):

FG3H0E5818****** # diag sys virtual-wan-link member
Member(1): interface: port1, gateway: 10.109.31.254, priority: 0, weight: 0
Member(2): interface: DDNSTunnel, priority: 0, weight: 0

Solution:

Assign an IP overlay to the tunnel interface on FGT1: a local IP and a remote-ip, mirroring the 169.254.1.x/32 addresses already configured on FGT2's DDNSTunnel interface. Without a remote-ip the tunnel member has no gateway, so SD-WAN cannot install its default route through the tunnel; once the remote-ip is set it becomes the member gateway and the route appears.

FG3H0E5818****** # show system interface DDNSTunnel
config system interface
    edit "DDNSTunnel"
        set vdom "root"
        set ip 169.254.1.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 169.254.1.2 255.255.255.255
        set snmp-index 39
        set interface "port1"
    next
end

FG3H0E5818****** # diagnose sys virtual-wan-link member
Member(1): interface: port1, gateway: 10.109.31.254, priority: 0, weight: 0
Member(2): interface: DDNSTunnel, gateway: 169.254.1.2, priority: 0, weight: 0
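As an added illustration (not from the article or Fortinet), the Python below parses the FGT1 config excerpts shown above and flags any SD-WAN member whose tunnel interface has neither a remote-ip nor an explicit member gateway, which is exactly the state that left the DDNSTunnel default route uninstalled. The config text and the parser are constructed for this check.

```python
def parse_entries(cli):
    """Map each 'edit <name> ... next' block of a FortiOS dump to its 'set' keys."""
    entries, cur = {}, None
    for line in cli.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            cur = line[5:].strip('"')
            entries[cur] = {}
        elif line.startswith("set ") and cur is not None:
            key, _, value = line[4:].partition(" ")
            entries[cur][key] = value.strip('"')
        elif line == "next":
            cur = None
    return entries


def members_without_gateway(sdwan_cli, interface_cli):
    """SD-WAN members that get no gateway: a tunnel interface with neither
    remote-ip nor an explicit member gateway (the symptom in this article)."""
    ifaces = parse_entries(interface_cli)
    bad = []
    for member in parse_entries(sdwan_cli).values():
        name = member.get("interface")
        iface = ifaces.get(name, {})
        if iface.get("type") == "tunnel" and not (
                "gateway" in member or "remote-ip" in iface):
            bad.append(name)
    return bad


# Constructed excerpts of FGT1's config as shown in the article: the SD-WAN
# members table and the DDNSTunnel interface before and after the fix.
SDWAN = '''config members
    edit 1
        set interface "port1"
        set gateway 10.109.31.254
    next
    edit 2
        set interface "DDNSTunnel"
    next
end'''
BEFORE = '''edit "DDNSTunnel"
        set ip 0.0.0.0 255.255.255.255
        set type tunnel
        set interface "port1"
    next'''
# Adding remote-ip is the change the article makes.
AFTER = BEFORE.replace('set ip 0.0.0.0 255.255.255.255',
                       'set ip 169.254.1.1 255.255.255.255\n'
                       '        set remote-ip 169.254.1.2 255.255.255.255')
if __name__ == "__main__":
    print(members_without_gateway(SDWAN, BEFORE))  # ['DDNSTunnel']
```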

FG3H0E5818****** # get router info routing-table all

Routing table for VRF=0
Codes:
K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S*      0.0.0.0/0 [1/0] via 169.254.1.2, DDNSTunnel <<< The route is here.
                  [1/0] via 10.109.31.254, port1
C       3.3.3.3/32 is directly connected, Loopback
S       8.8.4.4/32 [10/0] via 169.254.1.2, DDNSTunnel
S       10.5.22.99/32 [10/0] is directly connected, ipsec
O       10.25.0.0/20 [110/101] via 10.255.255.2, Gretunnel, 03:15:20
C       10.109.16.0/20 is directly connected, port1
C       10.255.255.1/32 is directly connected, Gretunnel
C       10.255.255.2/32 is directly connected, Gretunnel
C       169.254.1.1/32 is directly connected, DDNSTunnel
C       169.254.1.2/32 is directly connected, DDNSTunnel
C       192.168.1.0/24 is directly connected, mgmt

