FortiGate
akristof
Staff
Article Id 190773

Description

This article describes how to make an IPsec tunnel of type ddns part of SD-WAN; the ddns type is used because the remote site does not have a static IP address and relies on the DDNS feature.

Scope

FortiGate.

Solution

This article focuses on a problem with the SD-WAN static route when an IPsec tunnel of type ddns is an SD-WAN member.

FGT1 (10.109.16.191, port1) -------- < internet > --------- (labfrance.fortiddns.com, wan1) FGT2

FGT1 has static IP.
FGT2 doesn’t have static IP, so it is using DDNS feature.

FGT2 config:

#FGT92D-1 # show system ddns
config system ddns

    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "labfrance.fortiddns.com"
        set monitor-interface "wan1"
    next
end

#FGT92D-1 # show vpn ipsec phase1-interface

config vpn ipsec phase1-interface
    edit "DDNSTunnel"
        set interface "wan1"
        set peertype any
        set comments "VPN: DDNSTunnel (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 10.109.16.191
        set psksecret ENC yxUcniVi6XlblM2RBMCUzj1irhXA2splS1AZRSVWbBythiLSfXR/9ukoWCTiM5tPY9mhHXS5l80v2aNtk/3iaLh6d9AFTAsyu2X72OIlMHG4cGErGXBzDwmX2Tdtm1WzDCenLcfh+Qx50dfTzeryNgClUkSEWKakaoCi7JB/W9VYd1SfbcIGkeNxTGCaEhBmLNEJrQ==
    next
end
 
#FGT92D-1 # show vpn ipsec phase2-interface

config vpn ipsec phase2-interface

    edit "DDNSTunnel"

        set phase1name "DDNSTunnel"
        set comments "VPN: DDNSTunnel (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "DDNSTunnel_local" <<< selectors are 0.0.0.0/0.0.0.0
        set dst-name "DDNSTunnel_remote" <<< selectors are 0.0.0.0/0.0.0.0
    next
end

#FGT92D-1 # show system interface DDNSTunnel
config system interface

    edit "DDNSTunnel"
        set vdom "root"
        set ip 169.254.1.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 169.254.1.1 255.255.255.255
        set snmp-index 7
        set interface "wan1"
    next
end


#FGT1 config (with SDWAN)
IPsec config:
FG3H0E5818903514 # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "DDNSTunnel"
        set type ddns
        set interface "port1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: DDNSTunnel (Created by VPN wizard)"
        set remotegw-ddns "labfrance.fortiddns.com"
        set psksecret ENC 2E7LCLu3XalDCW6I9/23ASdbMu2Wt40vFiDiXsiobWO6Yak2V0kLBsGqu2xap8l66CBCC048WeqJn7iXxxQAqWPCidfay5jMmrG2zfhh0+cNS8spDXBSGGavMhZX8okLTGuh8or27q/b064WEgaNlh+iaeteVSy/SKr5hWr3zX4Ucg4REYlWkQr+BQ2olNJXUiXvAg==
    next
end

FG3H0E5818903514 # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "DDNSTunnel"
        set phase1name "DDNSTunnel"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: DDNSTunnel (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "DDNSTunnel_local" <<< selectors are 0.0.0.0/0.0.0.0
        set dst-name "DDNSTunnel_remote" <<< selectors are 0.0.0.0/0.0.0.0
    next
end
FG3H0E5818****** # show system interface DDNSTunnel
config system interface
    edit "DDNSTunnel"
        set vdom "root"
        set ip 0.0.0.0 255.255.255.255
        set allowaccess ping
        set type tunnel
        set snmp-index 39
        set interface "port1"
    next
end

#FG3H0E5818****** # show system virtual-wan-link
config system virtual-wan-link
    set status enable
        config members
            edit 1
                set interface "port1"
                set gateway 10.109.31.254
            next
            edit 2
                set interface "DDNSTunnel"
            next
        end
        config health-check
            edit "Ping"
                set server "8.8.8.8"
                set members 1
            next
    end
end

#FG3H0E5818****** # show router static 1
config router static
    edit 1
        set distance 1
        set virtual-wan-link enable
    next
end

Now, verify the setup from the FGT1 perspective.
SD-WAN is configured, so two default routes are expected in the routing table: one via port1 and one via the DDNSTunnel IPsec tunnel.
However, the route via DDNSTunnel is present neither in the routing table nor in the routing database:


#FG3H0E5818****** # get router info routing-table all

Routing table for VRF=0

Codes:
K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S*      0.0.0.0/0 [1/0] via 10.109.31.254, port1
C       3.3.3.3/32 is directly connected, Loopback
S       8.8.4.4/32 [10/0] is directly connected, DDNSTunnel
S       10.5.22.99/32 [10/0] is directly connected, ipsec
O       10.25.0.0/20 [110/101] via 10.255.255.2, Gretunnel, 03:10:39
C       10.109.16.0/20 is directly connected, port1
C       10.255.255.1/32 is directly connected, Gretunnel
C       10.255.255.2/32 is directly connected, Gretunnel
C       192.168.1.0/24 is directly connected, mgmt

#FG3H0E5818****** # get router info routing-table database

Routing table for VRF=0
Codes:
K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info

S *> 0.0.0.0/0 [1/0] via 10.109.31.254, port1
S 0.0.0.0/0 [254/0] is a summary, Null <<< Blackhole route created by wizard.
C *> 3.3.3.3/32 is directly connected, Loopback
S *> 8.8.4.4/32 [10/0] is directly connected, DDNSTunnel
S *> 10.5.22.99/32 [10/0] is directly connected, ipsec
O *> 10.25.0.0/20 [110/101] via 10.255.255.2, Gretunnel, 03:11:37
C *> 10.109.16.0/20 is directly connected, port1
C *> 10.255.255.1/32 is directly connected, Gretunnel
O 10.255.255.2/32 [110/100] via 10.255.255.2, Gretunnel, 03:11:37
C *> 10.255.255.2/32 is directly connected, Gretunnel
C *> 192.168.1.0/24 is directly connected, mgmt

SD-WAN member details:

 

FG3H0E5818****** # diag sys virtual-wan-link member
Member(1): interface: port1, gateway: 10.109.31.254, priority: 0, weight: 0
Member(2): interface: DDNSTunnel, priority: 0, weight: 0

Solution:

Assign an overlay IP address to the tunnel interface on FGT1: set ip 169.254.1.1 with remote-ip 169.254.1.2, the mirror of the 169.254.1.2/169.254.1.1 pair already configured on FGT2. SD-WAN uses the tunnel's remote-ip as the member's gateway; without it, member 2 has no gateway and the SD-WAN default route cannot be installed via the tunnel.


FG3H0E5818****** # show system interface DDNSTunnel
config system interface
    edit "DDNSTunnel"
        set vdom "root"
        set ip 169.254.1.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 169.254.1.2 255.255.255.255
        set snmp-index 39
        set interface "port1"
    next
end

#FG3H0E5818****** # diag sys virtual-wan-link member
Member(1): interface: port1, gateway: 10.109.31.254, priority: 0, weight: 0
Member(2): interface: DDNSTunnel, gateway: 169.254.1.2, priority: 0, weight: 0

#FG3H0E5818****** # get router info routing-table all


Routing table for VRF=0
Codes:
K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S*      0.0.0.0/0 [1/0] via 169.254.1.2, DDNSTunnel <<< The route is here.
                  [1/0] via 10.109.31.254, port1
C 3.3.3.3/32 is directly connected, Loopback
S 8.8.4.4/32 [10/0] via 169.254.1.2, DDNSTunnel
S 10.5.22.99/32 [10/0] is directly connected, ipsec
O 10.25.0.0/20 [110/101] via 10.255.255.2, Gretunnel, 03:15:20
C 10.109.16.0/20 is directly connected, port1
C 10.255.255.1/32 is directly connected, Gretunnel
C 10.255.255.2/32 is directly connected, Gretunnel
C 169.254.1.1/32 is directly connected, DDNSTunnel
C 169.254.1.2/32 is directly connected, DDNSTunnel
C 192.168.1.0/24 is directly connected, mgmt
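As an added check (example code written for this article, not a FortiGate feature or Fortinet code), the script below parses copies of the "diag sys virtual-wan-link member" and "get router info routing-table all" outputs and reports SD-WAN members that either have no gateway or carry no installed default route. The sample outputs are constructed from the before and after states shown above; it also handles the ECMP continuation lines that start with a bare "[distance/metric] via".

```python
import re

# Constructed sample outputs, modelled on the states shown in the article:
# "before" = member 2 has no gateway and no default route via DDNSTunnel.
MEMBERS_BEFORE = """\
Member(1): interface: port1, gateway: 10.109.31.254, priority: 0, weight: 0
Member(2): interface: DDNSTunnel, priority: 0, weight: 0
"""
ROUTES_BEFORE = """\
S*      0.0.0.0/0 [1/0] via 10.109.31.254, port1
C       10.109.16.0/20 is directly connected, port1
"""
MEMBERS_AFTER = """\
Member(1): interface: port1, gateway: 10.109.31.254, priority: 0, weight: 0
Member(2): interface: DDNSTunnel, gateway: 169.254.1.2, priority: 0, weight: 0
"""
ROUTES_AFTER = """\
S*      0.0.0.0/0 [1/0] via 169.254.1.2, DDNSTunnel
                  [1/0] via 10.109.31.254, port1
C       169.254.1.1/32 is directly connected, DDNSTunnel
"""

MEMBER_RE = re.compile(r"Member\(\d+\): interface: ([^\s,]+),(?: gateway: ([^\s,]+),)?")
VIA_RE = re.compile(r"\bvia \S+, ([^\s,]+)")
DEFAULT_RE = re.compile(r"(?<![\d.])0\.0\.0\.0/0(?!\d)")

def parse_members(text):
    """Map each SD-WAN member interface to its gateway (None if not shown)."""
    members = {}
    for line in text.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            members[m.group(1)] = m.group(2)
    return members

def default_route_interfaces(text):
    """Egress interfaces of 0.0.0.0/0 in 'get router info routing-table all'.
    ECMP next hops continue on lines starting with a bare '[dist/metric] via',
    which belong to the most recent prefix line."""
    ifaces, in_default = set(), False
    for line in text.splitlines():
        s = line.strip()
        if not s.startswith("["):            # a new prefix line
            in_default = bool(DEFAULT_RE.search(s))
        m = VIA_RE.search(s)
        if in_default and m:
            ifaces.add(m.group(1))
    return ifaces

def members_missing_default(members_text, routes_text):
    """SD-WAN members that have no gateway or carry no default route."""
    via = default_route_interfaces(routes_text)
    return sorted(i for i, gw in parse_members(members_text).items()
                  if gw is None or i not in via)
```

Run it against the "before" outputs and it names DDNSTunnel; against the "after" outputs it returns an empty list.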

