Description
Solution
This article describes a problem where the SD-WAN static route is not installed when a DDNS-type IPsec tunnel is configured as an SD-WAN member.
FGT1 (10.109.16.191, port1) -------- < internet > --------- (labfrance.fortiddns.com, wan1) FGT2
FGT1 has static IP.
FGT2 does not have a static IP, so it uses the DDNS feature.
FGT2 config:
#FGT92D-1 # show system ddns
config system ddns
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain "labfrance.fortiddns.com"
set monitor-interface "wan1"
next
end
#FGT92D-1 # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "DDNSTunnel"
set interface "wan1"
set peertype any
set comments "VPN: DDNSTunnel (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 10.109.16.191
set psksecret ENC yxUcniVi6XlblM2RBMCUzj1irhXA2splS1AZRSVWbBythiLSfXR/9ukoWCTiM5tPY9mhHXS5l80v2aNtk/3iaLh6d9AFTAsyu2X72OIlMHG4cGErGXBzDwmX2Tdtm1WzDCenLcfh+Qx50dfTzeryNgClUkSEWKakaoCi7JB/W9VYd1SfbcIGkeNxTGCaEhBmLNEJrQ==
next
end
#FGT92D-1 # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "DDNSTunnel"
set phase1name "DDNSTunnel"
set comments "VPN: DDNSTunnel (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "DDNSTunnel_local" <<< selectors are 0.0.0.0/0.0.0.0
set dst-name "DDNSTunnel_remote" <<< selectors are 0.0.0.0/0.0.0.0
next
end
#FGT92D-1 #
config system interface
edit "DDNSTunnel"
set vdom "root"
set ip 169.254.1.2 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 169.254.1.1 255.255.255.255
set snmp-index 7
set interface "wan1"
next
end
#FGT1 config (with SDWAN)
IPsec config:
FG3H0E5818903514 # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "DDNSTunnel"
set type ddns
set interface "port1"
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: DDNSTunnel (Created by VPN wizard)"
set remotegw-ddns "labfrance.fortiddns.com"
set psksecret ENC 2E7LCLu3XalDCW6I9/23ASdbMu2Wt40vFiDiXsiobWO6Yak2V0kLBsGqu2xap8l66CBCC048WeqJn7iXxxQAqWPCidfay5jMmrG2zfhh0+cNS8spDXBSGGavMhZX8okLTGuh8or27q/b064WEgaNlh+iaeteVSy/SKr5hWr3zX4Ucg4REYlWkQr+BQ2olNJXUiXvAg==
next
config vpn ipsec phase2-interface
edit "DDNSTunnel"
set phase1name "DDNSTunnel"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: DDNSTunnel (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "DDNSTunnel_local" <<< selectors are 0.0.0.0/0.0.0.0
set dst-name "DDNSTunnel_remote" <<< selectors are 0.0.0.0/0.0.0.0
next
FG3H0E5818****** # show system interface DDNSTunnel
config system interface
edit "DDNSTunnel"
set vdom "root"
set ip 0.0.0.0 255.255.255.255
set allowaccess ping
set type tunnel
set snmp-index 39
set interface "port1"
next
end
#FG3H0E5818****** # show system virtual-wan-link
config system virtual-wan-link
set status enable
config members
edit 1
set interface "port1"
set gateway 10.109.31.254
next
edit 2
set interface "DDNSTunnel"
next
end
config health-check
edit "Ping"
set server "8.8.8.8"
set members 1
next
end
end
#FG3H0E5818****** # show router static 1
config router static
edit 1
set distance 1
set virtual-wan-link enable
next
end
Now, verifying the setup (from an FGT1 perspective):
Since SD-WAN is configured with two members, two default routes are expected in the routing table – one via port1 and one via the DDNSTunnel IPsec tunnel.
However, the default route via DDNSTunnel appears in neither the routing table nor the routing database:
#FG3H0E5818****** # get router info routing-table all
Routing table for VRF=0
Codes:
K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [1/0] via 10.109.31.254, port1
C 3.3.3.3/32 is directly connected, Loopback
S 8.8.4.4/32 [10/0] is directly connected, DDNSTunnel
S 10.5.22.99/32 [10/0] is directly connected, ipsec
O 10.25.0.0/20 [110/101] via 10.255.255.2, Gretunnel, 03:10:39
C 10.109.16.0/20 is directly connected, port1
C 10.255.255.1/32 is directly connected, Gretunnel
C 10.255.255.2/32 is directly connected, Gretunnel
C 192.168.1.0/24 is directly connected, mgmt
#FG3H0E5818****** # get router info routing-table database
Routing table for VRF=0
Codes:
K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
S *> 0.0.0.0/0 [1/0] via 10.109.31.254, port1
S 0.0.0.0/0 [254/0] is a summary, Null <<< Blackhole route created by wizard.
C *> 3.3.3.3/32 is directly connected, Loopback
S *> 8.8.4.4/32 [10/0] is directly connected, DDNSTunnel
S *> 10.5.22.99/32 [10/0] is directly connected, ipsec
O *> 10.25.0.0/20 [110/101] via 10.255.255.2, Gretunnel, 03:11:37
C *> 10.109.16.0/20 is directly connected, port1
C *> 10.255.255.1/32 is directly connected, Gretunnel
O 10.255.255.2/32 [110/100] via 10.255.255.2, Gretunnel, 03:11:37
C *> 10.255.255.2/32 is directly connected, Gretunnel
C *> 192.168.1.0/24 is directly connected, mgmt
SD-WAN member details:
FG3H0E5818****** # diag sys virtual-wan-link member
Member(1): interface: port1, gateway: 10.109.31.254, priority: 0, weight: 0
Member(2): interface: DDNSTunnel, priority: 0, weight: 0
Solution:
Add an overlay IP address on the tunnel interface (`set ip` and `set remote-ip`), matching the addresses configured on the FGT2 side. Without an IP on the tunnel interface, the SD-WAN member has no gateway (compare the `diag sys virtual-wan-link member` output above), so no default route can be installed via it.
FG3H0E5818****** # show system interface DDNSTunnel
config system interface
edit "DDNSTunnel"
set vdom "root"
set ip 169.254.1.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 169.254.1.2 255.255.255.255
set snmp-index 39
set interface "port1"
next
end
#FG3H0E5818****** # diag sys virtual-wan-link member
Member(1): interface: port1, gateway: 10.109.31.254, priority: 0, weight: 0
Member(2): interface: DDNSTunnel, gateway: 169.254.1.2, priority: 0, weight: 0
#FG3H0E5818****** # get router info routing-table all
Routing table for VRF=0
Codes:
K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [1/0] via 169.254.1.2, DDNSTunnel <- The route is now present.
[1/0] via 10.109.31.254, port1
C 3.3.3.3/32 is directly connected, Loopback
S 8.8.4.4/32 [10/0] via 169.254.1.2, DDNSTunnel
S 10.5.22.99/32 [10/0] is directly connected, ipsec
O 10.25.0.0/20 [110/101] via 10.255.255.2, Gretunnel, 03:15:20
C 10.109.16.0/20 is directly connected, port1
C 10.255.255.1/32 is directly connected, Gretunnel
C 10.255.255.2/32 is directly connected, Gretunnel
C 169.254.1.1/32 is directly connected, DDNSTunnel
C 169.254.1.2/32 is directly connected, DDNSTunnel
C 192.168.1.0/24 is directly connected, mgmt