Description
In the scenario below, a Spoke has primary and backup IPsec tunnels to the Hub.
Normally IPsec DPD detects loss of path connectivity and triggers failover to the backup IPsec tunnel.
However, DPD is carried in IKE (ISAKMP) packets on UDP port 500 (UDP 4500 when NAT-T is in use).
If only ESP (IP protocol 50, not a port) is blocked somewhere along the path, IKE still gets through, DPD keeps succeeding, and the broken data path goes undetected.
In that case, 'link-monitor' can be configured to regularly ping a client IP behind the remote end of the tunnel, so that a data path (ESP) connectivity problem is detected and failover is triggered.

Solution
All configuration below is done on the Spoke, FGT B.
Configure a loopback interface to be used as the source IP of the 'link-monitor' ping.
The source IP can be any IP on the FGT; the loopback used here is just an example.
A loopback IP has the benefit that it will not go down like a physical port, so the monitor does not fail for reasons unrelated to the tunnel.

# config system interface
edit "Test_Loopback1"
set vdom "root"
set ip 9.9.9.1 255.255.255.255
set allowaccess ping
set type loopback
next
end

Configure IPsec Phase 2 of the primary tunnel so that the loopback IP 9.9.9.1 is advertised to the Hub as the local selector in its Phase 2 SA. Without this selector the ping sourced from 9.9.9.1 would not match any SA and could not enter the tunnel.
# config vpn ipsec phase2-interface
edit "To_hub_Loopback"
set phase1name "To_hub1"
set proposal des-sha1
set auto-negotiate enable
set src-subnet 9.9.9.1 255.255.255.255
next
end

Configure 'link-monitor' to ping a client IP on the remote side of the IPsec tunnel, using the loopback IP above as source. The values not set explicitly here are the defaults, which are visible in the status output below: a 500 ms probe interval and 5 consecutive failures before the monitor is declared dead.
# config system link-monitor
edit "test-IPsec-path"
set srcintf "To_hub1" <----- Phase1 name of the tunnel to be monitored.
set server "20.20.20.102" <----- Some IP on the other side of the tunnel.
set source-ip 9.9.9.1 <----- The local loopback IP used as source.
next
end

On the backup tunnel ('To_hub2' in the example below), 'monitor' names the primary Phase1 interface that it backs up, and 'monitor hold down' should be configured so that the backup does not switch back to the primary immediately. 'monitor-hold-down-delay' (20 seconds in the example below) makes the FortiGate wait until 'link-monitor' has verified that the primary path is good again before switching back. The des-sha1 proposal, aggressive mode and DH group 2 shown here are lab values from the test setup; for production use main mode, AES (preferably AES-GCM) with SHA-256, and DH group 14 or higher.
# config vpn ipsec phase1-interface
edit "To_hub1"
set interface "wan1"
set mode aggressive
set peertype any
set net-device enable
set proposal des-sha1
set localid "spoketest1"
set dpd on-idle
set dhgrp 2
set remote-gw 10.21.21.21
set psksecret ENC xxxxx
next
edit "To_hub2"
set interface "wan2"
set mode aggressive
set peertype any
set monitor-hold-down-type delay
set monitor-hold-down-delay 20
set net-device enable
set proposal des-sha1
set localid "spoketest1"
set dpd on-idle
set dhgrp 2
set remote-gw 10.21.21.21
set monitor "To_hub1" <----- Name of the primary Phase1 that this backup tunnel monitors (a tunnel cannot monitor itself).
set psksecret ENC xxxx
next
end

When 'link-monitor' detects that the path is down, the event is recorded in the event log.

The command 'diagnose sys link-monitor status' can be used to check the status of 'link-monitor'. The first capture below was taken while the monitor was alive, the second after the path had failed. Note that in the first capture the monitor is still 'alive' despite 24% packet loss and a large number of out-of-sequence packets: 'link-monitor' only acts on consecutive probe failures (the Fail Times counter reaching its limit), so a lossy path that has not yet died is worth alerting on separately.
FGTB # diagnose sys link-monitor status
Link Monitor: test-IPsec-path, Status: alive, Server num(1), Flags=0x1 init, Create time: Thu Jul 29 16:23:39 2021
Source interface: To_Hub1 (18)
Source IP: 9.9.9.1
Interval: 500 ms
Peer: 20.20.20.102(20.20.20.102)
Source IP(9.9.9.1)
Route: 9.9.9.1->20.20.20.102/32, gwy(0.0.0.0)
protocol: ping, state: alive
Latency(Min/Max/Avg): 0.678/1.762/0.791 ms
Jitter(Min/Max/Avg): 0.003/0.319/0.103
Packet lost: 24.000%
Number of out-of-sequence packets: 1846
Fail Times(0/5)
Packet sent: 135276, received: 5964, Sequence(sent/rcvd/exp): 4205/4205/17445
FGTB # diagnose sys link-monitor status
Link Monitor: test-IPsec-path, Status: die, Server num(1), Flags=0x9 init, Create time: Thu Jul 29 16:23:39 2021
Source interface: To_Hub1 (18)
Source IP: 9.9.9.1
Interval: 500 ms
Peer: 20.20.20.102(20.20.20.102)
Source IP(9.9.9.1)
Route: 9.9.9.1->20.20.20.102/32, gwy(0.0.0.0)
protocol: ping, state: die
Packet lost: 100.000%
Number of out-of-sequence packets: 3459
Recovery times(0/5) Fail Times(4/5)
Packet sent: 139444, received: 7577, Sequence(sent/rcvd/exp): 8373/5818/17445
Related documents.
https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/286620/vpn-ipsec-phase1-interface
https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/101620/system-link-monitor