FortDoog
New Contributor III

AWS IPSEC on BGP routing (how to control traffic preference for each tunnel?)

Good day guys.

I have the following setup.

  • 200F with dual WAN
  • 4 tunnels to AWS (the usual IPSEC with 2 tunnels).
  • Probably, next year, hopefully, I will have AWS Direct Connect.

Let's begin with the IPSEC tunnels first:

I'm having issues with ECMP on the AWS TGW. What I need is just failover between the tunnels, but I want to set up the priority in which they are used under normal conditions, like in the following graph:

[Image: AWS issue.jpg]

I want to influence the traffic (inbound and outbound) so it has the Tunnels in this order of preference:


  1. Main_Tunnel01
  2. Main_Tunnel02
  3. Secondary_Tunnel01
  4. Secondary_Tunnel02

Or

  1. Main IPSEC
  2. Secondary IPSEC

Right now, what I'm having (with ECMP disabled) is that I'm losing traffic partially if I lose a tunnel. If I enable ECMP, I get traffic through all the tunnels, and I do not want that.

I found the Technical Tip: Difference between asymmetric routing and auxiliary sessions. I will be testing that also, but right now I'm confused with this AWS documentation:


If I understood the AWS docs correctly, I should use:

  • Outbound traffic: Local Preference, if not, then I should use AS_Path
  • Inbound traffic: Local Preference, if not, MED, if not, then I should use AS_Path

Meaning that I would need two sets of route maps (right?). They would be identical in prefix list (my case), but they would differ regarding the Local Preference, MED and AS_Path.


My questions are:

  • Do I need to set up Local Preference, MED and AS_Path for AWS IPSEC routing influencing (all of them, meaning more route maps)?
  • Or can I use just one of them? Meaning just two route maps, one with more influence than the other.
  • If so, which one should I use (Local Preference, MED or AS_Path)???


Keep in mind that I have to leave space for the future implementation of Direct Connect, so whatever I use, I have to leave it so that if Direct Connect fails, the failover SHOULD be Main IPSEC, and if Main IPSEC fails too, then Secondary IPSEC.


Please, I need guidance, oh Wise People of the Community, help. (FYI: English is my second language, that's why I'm getting a little confused, sorry about that).

"Well, hello there"
1 Solution
BillH_FTNT
Staff

Hi, I'll share something about BGP over IPSec from on-prem to cloud.
- Suppose that you use only one VDOM, and in each tunnel you have a BGP session. Then:
1. If you want to influence traffic from AWS back to you through the tunnel you want, you should use BGP AS-Path. You can use a route-map to append more ASes into the AS path list and advertise through the BGP neighbor. Neighbors with fewer AS numbers in the AS path list will be used to send traffic back to you.
2. For traffic from Fortinet to AWS, the easy way to do it is Local Preference.

Brs/Bill
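To make the two levers in this answer concrete, here is an added model (not Fortinet code, and not from the original thread) of how a BGP speaker ranks the four tunnels once a route-map-in sets LOCAL_PREF on the FortiGate side and a route-map-out prepends the on-prem AS towards AWS. The ASNs, the LOCAL_PREF values 400/300/200/100 and the 0/1/2/3 prepend counts are constructed for the illustration; the decision process is reduced to LOCAL_PREF, AS_PATH length and MED, the three attributes discussed in the thread, so the later tie-breakers (origin, eBGP over iBGP, IGP cost, router-id) are an omission, not a claim about how the real routers behave.

```python
from dataclasses import dataclass, field, replace
from typing import Iterable, List, Optional

# Constructed ASNs for the illustration; substitute the real on-prem and AWS values.
ONPREM_ASN = 65000
AWS_ASN = 64512


@dataclass
class BgpPath:
    """One candidate path for a given prefix, learned from one BGP neighbour."""
    neighbor: str                  # tunnel name as used in the question
    local_pref: int = 100          # default LOCAL_PREF when no route-map sets it
    as_path: List[int] = field(default_factory=list)
    med: int = 0
    up: bool = True                # False once the tunnel's BGP session is down


def best_path(paths: Iterable[BgpPath]) -> Optional[BgpPath]:
    """Simplified BGP decision process: highest LOCAL_PREF, then shortest AS_PATH,
    then lowest MED. Assumption: the remaining tie-breakers are left out."""
    live = [p for p in paths if p.up]
    if not live:
        return None
    return min(live, key=lambda p: (-p.local_pref, len(p.as_path), p.med))


# Desired order from the question, best first.
TUNNEL_ORDER = ["Main_Tunnel01", "Main_Tunnel02", "Secondary_Tunnel01", "Secondary_Tunnel02"]


def outbound_candidates(down: Iterable[str] = ()) -> List[BgpPath]:
    """FortiGate's view of one AWS prefix received on each tunnel's neighbour.
    A route-map-in per neighbour sets LOCAL_PREF, highest on the preferred tunnel
    (the values 400/300/200/100 are constructed)."""
    down = set(down)
    prefs = dict(zip(TUNNEL_ORDER, (400, 300, 200, 100)))
    return [BgpPath(n, local_pref=lp, as_path=[AWS_ASN], up=n not in down)
            for n, lp in prefs.items()]


def inbound_candidates(down: Iterable[str] = ()) -> List[BgpPath]:
    """AWS's view of the on-prem prefix as advertised out of each tunnel.
    LOCAL_PREF does not cross the eBGP boundary, so the route-map-out prepends
    ONPREM_ASN 0/1/2/3 extra times; the shortest AS_PATH wins on the AWS side."""
    down = set(down)
    return [BgpPath(n, as_path=[ONPREM_ASN] * (1 + k), up=n not in down)
            for k, n in enumerate(TUNNEL_ORDER)]


def failover_order(paths: List[BgpPath]) -> List[str]:
    """Pick the best path, take it down, repeat: the sequence the tunnels are used in."""
    remaining = [replace(p) for p in paths]   # work on copies
    order = []
    while (best := best_path(remaining)) is not None:
        order.append(best.neighbor)
        best.up = False
    return order


if __name__ == "__main__":
    print("outbound (FGT -> AWS) order:", failover_order(outbound_candidates()))
    print("inbound  (AWS -> FGT) order:", failover_order(inbound_candidates()))
    print("outbound with Main_Tunnel01 down:",
          best_path(outbound_candidates(down=["Main_Tunnel01"])).neighbor)
```

Both directions come out in the order Main_Tunnel01, Main_Tunnel02, Secondary_Tunnel01, Secondary_Tunnel02, and taking a tunnel down moves selection to the next one. A future Direct Connect path would slot in with the same two levers: a higher LOCAL_PREF inbound on the FortiGate and no prepend outbound.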


26 REPLIES
BillH_FTNT


Hi FortDoog,
I think what you planned to do with BGP prefixes was right. However, to work with the prefix list, I believe you should change it slightly.
I think the common rule for prefix-list is "len <GE <=LE".
In your case the prefix you configured is a.b.c.d 255.224.0.0 ==> the len is 8+7 = 15 (255 uses 8 bits, 224 uses 7 bits)
==> It should be "ge 15"
1. You can do "ge 15" only.
2. Or ge 15 le 25
(In your first case, ge 11 is an invalid one, I think)
HTH
Bill

FortDoog
New Contributor III

any news? anyone?

"Well, hello there"
BillH_FTNT

Sorry, I will answer you in next some hours. Quite busy now. Thanks

RG/Bill

FortDoog
New Contributor III

I can wait, no problem.

"Well, hello there"
Toshi_Esumi
SuperUser

I'm not sure if I understand your requirement. But the prefix-list matches what you specify and lets the matched ones come in (or go out) and takes them into the BGP table (or sends them to neighbors) "as is". It wouldn't summarize to /16 when a /27 matches the prefix-list and place the /16 into the local BGP table.

If you, instead, want to summarize routes when the FGT advertises, like multiple /24s into one /16, to its neighbors, you can use "aggregation" below.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-implement-BGP-route-summary-aggrega...

But I don't know if the AWS side supports route aggregation on its end. You can probably ask AWS support if they support it or not. My guess is they would support it though.

Toshi

FortDoog
New Contributor III

Good day Toshi.

No, no, I don't want the device to summarize. What I want is for the firewall to accept those subnets that are /16, but using the prefix filter set to /11 (roughly speaking).

What I assumed is that if I set the prefix-list-in to /11 for a certain subnet, it will accept ALL that is enclosed by the /11 subnet, meaning the /16, by setting the ge to 11.

But from what I saw, the prefix filter does not work like that. So I wanted to know how to do this correctly.

"Well, hello there"
Toshi_Esumi

Then try this:
config router prefix-list
  edit "AWS-slash16s"
    config rule
      edit 1
        set prefix 10.160.0.0 255.248.0.0
        set ge 16
        set le 16
      next
      edit 2
        set prefix 10.64.0.0 255.240.0.0
        set ge 16
        set le 16
      next
    end
  next
end

Toshi

FortDoog
New Contributor III

Thanks Toshi.

But, as I was telling Bill, I would like to have the ge set to 16, but not the le, to allow for prefixes higher than 16.

But now I have a doubt.

Why can I not use a prefix-list-in like this:

set prefix 10.160.0.0 255.224.0.0
set ge 11

Why does the filter not allow the /16 to be accepted?

"Well, hello there"
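The confusion in this exchange is about what a prefix-list rule actually tests, so here is an added Python model (not Fortinet's implementation and not code from the thread) of the generic semantics Toshi describes: a route is taken "as is" when its leading bits agree with the rule's network and its own length falls inside the ge/le window. The length-window rules in `length_bounds` (exact match without ge/le, ge alone opening the window up to /32) are the common prefix-list convention and are stated here as an assumption; whether a given CLI accepts a particular ge value for a rule, the point Bill raises about ge 11, is vendor validation that the model does not attempt. The rules are Toshi's two entries plus the "ge 16 with no le" variant FortDoog asked for; the test routes are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PrefixRule:
    """One prefix-list rule: network and dotted mask as typed in the CLI,
    plus optional ge/le bounds on the length of the route being tested."""
    rule_id: int
    network: str
    mask: str
    ge: Optional[int] = None
    le: Optional[int] = None
    action: str = "permit"   # assumption: a rule with no explicit action permits

    @property
    def net(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.network}/{self.mask}", strict=False)

    def length_bounds(self) -> Tuple[int, int]:
        """Generic prefix-list semantics (assumption, not vendor documentation):
        no ge/le   -> route length must equal the rule length (exact match)
        ge only    -> ge <= length <= 32
        le only    -> rule length <= length <= le
        ge and le  -> ge <= length <= le"""
        plen = self.net.prefixlen
        lo = self.ge if self.ge is not None else plen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = plen
        return lo, hi

    def matches(self, route: str) -> bool:
        r = ipaddress.IPv4Network(route, strict=False)
        lo, hi = self.length_bounds()
        # The route must lie inside the rule's network (its leading bits agree)
        # and its own length must fall inside the ge/le window.
        return r.subnet_of(self.net) and lo <= r.prefixlen <= hi


def first_match(rules: List[PrefixRule], route: str) -> Optional[PrefixRule]:
    """Rules are evaluated in order; the first one that matches decides."""
    for rule in rules:
        if rule.matches(route):
            return rule
    return None


def permitted(rules: List[PrefixRule], route: str) -> bool:
    """Implicit deny when no rule matches, as with any prefix-list."""
    hit = first_match(rules, route)
    return hit is not None and hit.action == "permit"


# Toshi's two rules: only exact /16s inside 10.160.0.0/13 and 10.64.0.0/12.
AWS_SLASH16S = [
    PrefixRule(1, "10.160.0.0", "255.248.0.0", ge=16, le=16),
    PrefixRule(2, "10.64.0.0", "255.240.0.0", ge=16, le=16),
]

# The variant FortDoog asked about: ge 16 with no le, so /16 and longer both pass.
AWS_SLASH16_AND_LONGER = [
    PrefixRule(1, "10.160.0.0", "255.248.0.0", ge=16),
    PrefixRule(2, "10.64.0.0", "255.240.0.0", ge=16),
]

if __name__ == "__main__":
    # Constructed test routes, not prefixes taken from the thread.
    for route in ("10.165.0.0/16", "10.165.1.0/24", "10.160.0.0/13", "10.80.0.0/16"):
        print(f"{route:16} exact-/16 list: {permitted(AWS_SLASH16S, route)!s:5} "
              f"ge-16 list: {permitted(AWS_SLASH16_AND_LONGER, route)}")
```

Run as a script it shows that 10.165.1.0/24 is dropped by the exact-/16 list but accepted once le is removed, and that the /13 covering network itself never matches either list because its length is below the ge bound.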
BillH_FTNT

Yeah, that seems an invalid one. ge 11 is invalid. It should be ge 15.
