FortDoog
New Contributor III

AWS IPSEC on BGP routing (how to control traffic preference for each tunnel?)

Good day guys.

I have the following setup.

  • 200F with dual WAN
  • 4 tunnels to AWS (the usual IPSEC with 2 tunnels).
  • Probably, next year, hopefully, I will have AWS Direct Connect.

Let's begin with the IPSEC tunnels first:

I'm having issues with the ECMP on the AWS TGW. What I need is just failover between the tunnels, but I want to set up the priority in which they are used under normal conditions, like in the following graph:

[Image: AWS issue.jpg]

I want to influence the traffic (inbound and outbound) so it has the Tunnels in this order of preference:

 

  1. Main_Tunnel01
  2. Main_Tunnel02
  3. Secondary_Tunnel01
  4. Secondary_Tunnel02

Or

  1. Main IPSEC
  2. Secondary IPSEC

Right now, what I'm having (with ECMP disabled) is that I'm losing traffic partially if I lose a Tunnel. If I enable ECMP, I get traffic through all the tunnels, and I do not want that.

 

I found the Technical Tip: Difference between asymmetric routing and auxiliary sessions. I will be testing that also, but right now I'm confused with this AWS documentation:

 

If I understood correctly the AWS docs, I should use:

  • Outbound traffic: Local Preference, if not, then I should use AS_Path
  • Inbound traffic: Local Preference, if not, MED, if not, then I should use AS_Path

Meaning that I would need two sets of route maps (right?); they would be identical in prefix list (my case), but they would differ regarding the Local Preference, MED and AS_Path.

 

My questions are:

  • Do I need to set up Local Preference, MED and AS_Path for AWS IPSEC routing influencing (all of them, meaning more route maps)?
  • Or can I use just one of them? Meaning just two route maps, one with more influence than the other.
  • If so, which one should I use (Local Preference, MED or AS_Path)?

 

Keep in mind that I have to leave space for the future implementation of the Direct Connect, so whatever I use, I have to set it up so that in case the Direct Connect fails, the failover SHOULD be Main IPSEC, and if the Main IPSEC fails too, then Secondary IPSEC.

 

Please, I need guidance, oh Wise People of the Community, Help. (FYI: English is my second language, that's why I'm getting a little confused, sorry about that).

"Well, hello there"
1 Solution
BillH_FTNT
Staff

Hi, I share something about BGP over IPSec from on-prem to cloud.
- Suppose that you use only one VDOM, and in each tunnel you have a BGP session. Then:
1. If you want to influence traffic from AWS back to you through the tunnel you want, you should use BGP AS-Path. You can use a route-map to append more AS numbers into the AS path list and advertise through the BGP neighbor. The neighbor with fewer AS numbers in the AS path list will be used to send traffic back to you.
2. For traffic from Fortinet to AWS, the easy way to do it is Local Preference.

Brs/Bill

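Bill's two-pronged approach (Local Preference for the outbound direction, AS-path prepending for the inbound direction) modelled in Python as an added example; this is not FortiOS configuration and not code from the thread. The local-preference values and the on-prem ASN 65000 are assumed placeholders, and the failover_order helper goes one step beyond the reply by enumerating the order in which the four tunnels would be used as each one fails.

```python
"""Model of how the tunnel preference order from the post falls out of
BGP best-path selection. Constructed example, not FortiOS code."""
from dataclasses import dataclass


@dataclass
class Path:
    tunnel: str
    local_pref: int = 100            # compared first: highest wins
    as_path: tuple = ("65000",)      # compared second: shortest wins
    med: int = 0                     # compared third: lowest wins


# Outbound (FortiGate -> AWS): preference expressed with Local Preference.
# Values are assumed; a future Direct Connect path would simply get a
# higher local-preference than Main_Tunnel01.
OUTBOUND = [
    Path("Main_Tunnel01", local_pref=400),
    Path("Main_Tunnel02", local_pref=300),
    Path("Secondary_Tunnel01", local_pref=200),
    Path("Secondary_Tunnel02", local_pref=100),
]

# Inbound (AWS -> FortiGate): AWS sees the same prefix over four sessions;
# the less-preferred tunnels advertise it with the on-prem ASN prepended.
ONPREM_ASN = "65000"  # placeholder ASN
INBOUND = [
    Path("Main_Tunnel01", as_path=(ONPREM_ASN,) * 1),
    Path("Main_Tunnel02", as_path=(ONPREM_ASN,) * 2),
    Path("Secondary_Tunnel01", as_path=(ONPREM_ASN,) * 3),
    Path("Secondary_Tunnel02", as_path=(ONPREM_ASN,) * 4),
]


def best_path(paths, down=()):
    """Tunnel BGP would select once tunnels listed in `down` are withdrawn.
    Tie-break order: local-pref (desc), AS-path length (asc), MED (asc)."""
    alive = [p for p in paths if p.tunnel not in down]
    if not alive:
        return None
    return min(alive, key=lambda p: (-p.local_pref, len(p.as_path), p.med)).tunnel


def failover_order(paths):
    """Order in which tunnels take over as each selected one fails in turn."""
    order, down = [], []
    while (chosen := best_path(paths, down)) is not None:
        order.append(chosen)
        down.append(chosen)
    return order


if __name__ == "__main__":
    print("outbound:", failover_order(OUTBOUND))
    print("inbound: ", failover_order(INBOUND))
```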

26 REPLIES
FortDoog
New Contributor III

If I understood correctly, the subnet mask should match the filter ge then? (Remember, simple terms, since this is all in English.)

"Well, hello there"
BillH_FTNT

 a.b.c.d 255.224.0.0

=> Subnet mask len is 15

So, the "ge" must be greater than 15.

 

Toshi_Esumi
SuperUser

ge and le length need to be longer than the network length. The error message says it all:

FGTxxxxx1 (1) # next
Invalid prefix range -- make sure: len < ge-value <= le-valueobject check operator error, -650, discard the setting
Command fail. Return code 1

I think this is common with other routers like Cisco. Or FTNT copied this spec from Cisco.

Toshi

FortDoog
New Contributor III

Ok, now I understand.

 

For posterity or anyone reading this: the filters (ge and/or le) MUST be different from the subnet you are trying to filter.

 

Like Bill and Toshi said:

 

  • set prefix a.b.c.d/20, for example.

The ge would NOT be 20, and neither would le.

It has to be:

  • in case of ge, 19. So it will take all networks greater than 19; those will be 20, 21, and so on.
  • Or the reverse of it, in case of le, 21. It is kind of like a math equation.
"Well, hello there"
Toshi_Esumi

I think 19 and 20 are prohibited if the network length is /20. Otherwise the error message the system gave me is wrong. Did you test and confirm it as fact?

 

Toshi
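The ge/le rule from the error message Toshi quoted (len < ge-value <= le-value), worked through in Python as an added example that is not FortiOS code and not from anyone in the thread; it assumes the Cisco-style prefix-list semantics Toshi mentions and uses 10.0.0.0/20 as a constructed stand-in for the a.b.c.d/20 entry above.

```python
"""Prefix-list ge/le semantics as the FortiGate error message states them
(len < ge-value <= le-value). Constructed example, not FortiOS code."""
import ipaddress

MAXLEN = 32  # IPv4 only, to keep the example short


def validate_range(length, ge=None, le=None):
    """Mirror the check behind 'Invalid prefix range -- make sure:
    len < ge-value <= le-value'. An unset ge or le is not checked."""
    if ge is not None and not length < ge <= MAXLEN:
        return False
    if le is not None:
        if ge is None and not length < le <= MAXLEN:
            return False
        if ge is not None and not ge <= le <= MAXLEN:
            return False
    return True


def matches(entry, candidate, ge=None, le=None):
    """True if `candidate` is covered by the prefix-list entry `entry`.
    Without ge/le the match is exact. ge/le widen it to more-specific
    prefixes whose length lies in [ge, le]; ge alone means up to /32,
    le alone means from the entry's own length up to le."""
    net = ipaddress.ip_network(entry)
    cand = ipaddress.ip_network(candidate)
    if not validate_range(net.prefixlen, ge, le):
        # what the CLI does at 'next': reject the entry
        raise ValueError("Invalid prefix range -- make sure: "
                         "len < ge-value <= le-value")
    if not cand.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (MAXLEN if ge is not None else net.prefixlen)
    return low <= cand.prefixlen <= high


if __name__ == "__main__":
    # /20 entry: ge 19 and ge 20 are rejected, ge 21 le 24 is accepted
    for ge in (19, 20, 21):
        state = "ok" if validate_range(20, ge) else "rejected"
        print(f"/20 with ge {ge}: {state}")
    print(matches("10.0.0.0/20", "10.0.4.0/22", ge=21, le=24))  # True
```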

FortDoog
New Contributor III

That's the thing, it did NOT give me an error. Now, there is one big thing I believe I did not point out, and it was critical to say: the firmware is 6.x.x (I don't recall the exact number right now). So most probably the whole problem was due to an old forgotten bug, and most probably corrected in newer versions.

 

I know, you will ask why in 2024 we are running a 200F firewall on 6.x.x firmware... ask my management about that... I decided just to do my best with what I got / what I am allowed to do.

"Well, hello there"
BillH_FTNT

@FortDoog You should upgrade to a new one such as 7.0.13 or 7.2.6.

I think they are better.
