Aggregate dial-up IPsec tunnel
Hello, I'm testing a configuration using aggregate dial-up IPsec, but I'm having trouble getting it to work. The thing is that in the IPsec Tunnels configuration the aggregate "Test" shows up in green, but when I create the static route in Network -> Static Routes it shows the aggregate "Test" as down in red.
Did I miss something in the configuration that must be done for it to work?
If I change the VPNs to IPsec site-to-site instead of dialup, the aggregate shows up (green) in static routes.
Can't use SDWAN because I used up all 512 members already.
Fortigates have Firmware 7.0.15
Thanks for any help you can provide!
Labels: FortiGate
Created on 06-03-2024 11:37 PM Edited on 06-03-2024 11:39 PM
I was not sure about the dialup/dynamic situation. So I tested it myself between two FGTs. I haven't configured IKEv1 dialup/aggressive in more than 10 years, so I tested with IKEv2 dynamic, which should be essentially the same.
But when I tried letting both ends automatically pull those static routes based on the phase2 network selector, with "set add-gw-route ena" on the client side and "set add-route ena" on the server side, the client side somehow didn't pull the remote subnet route, while the server side pulled it into its routing table.
So I abandoned that way and disabled them on both sides:
"set add-gw-route dis" on client
"set add-route dis" on server
Instead, I added a static route on both sides like below:
<client side>
config router static
edit 0
set dst 192.168.150.0 255.255.255.0 <- server side subnet
set device "agg_tun"
next
end
and the server side specifies the opposite subnet.
And now those static routes are in the routing table properly and my pings started coming through.
So now I think even the auto-route setting should work, but I just don't know exactly how to let the client side pull it.
As a matter of fact, when I combined both (client side = static route, server side = auto "add-route"), it worked as well. So, probably it was my misunderstanding of the CLI on the client side.
At least I found one way to make it work. So you can try the same.
Toshi
What do you get from the CLI commands below on both ends?
FortiGate-xxx # get vpn ipsec tun sum
'tun1' 172.16.2.2:0 selectors(total,up): 1/1 rx(pkt,err): 562/0 tx(pkt,err): 85/3
'tun2' 172.16.2.2:0 selectors(total,up): 1/1 rx(pkt,err): 37/0 tx(pkt,err): 529/0
FortiGate-xxx # diag sys ipsec-aggregate list
agg_tun algo=REDUNDANT member=2 run_tally=2
members: tun1 tun2
Toshi
Hello @Toshi_Esumi, sorry for the late response. Here is the output. On the HUB side I don't have problems; the static route appears up (green).
HUB-40F # get vpn ipsec tun sum
'P1' 10.10.10.2:0 selectors(total,up): 1/1 rx(pkt,err): 2650/0 tx(pkt,err): 2999/2
'P2' 20.20.20.2:0 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 0/0
HUB-40F # diag sys ipsec-aggregate list
list all ipsec bundle in Test1 num_bun=1
------------------------------------------------------
1: vf=0 bundle=Test1 algo=REDUNDANT member=2
members:
tunnel=P1 weight=1
tunnel=P2 weight=1
------------------------------------------------------
SERVER-40F # get vpn ipsec tun sum
'P1_0' 10.10.10.1:0 selectors(total,up): 1/1 rx(pkt,err): 1803/0 tx(pkt,err): 4226/0
'P2_0' 20.20.20.1:0 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 0/0
SERVER-40F # diag sys ipsec-aggregate list
list all ipsec bundle in Test num_bun=2
------------------------------------------------------
vf=0 bundle=Test_1.1.1.1 algo=REDUNDANT member=2
members:
tunnel=P1_0 weight=1
tunnel=P2_0 weight=1
------------------------------------------------------
vf=0 bundle=Test algo=REDUNDANT member=0
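A small checker for the two outputs quoted above, added here as an example and not part of the thread or of FortiOS: it parses the text of "get vpn ipsec tun sum" and "diag sys ipsec-aggregate list" and reports bundles that list no member tunnels (like "Test" with member=0 above) or members whose selectors are not up, which is what you would want to know before trusting a static route over the aggregate. The sample strings are constructed from the SERVER-40F output.

```python
import re
# Constructed sample output, modelled on the SERVER-40F output quoted in this thread.
TUN_SUM = (
    "'P1_0' 10.10.10.1:0 selectors(total,up): 1/1 rx(pkt,err): 1803/0 tx(pkt,err): 4226/0\n"
    "'P2_0' 20.20.20.1:0 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 0/0\n"
)
AGG_LIST = (
    "list all ipsec bundle in Test num_bun=2\n"
    "vf=0 bundle=Test_1.1.1.1 algo=REDUNDANT member=2\n"
    "members:\n"
    "tunnel=P1_0 weight=1\n"
    "tunnel=P2_0 weight=1\n"
    "vf=0 bundle=Test algo=REDUNDANT member=0\n"
)
# One record of 'get vpn ipsec tun sum' (also matches records run together on one line)
TUN_RE = re.compile(
    r"'(?P<name>[^']+)'\s+\S+\s+selectors\(total,up\):\s*(?P<total>\d+)/(?P<up>\d+)"
    r"\s+rx\(pkt,err\):\s*(?P<rx>\d+)/(?P<rxerr>\d+)\s+tx\(pkt,err\):\s*(?P<tx>\d+)/(?P<txerr>\d+)"
)
BUNDLE_RE = re.compile(r"bundle=(?P<name>\S+)\s+algo=(?P<algo>\S+)\s+member=(?P<member>\d+)")
MEMBER_RE = re.compile(r"tunnel=(?P<name>\S+)\s+weight=\d+")

def parse_tun_sum(text):
    # tunnel name -> integer counters (total/up selectors, rx/tx packets and errors)
    return {m["name"]: {k: int(v) for k, v in m.groupdict().items() if k != "name"}
            for m in TUN_RE.finditer(text)}

def parse_agg_list(text):
    # a bundle header opens a new bundle; the tunnel= lines that follow are its members
    bundles, current = {}, None
    for line in text.splitlines():
        if m := BUNDLE_RE.search(line):
            current = m["name"]
            bundles[current] = {"algo": m["algo"], "member": int(m["member"]), "tunnels": []}
        elif current and (m := MEMBER_RE.search(line)):
            bundles[current]["tunnels"].append(m["name"])
    return bundles

def check_bundles(tunnels, bundles):
    # findings a monitoring job would raise before trusting a route over the aggregate
    findings = []
    for name, b in bundles.items():
        if b["member"] == 0 or not b["tunnels"]:
            findings.append(f"{name}: bundle lists no member tunnels")
        for t in b["tunnels"]:
            info = tunnels.get(t)
            if info is None:
                findings.append(f"{name}: member {t} absent from tunnel summary")
            elif info["up"] < info["total"]:
                findings.append(f"{name}: member {t} has {info['up']}/{info['total']} selectors up")
    return findings
```

Run check_bundles(parse_tun_sum(TUN_SUM), parse_agg_list(AGG_LIST)) on the sample: the populated bundle Test_1.1.1.1 produces no finding, while the empty bundle Test is reported.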
Then I don't see any reason you can't set up a static route. First, can you ping each other when you set the tunnel interface IP on both sides? /32s are injected into the routing table when you configure it like below, so you don't need to set up routes manually.
config system interface
    edit "agg_tun"
        set vdom "root"
        set ip 10.x.x.254 255.255.255.255
        set allowaccess ping https ssh
        set type tunnel
        set remote-ip 10.x.x.253 255.255.255.255
    next
end
And your static route wouldn't show up in your routing table? "get router info routing-table static"
What is your version? It started from 6.2 but I don't think the config/behavior has changed.
Toshi
Created on 06-03-2024 10:49 AM Edited on 06-03-2024 10:49 AM
Or your route is already injected into the table, as @AEK is saying, based on the phase2-interface network selector config. Not sure how it would work for two duplicated network selectors for two tunnels, though. I regularly disable it with "set add-route disable", so I don't know the behavior.
Do you see it in routing-table "get router info routing-table all"?
I tried with the automatic route but it's the same problem; it shows as down in the routing table.
@Toshi_Esumi, one more question: on the server side of your configuration, does the static route detect the aggregate as UP (green)?
With my 7.2.8 GUI, it's in red as in your Routing Monitor view. This might be a bug or a limitation when you use dialup/dynamic IPsec. But it's working, because my pings through the tunnel drop once I disable the static route. I think that's all that matters.
Toshi
Hi,
In this case, does it make sense to manually add a static route?