Hello, I'm testing a configuration using aggregate dial-up IPsec but I'm having trouble getting it to work. The thing is that in the IPsec Tunnels configuration the aggregate "Test" shows up in green,
but when I create the static route in Network -> Static Routes it shows the aggregate "Test" as down in red.
Did I miss something in the configuration that must be done for it to work?
If I change the VPNs to IPsec site-to-site instead of dialup, the aggregate shows up (green) in static routes.
I can't use SD-WAN because I have used up all 512 members already.
The FortiGates are on firmware 7.0.15.
Thanks for any help you can provide!
What do you have in below CLI command output on both ends?
FortiGate-xxx # get vpn ipsec tun sum
'tun1' 172.16.2.2:0 selectors(total,up): 1/1 rx(pkt,err): 562/0 tx(pkt,err): 85/3
'tun2' 172.16.2.2:0 selectors(total,up): 1/1 rx(pkt,err): 37/0 tx(pkt,err): 529/0

FortiGate-xxx # diag sys ipsec-aggregate list
agg_tun algo=REDUNDANT member=2 run_tally=2
members: tun1 tun2
Toshi
Hello @Toshi_Esumi, sorry for the late response. Here is the output. On the HUB side I don't have problems, the static route appears up (green):
HUB-40F # get vpn ipsec tun sum
'P1' 10.10.10.2:0 selectors(total,up): 1/1 rx(pkt,err): 2650/0 tx(pkt,err): 2999/2
'P2' 20.20.20.2:0 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 0/0
HUB-40F # diag sys ipsec-aggregate list
list all ipsec bundle in Test1 num_bun=1
------------------------------------------------------
1: vf=0 bundle=Test1 algo=REDUNDANT member=2
members:
tunnel=P1 weight=1
tunnel=P2 weight=1
----------------------------------------------------------------------------------------------------------------
SERVER-40F # get vpn ipsec tun sum
'P1_0' 10.10.10.1:0 selectors(total,up): 1/1 rx(pkt,err): 1803/0 tx(pkt,err): 4226/0
'P2_0' 20.20.20.1:0 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 0/0
SERVER-40F # diag sys ipsec-aggregate list
list all ipsec bundle in Test num_bun=2
------------------------------------------------------
vf=0 bundle=Test_1.1.1.1 algo=REDUNDANT member=2
members:
tunnel=P1_0 weight=1
tunnel=P2_0 weight=1
------------------------------------------------------
vf=0 bundle=Test algo=REDUNDANT member=0
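As an added example (not from this thread and not a Fortinet tool), here is a small Python parser for the two diagnostic outputs quoted above. It turns `get vpn ipsec tun sum` and `diag sys ipsec-aggregate list` into a per-bundle status, so you can tell from the CLI whether the member tunnels actually have their selectors up, independently of the colour the GUI gives the route. The sample text is copied from the SERVER-40F output posted above; the status labels (UP, DEGRADED, DOWN, NO_MEMBERS) and the field names are my own choices, not FortiOS terms.

```python
import re

# Sample output copied from the SERVER-40F blocks posted in this thread.
# Used here as a constructed test fixture for the parser below.
TUN_SUM = """\
'P1_0' 10.10.10.1:0 selectors(total,up): 1/1 rx(pkt,err): 1803/0 tx(pkt,err): 4226/0
'P2_0' 20.20.20.1:0 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 0/0
"""

AGG_LIST = """\
list all ipsec bundle in Test num_bun=2
------------------------------------------------------
vf=0 bundle=Test_1.1.1.1 algo=REDUNDANT member=2
members:
tunnel=P1_0 weight=1
tunnel=P2_0 weight=1
------------------------------------------------------
vf=0 bundle=Test algo=REDUNDANT member=0
"""

# One line of "get vpn ipsec tun sum": name, peer, selector and packet counters.
TUN_RE = re.compile(
    r"^'(?P<name>[^']+)'\s+(?P<peer>\S+)\s+"
    r"selectors\(total,up\):\s*(?P<total>\d+)/(?P<up>\d+)\s+"
    r"rx\(pkt,err\):\s*(?P<rx>\d+)/(?P<rxerr>\d+)\s+"
    r"tx\(pkt,err\):\s*(?P<tx>\d+)/(?P<txerr>\d+)"
)

# Bundle header of "diag sys ipsec-aggregate list". The HUB output in the
# thread prefixes the line with "1: ", the SERVER output does not, so the
# index is optional.
BUNDLE_RE = re.compile(
    r"^(?:\d+:\s*)?vf=(?P<vf>\d+)\s+bundle=(?P<name>\S+)\s+"
    r"algo=(?P<algo>\S+)\s+member=(?P<member>\d+)"
)
MEMBER_RE = re.compile(r"^tunnel=(?P<tun>\S+)\s+weight=(?P<weight>\d+)")


def parse_tun_sum(text):
    """Map tunnel name -> counters from 'get vpn ipsec tun sum' output."""
    tunnels = {}
    for line in text.splitlines():
        m = TUN_RE.match(line.strip())
        if not m:
            continue  # prompt lines, blank lines
        d = m.groupdict()
        tunnels[d["name"]] = {
            "peer": d["peer"],
            "selectors_total": int(d["total"]),
            "selectors_up": int(d["up"]),
            "rx": int(d["rx"]), "rx_err": int(d["rxerr"]),
            "tx": int(d["tx"]), "tx_err": int(d["txerr"]),
        }
    return tunnels


def parse_agg_list(text):
    """Map bundle name -> {vf, algo, member, tunnels:[(name, weight)]}."""
    bundles = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = BUNDLE_RE.match(line)
        if m:
            current = {"vf": int(m["vf"]), "algo": m["algo"],
                       "member": int(m["member"]), "tunnels": []}
            bundles[m["name"]] = current
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            current["tunnels"].append((m["tun"], int(m["weight"])))
    return bundles


def check_bundles(bundles, tunnels):
    """Return [(bundle, status, detail)] by joining both outputs.

    A member counts as up when its tunnel has at least one selector up.
    A bundle with member=0 (like 'Test' in the thread, while the per-peer
    bundle 'Test_1.1.1.1' carries the members) is reported separately,
    since no member status can be derived for it.
    """
    report = []
    for name, b in bundles.items():
        if b["member"] == 0:
            report.append((name, "NO_MEMBERS", "bundle lists no member tunnels"))
            continue
        up, down, idle = [], [], []
        for tun, _weight in b["tunnels"]:
            t = tunnels.get(tun)
            if t is None or t["selectors_up"] == 0:
                down.append(tun)
                continue
            up.append(tun)
            if t["rx"] == 0 and t["tx"] == 0:
                idle.append(tun)  # up but carrying nothing (expected for a REDUNDANT standby)
        status = "DOWN" if not up else ("DEGRADED" if down else "UP")
        report.append((name, status, f"up={up} down={down} idle={idle}"))
    return report


if __name__ == "__main__":
    for row in check_bundles(parse_agg_list(AGG_LIST), parse_tun_sum(TUN_SUM)):
        print(*row)
```

Paste the real output of both commands into the two strings (or read them from files) and the report shows, per bundle, which members are negotiated and which are merely standby with zero traffic, which is the check Toshi is asking for above.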
Then, I don't see any reason you can't set up a static route. First, can you ping each other when you set the tunnel interface IP on both sides? The /32s are injected into the routing table when you configure it like below, so you don't need to set up those routes manually.
config system interface
    edit "agg_tun"
        set vdom "root"
        set ip 10.x.x.254 255.255.255.255
        set allowaccess ping https ssh
        set type tunnel
        set remote-ip 10.x.x.253 255.255.255.255
    next
end
And your static route wouldn't show up in your routing table? "get router info routing-table static"
What is your version? It started from 6.2 but I don't think the config/behavior has changed.
Toshi
Created on 06-03-2024 10:49 AM Edited on 06-03-2024 10:49 AM
Or your route is already injected into the table as @AEK is saying based on phase2-interface network selector config. Not sure how it would work for two duplicated network selectors though for two tunnels. I regularly disable it by "set add-route disable" so I don't know the behavior about it.
Do you see it in routing-table "get router info routing-table all"?
I tried with the automatic route but it's the same problem, it shows as down in the routing table.
Created on 06-03-2024 11:37 PM Edited on 06-03-2024 11:39 PM
I was not sure about the dialup/dynamic situation. So I tested it myself between two FGTs. I haven't configured IKEv1 dialup/aggressive mode in more than 10 years, so I tested with IKEv2 dynamic, which should be essentially the same.
But when I tried letting both ends automatically pull those static routes based on the phase2 network selector, with "set add-gw-route ena" on the client side and "set add-route ena" on the server side, the client side somehow didn't pull the remote subnet route while the server side pulled it into its routing table.
So I abandoned that way and disabled them on both sides:
"set add-gw-route dis" on client
"set add-route dis" on server
Instead, I added a static route on both sides like below:
<client side>
config router static
    edit 0
        set dst 192.168.150.0 255.255.255.0   <- server side subnet
        set device "agg_tun"
    next
end
and server side is specifying the opposite subnet.
And now those static routes are in the routing table properly and my pinging started coming through.
So now I think even the auto-route setting should work, but I just don't know exactly how to let the client side pull it.
As a matter of fact, when I combined both (client side = static route, server side = auto "add-route"), it worked as well. So probably it was my misunderstanding of the CLI on the client side.
At least I found one way to make it work. So you can try the same.
Toshi
@Toshi_Esumi one more question: on the server side of your configuration, does the static route detect the aggregate as UP (green)?
With my 7.2.8 GUI, it's in red as in your Routing Monitor view. This might be a bug or a limitation when you use dialup/dynamic IPsec. But it's working, because my pinging through the tunnel drops once I disable the static route. I think that's all that matters.
Toshi
Hi
In this case, does it make sense to manually add a static route?