Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AdrianR
New Contributor III

Created on ‎05-31-2024 03:49 PM Edited on ‎06-03-2024 11:24 AM

Aggregate dial-up IPsec tunnel

Hello, I'm testing a configuration using aggregate dial-up IPsec but I'm having trouble getting it to work. The thing is that in the IPsec Tunnels configuration the aggregate "Test" shows up in green,

pic1.png

 

but when I create the static route in Network -> Static Routes it shows the aggregate "Test" as down in red.

pic 2.png

 

Did I miss something in the configuration that most be done to work?

 

If I change the VPNs to IPsec site to site not dialup the aggerate shows up (green) in static routes.

 

Can't use SDWAN because I used up all 512 members already.

Fortigates have Firmware 7.0.15

 

 

Thanks for any help you can provide!

Labels:
1220
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser
In response to AdrianR

Created on ‎06-03-2024 11:37 PM Edited on ‎06-03-2024 11:39 PM

I was not sure about the dialup/dynamic situation. So I tested it myself between two FGTs. I haven't configured IKE1 dialup/aggressive more than 10 years so I tested with IKEv2 dynamic, which should be essentially the same.

But when I tried letting both ends automatically pull those static route based on phase2 network selector with "set add-gw-route ena" on client side and "set add-route ena" on the server side, the client side didn't pull the remote subnet route somehow while the server side pulled it into its routing table.

So I abandoned the way and disabled them on both sides:
"set add-gw-route dis" on client
"set add-ruote dis" on server

Instead, I added a static route on both side like below:
<client side>
config router static
  edit 0
    set dst 192.168.150.0 255.255.255.0   <- server side subnet
    set device "agg_tun"
  next

end

and server side is specifying the opposite subnet.
And now those static routes are in the routing table properly and my pinging started coming through.

So now I think even auto-route setting should work but I just don't know exactly let the client side pull it.
As a matter of fact, when I combined both; client side=static route, server side=auto "add-route", it worked as well. So, probably it was my misunderstanding the CLI on the client side.

At least I found one way to make it work. So you can try the same.

Toshi

View solution in original post

959
10 REPLIES 10
Toshi_Esumi
SuperUser
SuperUser

Created on ‎05-31-2024 05:44 PM Edited on ‎05-31-2024 05:46 PM

What do you have in below CLI command output on both ends?

FortiGate-xxx # get vpn ipsec tun sum
'tun1' 172.16.2.2:0 selectors(total,up): 1/1 rx(pkt,err): 562/0  tx(pkt,err): 85/3
'tun2' 172.16.2.2:0 selectors(total,up): 1/1 rx(pkt,err): 37/0  tx(pkt,err): 529/0
FortiGate-xxx # diag sys ipsec-aggregate list
agg_tun algo=REDUNDANT member=2 run_tally=2
members:
        tun1
        tun2

 

Toshi

1078
AdrianR
New Contributor III
In response to Toshi_Esumi

Created on ‎06-03-2024 09:43 AM

Hello @Toshi_Esumi  sorry for the late response, here is the output, from the HUB side I don't have problemas the static route appears up (green)

HUB-40F # get vpn ipsec tun sum
'P1' 10.10.10.2:0 selectors(total,up): 1/1 rx(pkt,err): 2650/0 tx(pkt,err): 2999/2
'P2' 20.20.20.2:0 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 0/0

HUB-40F # diag sys ipsec-aggregate list
list all ipsec bundle in Test1 num_bun=1
------------------------------------------------------
1: vf=0 bundle=Test1 algo=REDUNDANT member=2
members:
tunnel=P1 weight=1
tunnel=P2 weight=1

----------------------------------------------------------------------------------------------------------------

SERVER-40F # get vpn ipsec tun sum
'P1_0' 10.10.10.1:0 selectors(total,up): 1/1 rx(pkt,err): 1803/0 tx(pkt,err): 4226/0
'P2_0' 20.20.20.1:0 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 0/0

SERVER-40F # diag sys ipsec-aggregate list
list all ipsec bundle in Test num_bun=2
------------------------------------------------------
vf=0 bundle=Test_1.1.1.1 algo=REDUNDANT member=2
members:
tunnel=P1_0 weight=1
tunnel=P2_0 weight=1
------------------------------------------------------
vf=0 bundle=Test algo=REDUNDANT member=0

970
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to AdrianR

Created on ‎06-03-2024 10:37 AM

Then, I don't see any reason you can't set up a static route. First, can you ping each other when you set the tunnel interface IP on both sides? It's /32s injected into routing table when you configure like below. So you don't need to set up routes manually.

config system interface
  edit "agg_tun"
    set vdom "root"
    set ip 10.x.x.254 255.255.255.255
    set allowaccess ping https ssh
    set type tunnel
    set remote-ip 10.x.x.253 255.255.255.255
  next
end

And your static route wouldn't show up in your routing table? "get router info routing-table static"
What is your version? It started from 6.2 but I don't think the config/behavior has changed.

Toshi

960
Toshi_Esumi
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎06-03-2024 10:49 AM Edited on ‎06-03-2024 10:49 AM

Or your route is already injected into the table as @AEK is saying based on phase2-interface network selector config. Not sure how it would work for two duplicated network selectors though for two tunnels. I regularly disable it by "set add-route disable" so I don't know the behavior about it.
Do you see it in routing-table "get router info routing-table all"?

943
AdrianR
New Contributor III
In response to Toshi_Esumi

Created on ‎06-03-2024 11:18 AM

I tried with automatic route but is the same problem, its shows down in routing table
Screenshot 2024-06-03 111147.png

Screenshot 2024-06-03 115432.png

935
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to AdrianR

Created on ‎06-03-2024 11:37 PM Edited on ‎06-03-2024 11:39 PM

I was not sure about the dialup/dynamic situation. So I tested it myself between two FGTs. I haven't configured IKE1 dialup/aggressive more than 10 years so I tested with IKEv2 dynamic, which should be essentially the same.

But when I tried letting both ends automatically pull those static route based on phase2 network selector with "set add-gw-route ena" on client side and "set add-route ena" on the server side, the client side didn't pull the remote subnet route somehow while the server side pulled it into its routing table.

So I abandoned the way and disabled them on both sides:
"set add-gw-route dis" on client
"set add-ruote dis" on server

Instead, I added a static route on both side like below:
<client side>
config router static
  edit 0
    set dst 192.168.150.0 255.255.255.0   <- server side subnet
    set device "agg_tun"
  next

end

and server side is specifying the opposite subnet.
And now those static routes are in the routing table properly and my pinging started coming through.

So now I think even auto-route setting should work but I just don't know exactly let the client side pull it.
As a matter of fact, when I combined both; client side=static route, server side=auto "add-route", it worked as well. So, probably it was my misunderstanding the CLI on the client side.

At least I found one way to make it work. So you can try the same.

Toshi

960
AdrianR
New Contributor III
In response to Toshi_Esumi

Created on ‎06-05-2024 10:25 AM

@Toshi_Esumi one more question, in the server side of your configuration does the static route detectes the aggregation as UP in green? 

781
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to AdrianR

Created on ‎06-05-2024 11:05 AM

With my 7.2.8 GUI, it's in red as in your Routing Monitor view. This might be a bug or a limitation when you use dialup/dynamic IPsec. But it's working because my pinging through the tunnel drops once I disabled the static route. I think that's all that matters.

Toshi

775
AEK
SuperUser
SuperUser

Created on ‎06-01-2024 02:46 AM

Hi

In this case does it make sense to manually add static route?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-add-automatic-route-towards-the-rem...

 

AEK
AEK
1032
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.