Support Forum
fslomka
New Contributor

GNS3 IPsec failover simulation FortiOS 5.6.4

Crosspost: https://www.reddit.com/r/fortinet/comments/9cfksg/gns3_ipsec_faliover_simulation_fortios_564/

I am trying to simulate in GNS3 how a FortiGate would handle an IPsec failover and recovery.

Fortigate Config Customer

https://nopaste.xyz/?770ad3dc22aee4ce#QKRgHKolvL6aHPe6Lmbpbu6YgiCAI/mlSdKXgoR7xjc=

Fortigate Config Provider

https://nopaste.xyz/?67a237612bf3ac23#Pai8maxDB+1HRIiFY132ZBnS1Oy4/jd6K+h1jwTfvps=

This is my setup:

FortiGate Customer: IPsec InternetB is set to monitor IPsec InternetA, so only one IPsec tunnel at a time is possible.

Fortigate Customer 192.168.0.1

Fortigate Provider 192.168.1.1

NAT is not used for the VPN

Blackhole routing enabled

link-monitor is used on VPN

And this is what I do:

I let InternetA fail; the connection to Provider is established via InternetB and ping works again after 70 sec.

result --> Failover works without issues.

I repair InternetA again.

result --> Ping does not work anymore, and diag debug flow shows (trace_id 143 is where InternetA kicks in):

id=20085 trace_id=142 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=1, 192.168.0.130:635->192.168.1.1:2048) from port1. type=8, code=0, id=635, seq=151."
id=20085 trace_id=142 func=resolve_ip_tuple_fast line=5386 msg="Find an existing session, id-00000322, original direction"
id=20085 trace_id=142 func=ipsecdev_hard_start_xmit line=635 msg="enter IPsec interface-InternetB"
id=20085 trace_id=142 func=esp_output4 line=892 msg="IPsec encrypt/auth"
id=20085 trace_id=142 func=ipsec_output_finish line=527 msg="send to 192.168.122.216 via intf-port10"
id=20085 trace_id=143 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=1, 192.168.0.130:635->192.168.1.1:2048) from port1. type=8, code=0, id=635, seq=152."
id=20085 trace_id=143 func=resolve_ip_tuple_fast line=5386 msg="Find an existing session, id-00000322, original direction"
id=20085 trace_id=143 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-192.168.122.1 via port10"
id=20085 trace_id=143 func=fw_strict_dirty_session_check line=249 msg="SNAT mismatch policy 1 nat 1 ip 0.0.0.0, drop"
id=20085 trace_id=144 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=1, 192.168.0.130:635->192.168.1.1:2048) from port1. type=8, code=0, id=635, seq=153."
id=20085 trace_id=144 func=init_ip_session_common line=5470 msg="allocate a new session-00000360"
id=20085 trace_id=144 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-192.168.122.1 via port10"
id=20085 trace_id=144 func=fw_forward_handler line=743 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=144 func=__ip_session_run_tuple line=3209 msg="SNAT 192.168.0.130->192.168.122.213:61051"

These two messages make me think:

msg="SNAT mismatch policy 1 nat 1 ip 0.0.0.0, drop"

msg="Allowed by Policy-1: SNAT"

FortiGate tries to establish a new session via port1 --> sd-wan.

If I restart ping at this point of the scenario, this is what happens (ping works):

id=20085 trace_id=159 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=1, 192.168.0.130:636->192.168.1.1:2048) from port1. type=8, code=0, id=636, seq=1."
id=20085 trace_id=159 func=init_ip_session_common line=5470 msg="allocate a new session-00000362"
id=20085 trace_id=159 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-192.168.1.1 via InternetA"
id=20085 trace_id=159 func=fw_forward_handler line=743 msg="Allowed by Policy-3:"
id=20085 trace_id=159 func=ipsecdev_hard_start_xmit line=635 msg="enter IPsec interface-InternetA"
id=20085 trace_id=159 func=esp_output4 line=892 msg="IPsec encrypt/auth"
id=20085 trace_id=159 func=ipsec_output_finish line=527 msg="send to 192.168.122.216 via intf-port9"
id=20085 trace_id=160 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=1, 192.168.0.130:636->192.168.1.1:2048) from port1. type=8, code=0, id=636, seq=2."
id=20085 trace_id=160 func=resolve_ip_tuple_fast line=5386 msg="Find an existing session, id-00000362, original direction"
id=20085 trace_id=160 func=ipsecdev_hard_start_xmit line=635 msg="enter IPsec interface-InternetA"
id=20085 trace_id=160 func=esp_output4 line=892 msg="IPsec encrypt/auth"
id=20085 trace_id=160 func=ipsec_output_finish line=527 msg="send to 192.168.122.216 via intf-port9"
id=20085 trace_id=161 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=1, 192.168.0.130:636->192.168.1.1:2048) from port1. type=8, code=0, id=636, seq=3."
id=20085 trace_id=161 func=resolve_ip_tuple_fast line=5386 msg="Find an existing session, id-00000362, original direction"
id=20085 trace_id=161 func=ipsecdev_hard_start_xmit line=635 msg="enter IPsec interface-InternetA"
id=20085 trace_id=161 func=esp_output4 line=892 msg="IPsec encrypt/auth"
id=20085 trace_id=161 func=ipsec_output_finish line=527 msg="send to 192.168.122.216 via intf-port9"

The new session got established via policy ID 3, which is port1 --> VPN1.

In short:

All OK > InternetA broken > everything works through InternetB > InternetA repaired again > ping through VPN1 will not work anymore unless restarted.

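The debug flow excerpt in the post is easier to read when the per-packet lines are grouped by trace_id and reduced to the few fields that matter (session, route, policy, IPsec interface, drop reason). The Python script below is an added example written for this page; it is not the poster's code and not a Fortinet tool. It embeds the trace_id 142-144 lines quoted in the post as its sample input and flags the two things those lines show: session 00000322, which first entered IPsec interface InternetB, having its next packet resolve a route via port10 and get dropped by fw_strict_dirty_session_check, and the replacement session 00000360 for the same flow being allowed by Policy-1 and SNATed out port10 without entering any IPsec interface. The regular expressions assume the message wording shown in the post (FortiOS 5.6.x); other releases may phrase the messages differently.

```python
"""Triage helper for FortiOS `diagnose debug flow` output (added example, not from the post)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the trace_id 142-144 lines copied verbatim from the forum post above.
SAMPLE = """\
id=20085 trace_id=142 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=1, 192.168.0.130:635->192.168.1.1:2048) from port1. type=8, code=0, id=635, seq=151."
id=20085 trace_id=142 func=resolve_ip_tuple_fast line=5386 msg="Find an existing session, id-00000322, original direction"
id=20085 trace_id=142 func=ipsecdev_hard_start_xmit line=635 msg="enter IPsec interface-InternetB"
id=20085 trace_id=142 func=esp_output4 line=892 msg="IPsec encrypt/auth"
id=20085 trace_id=142 func=ipsec_output_finish line=527 msg="send to 192.168.122.216 via intf-port10"
id=20085 trace_id=143 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=1, 192.168.0.130:635->192.168.1.1:2048) from port1. type=8, code=0, id=635, seq=152."
id=20085 trace_id=143 func=resolve_ip_tuple_fast line=5386 msg="Find an existing session, id-00000322, original direction"
id=20085 trace_id=143 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-192.168.122.1 via port10"
id=20085 trace_id=143 func=fw_strict_dirty_session_check line=249 msg="SNAT mismatch policy 1 nat 1 ip 0.0.0.0, drop"
id=20085 trace_id=144 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=1, 192.168.0.130:635->192.168.1.1:2048) from port1. type=8, code=0, id=635, seq=153."
id=20085 trace_id=144 func=init_ip_session_common line=5470 msg="allocate a new session-00000360"
id=20085 trace_id=144 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-192.168.122.1 via port10"
id=20085 trace_id=144 func=fw_forward_handler line=743 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=144 func=__ip_session_run_tuple line=3209 msg="SNAT 192.168.0.130->192.168.122.213:61051"
"""

# Message patterns as they appear in the post (FortiOS 5.6.x wording assumed).
LINE_RE = re.compile(r'^id=\d+ trace_id=(\d+) func=\S+ line=\d+ msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=\d+, ([^-]+)->([^)]+)\)')
SESS_RE = re.compile(r'(?:Find an existing session, id-|allocate a new session-)(\w+)')
ROUTE_RE = re.compile(r'find a route: flag=\S+ gw-\S+ via (\S+)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')
IPSEC_RE = re.compile(r'enter IPsec interface-(\S+)')
SNAT_RE = re.compile(r'^SNAT \S+->(\S+)$')
DROP_RE = re.compile(r'^(.*), drop$')


@dataclass
class Trace:
    """What debug flow reported for one packet (one trace_id)."""
    trace_id: int
    flow: str = ""      # "src:port->dst:port" from print_pkt_detail
    session: str = ""   # session id, existing or freshly allocated
    route_if: str = ""  # interface the route lookup resolved to
    policy: str = ""    # firewall policy that allowed the packet
    ipsec_if: str = ""  # IPsec interface the packet entered, if any
    snat: str = ""      # translated source, if SNAT was applied
    drop: str = ""      # drop reason, if the packet was dropped


def parse_debug_flow(text: str) -> list[Trace]:
    """Group debug-flow lines by trace_id and extract the fields above."""
    traces: dict[int, Trace] = {}  # insertion-ordered, so traces stay in capture order
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompt, blank line or unrelated output
        tid = int(m.group(1))
        t = traces.setdefault(tid, Trace(trace_id=tid))
        msg = m.group(2)
        if x := PKT_RE.search(msg):
            t.flow = f"{x.group(1)}->{x.group(2)}"
        elif x := SESS_RE.search(msg):
            t.session = x.group(1)
        elif x := ROUTE_RE.search(msg):
            t.route_if = x.group(1)
        elif x := POLICY_RE.search(msg):
            t.policy = x.group(1)
        elif x := IPSEC_RE.search(msg):
            t.ipsec_if = x.group(1)
        elif x := SNAT_RE.match(msg):
            t.snat = x.group(1)
        elif x := DROP_RE.match(msg):
            t.drop = x.group(1)
    return list(traces.values())


def find_stale_sessions(traces: list[Trace]) -> list[dict]:
    """Sessions pinned to an IPsec interface whose later packets resolved to another interface and were dropped."""
    by_session: dict[str, list[Trace]] = {}
    for t in traces:
        if t.session:
            by_session.setdefault(t.session, []).append(t)
    findings = []
    for sess, hist in by_session.items():
        pinned = next((t.ipsec_if for t in hist if t.ipsec_if), "")
        for t in hist:
            if pinned and t.drop and t.route_if and t.route_if != pinned:
                findings.append({"session": sess, "trace_id": t.trace_id, "pinned_if": pinned,
                                 "new_route_if": t.route_if, "reason": t.drop})
    return findings


def find_tunnel_bypass(traces: list[Trace]) -> list[dict]:
    """Flows that once entered an IPsec interface and were later SNATed out without entering any tunnel."""
    in_tunnel: set[str] = set()
    findings = []
    for t in traces:
        if t.ipsec_if:
            in_tunnel.add(t.flow)
        elif t.snat and t.flow in in_tunnel:
            findings.append({"flow": t.flow, "trace_id": t.trace_id, "session": t.session,
                             "policy": t.policy, "route_if": t.route_if, "snat": t.snat})
    return findings
```

Run it with `python3 triage.py` after adding `print(find_stale_sessions(parse_debug_flow(SAMPLE)))` at the bottom, or paste a fresh `diagnose debug flow` capture in place of SAMPLE. A non-empty result from find_tunnel_bypass is the finding worth acting on: a flow that was inside a tunnel a moment ago is now leaving on a physical interface under a NAT policy.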
1 REPLY
fslomka
New Contributor

I have found the solution. Instead of having 2 different priorities in my static routes, I put in different distances. I am required to use the "monitor" command because I am allowed to have only one tunnel open at a time.

This is how the working routing looks right now on Customer:

config router static
    edit 2
        set dst 192.168.1.0 255.255.255.0
        set device "VPN1"
    next
    edit 3
        set dst 192.168.1.0 255.255.255.0
        set distance 11
        set device "VPN2"
    next
end

It seems that using the priority breaks something, but distance does not.