FortiGate Dialup VPN between Hub and Spoke
Problem
Often a company has an HQ with several external locations. These locations frequently have only a dynamic public IP address, and they are opened and closed often; in other cases a company simply has a large number of them. Either way, maintaining a separately configured VPN tunnel on the HQ for each location is not practical.
In normal operation only the VPN tunnel over ISP1 should be used. If ISP1 fails, the tunnel over ISP2 should come online.
How should the VPNs be set up so that all locations can be connected to the HQ with as little effort as possible?
The FortiGate in the HQ is configured as a dialup server ("DialUp" mode): it has one dynamic phase 1 per ISP and accepts connections from any branch, so nothing has to be added on the hub when a new location appears. The branches connect directly to the HQ through these dynamic tunnels.
The required redundancy is achieved with one such dialup tunnel per ISP.
HQ Configuration
The first thing to do is to configure the two VPN tunnels in the HQ.
The following settings are necessary for this:
Phase 1
config vpn ipsec phase1-interface
edit "Branches_ISP1"
set type dynamic
set interface "port4"
set ike-version 2
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes256-sha256
set add-route disable
set dpd on-idle
set ipv4-start-ip 172.17.30.0
set ipv4-end-ip 172.17.30.255
set dns-mode auto
set psksecret fortinet
set dpd-retryinterval 60
next
edit "Branches_ISP2"
set type dynamic
set interface "port5"
set ike-version 2
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes256-sha256
set add-route disable
set dpd on-idle
set ipv4-start-ip 172.17.31.0
set ipv4-end-ip 172.17.31.255
set dns-mode auto
set psksecret fortinet
set dpd-retryinterval 60
next
end
- net-device enable: create a separate kernel interface for each dialup instance (this is why the hub shows Branches_ISP1_0, Branches_ISP2_1 and so on in the Verify section, one per connected branch and ISP)
- mode-cfg enable: IKE configuration mode, needed so the hub can push a tunnel IP address to the branch
- add-route disable: do not automatically add a route to the peer's destination selector; routing across the tunnel interfaces must be configured separately (static routes or a routing protocol) together with the firewall policies
- ipv4-start-ip / ipv4-end-ip: the range from which the tunnel interface addresses are assigned to the branches
- peertype any + psksecret: the hub accepts any peer ID that presents the pre-shared key, so that key is the only thing authenticating a branch; "fortinet" is a placeholder and must be replaced by a long random secret before this goes anywhere near production
IMPORTANT: The start-ip/end-ip range must split cleanly into /30 subnets, i.e. it must start on a multiple of 4 and end on a multiple of 4 minus 1. Each dialup instance receives one /30, as the 255.255.255.252 masks in the Verify section show; 172.17.30.0-172.17.30.255 therefore yields 64 /30s, which is the number of branches one dynamic phase 1 with this range can serve.
Phase 2
The Phase 2 configuration is quite easy:
config vpn ipsec phase2-interface
edit "Branches_ISP1_P2"
set phase1name "Branches_ISP1"
set proposal aes256-sha256
next
edit "Branches_ISP2_P2"
set phase1name "Branches_ISP2"
set proposal aes256-sha256
next
end
Branch Configuration
Each branch location needs the following configuration. Both tunnels are built from the same branch interface (port4); only remote-gw differs, pointing at the hub's ISP1 and ISP2 addresses respectively.
Phase 1
config vpn ipsec phase1-interface
edit "Hub_ISP1"
set interface "port4"
set ike-version 2
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes256-sha256
set add-route disable
set remote-gw 10.10.10.249
set psksecret fortinet
next
edit "Hub_ISP2"
set interface "port4"
set ike-version 2
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes256-sha256
set add-route disable
set remote-gw 10.10.60.249
set psksecret fortinet
next
end
- net-device enable: create a kernel interface for this IPsec connection
- mode-cfg enable: needed so the branch accepts the tunnel IP address pushed by the hub
- add-route disable: do not automatically add a route to the peer's destination selector; routes over the tunnel interfaces are configured separately
- remote-gw: the hub's public address on the respective ISP; the branch is always the initiator towards a fixed gateway, its own address may be dynamic because the hub side is of type dynamic
- psksecret: must match the hub's key; no ipv4-start-ip/ipv4-end-ip is configured on the branch, the tunnel address comes from the hub's range
Phase 2
config vpn ipsec phase2-interface
edit "Hub_ISP1_P2"
set phase1name "Hub_ISP1"
set proposal aes256-sha256
next
edit "Hub_ISP2_P2"
set phase1name "Hub_ISP2"
set proposal aes256-sha256
next
end
Failover
With the configuration above, both tunnels are always up. In our case the tunnel via ISP2 should only be used when the connection via ISP1 is not possible. A small change on the branches achieves this: Hub_ISP2 monitors Hub_ISP1 and is only brought up when Hub_ISP1 goes down.
config vpn ipsec phase1-interface
edit "Hub_ISP2"
set monitor Hub_ISP1
next
end
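The two things worth automating in the procedure above are the /30 rule for the hub's address range and the per-branch configuration with its backup tunnel. The following script is an added example, not code from the original post: it validates an ipv4-start-ip/ipv4-end-ip range the way the IMPORTANT note requires and renders the branch phase 1/phase 2 blocks for any number of hub gateways, adding "set monitor" for every gateway after the first. The pre-shared key policy (minimum length, deny-list of demo keys) and the placeholder key are assumptions for illustration; the hub addresses and interface names are the ones used on this page.

```python
import ipaddress

MIN_PSK_LEN = 20                                            # assumed local policy
WEAK_PSKS = {"fortinet", "password", "secret", "changeme"}  # constructed deny-list


def tunnel_pool(start_ip, end_ip):
    """Split an ipv4-start-ip/ipv4-end-ip range into the /30s it yields.

    The hub hands one /30 to each dialup instance (the Verify section
    shows 255.255.255.252 masks), so len() of the result is how many
    branches one dynamic phase1 can serve. Raises ValueError when the
    range does not split cleanly into /30 subnets (the IMPORTANT rule).
    """
    start = int(ipaddress.IPv4Address(start_ip))
    end = int(ipaddress.IPv4Address(end_ip))
    if end < start:
        raise ValueError("ipv4-end-ip is below ipv4-start-ip")
    if start % 4 or (end + 1) % 4:
        raise ValueError("%s-%s does not split into /30 subnets" % (start_ip, end_ip))
    return [ipaddress.IPv4Network((start + 4 * i, 30))
            for i in range((end - start + 1) // 4)]


def check_psk(psk):
    """Refuse demo-grade pre-shared keys: with 'peertype any' the PSK is the
    only thing that authenticates a branch to the hub."""
    if psk.lower() in WEAK_PSKS or len(psk) < MIN_PSK_LEN:
        raise ValueError("pre-shared key is a known default or shorter than %d" % MIN_PSK_LEN)
    return True


def branch_config(hubs, interface, psk, proposal="aes256-sha256"):
    """Render the branch's phase1-interface and phase2-interface blocks.

    hubs: list of (tunnel_name, hub_public_ip). The first entry is the
    primary; each later entry gets 'set monitor <primary>' so it only
    comes up when the primary tunnel is down (the Failover section).
    """
    check_psk(psk)
    primary = hubs[0][0]
    phase1, phase2 = [], []
    for index, (name, gateway) in enumerate(hubs):
        phase1 += [
            '    edit "%s"' % name,
            '        set interface "%s"' % interface,
            "        set ike-version 2",
            "        set peertype any",
            "        set net-device enable",
            "        set mode-cfg enable",
            "        set proposal %s" % proposal,
            "        set add-route disable",
            "        set remote-gw %s" % gateway,
            "        set psksecret %s" % psk,
        ]
        if index > 0:
            phase1.append('        set monitor "%s"' % primary)
        phase1.append("    next")
        phase2 += [
            '    edit "%s_P2"' % name,
            '        set phase1name "%s"' % name,
            "        set proposal %s" % proposal,
            "    next",
        ]
    return "\n".join(["config vpn ipsec phase1-interface", *phase1, "end",
                      "config vpn ipsec phase2-interface", *phase2, "end"])


if __name__ == "__main__":
    # Hub addresses from the page; the PSK is a placeholder, not a real key.
    hubs = [("Hub_ISP1", "10.10.10.249"), ("Hub_ISP2", "10.10.60.249")]
    print("ISP1 pool serves %d branches" % len(tunnel_pool("172.17.30.0", "172.17.30.255")))
    print(branch_config(hubs, "port4", "replace-with-a-long-random-secret"))
```

Run it once per branch and paste the output into the branch's CLI; the hub side needs nothing per branch, only the range check when the pool is first sized.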
Verify
Gateway
First, check that phase 1 came up and that an address from the ipv4-start-ip range was assigned (the "assigned IPv4 address" line). On the hub each connected branch appears as its own dialup instance, Branches_ISP1_0 and Branches_ISP2_1 here, with direction: responder; on the branch the same SAs show direction: initiator and identical id/spi values. Two things to notice in the captured output: the proposal line reads aes128-sha256, not the aes256-sha256 configured above, so this output was taken from a lab with a different proposal and the line should always be compared against what was configured; and both tunnels are established, so the output was evidently captured before the monitor setting from the Failover section was applied (with it, Hub_ISP2 stays down while Hub_ISP1 is up). The SK_ei, SK_er, SK_ai and SK_ar lines are the live IKE SA keys; strip them before pasting this output into a ticket or chat.
HQ
# diagnose vpn ike gateway list
vd: Internet/2
name: Branches_ISP2_1
version: 2
interface: port5 7
addr: 10.10.60.249:500 -> 10.10.40.249:500
created: 402687s ago
assigned IPv4 address: 172.17.31.5/255.255.255.252
PPK: no
IKE SA: created 1/5 established 1/5 time 0/0/0 ms
IPsec SA: created 1/2 established 1/2 time 0/0/0 ms
id/spi: 22 7b88efafa57c175e/e6cdd29de235f2d1
direction: responder
status: established 58287-58287s ago = 0ms
proposal: aes128-sha256
child: yes
SK_ei: 9da4dfabfaa633c9-b6d809026f6e3fa1
SK_er: 5276e8065cb4ca61-82328859bdb61c5b
SK_ai: 4fca714261591010-fbf053f3dab978ce-9247a81865060d83-4cb3147f5b01fe81
SK_ar: def169abca51c30e-27dff753e69a42bd-931295c4097964e3-b354fb4aa96339db
message-id sent/recv: 967/2
lifetime/rekey: 86400/27842
DPD sent/recv: 00001a24/00001a24
vd: Internet/2
name: Branches_ISP1_0
version: 2
interface: port4 6
addr: 10.10.10.249:500 -> 10.10.40.249:500
created: 400074s ago
assigned IPv4 address: 172.17.30.1/255.255.255.252
PPK: no
IKE SA: created 1/5 established 1/5 time 0/2/10 ms
IPsec SA: created 1/2 established 1/2 time 0/0/0 ms
id/spi: 23 0cb2f9523dcb6751/83781a25902ad7f1
direction: responder
status: established 55674-55674s ago = 0ms
proposal: aes128-sha256
child: yes
SK_ei: 6ee89d6a82547cff-e6642bb4d2a8d4de
SK_er: 20395838dc8f14fb-f1dec8549948e29e
SK_ai: 7fadcce880ad19e5-d12ca356935ed9a8-a98b4f38cd714a82-13057d7210de61b4
SK_ar: 638361da92986895-97b500f40b1f4ce2-1ff959a5c572e9b1-b724d131a45eb639
message-id sent/recv: 924/2
lifetime/rekey: 86400/30455
DPD sent/recv: 000019f9/000019f9
Branch
# diagnose vpn ike gateway list
vd: root/0
name: Hub_ISP2
version: 2
interface: port4 6
addr: 10.10.40.249:500 -> 10.10.60.249:500
created: 402651s ago
assigned IPv4 address: 172.17.31.5/255.255.255.252
PPK: no
IKE SA: created 1/5 established 1/5 time 0/2/10 ms
IPsec SA: created 1/2 established 1/2 time 0/5/10 ms
id/spi: 61 7b88efafa57c175e/e6cdd29de235f2d1
direction: initiator
status: established 58251-58251s ago = 0ms
proposal: aes128-sha256
child: yes
SK_ei: 9da4dfabfaa633c9-b6d809026f6e3fa1
SK_er: 5276e8065cb4ca61-82328859bdb61c5b
SK_ai: 4fca714261591010-fbf053f3dab978ce-9247a81865060d83-4cb3147f5b01fe81
SK_ar: def169abca51c30e-27dff753e69a42bd-931295c4097964e3-b354fb4aa96339db
message-id sent/recv: 2/967
lifetime/rekey: 86400/27848
DPD sent/recv: 00000000/00000000
vd: root/0
name: Hub_ISP1
version: 2
interface: port4 6
addr: 10.10.40.249:500 -> 10.10.10.249:500
created: 400038s ago
assigned IPv4 address: 172.17.30.1/255.255.255.252
PPK: no
IKE SA: created 1/5 established 1/5 time 0/2/10 ms
IPsec SA: created 1/2 established 1/2 time 10/10/10 ms
id/spi: 62 0cb2f9523dcb6751/83781a25902ad7f1
direction: initiator
status: established 55638-55638s ago = 0ms
proposal: aes128-sha256
child: yes
SK_ei: 6ee89d6a82547cff-e6642bb4d2a8d4de
SK_er: 20395838dc8f14fb-f1dec8549948e29e
SK_ai: 7fadcce880ad19e5-d12ca356935ed9a8-a98b4f38cd714a82-13057d7210de61b4
SK_ar: 638361da92986895-97b500f40b1f4ce2-1ff959a5c572e9b1-b724d131a45eb639
message-id sent/recv: 2/923
lifetime/rekey: 86400/30461
DPD sent/recv: 00000000/00000000
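Reading this listing by eye for dozens of branches does not scale, so here is an added example (not from the original post) that parses the output of "diagnose vpn ike gateway list", checks every gateway against what the configuration above expects (established, IKEv2, a /30 from the hub's pool, the configured proposal) and redacts the IKE session keys before the text is shared. SAMPLE_OUTPUT is constructed in the shape of the branch output on this page with the key material replaced by filler; the first record keeps the page's aes128-sha256 proposal so the mismatch is flagged, the second is made up as a passing case.

```python
import re

EXPECTED_PROPOSAL = "aes256-sha256"   # the phase1 proposal configured above

# Constructed sample modelled on the branch output above (keys are filler).
SAMPLE_OUTPUT = """\
vd: root/0
name: Hub_ISP2
version: 2
addr: 10.10.40.249:500 -> 10.10.60.249:500
assigned IPv4 address: 172.17.31.5/255.255.255.252
IKE SA: created 1/5 established 1/5 time 0/2/10 ms
id/spi: 61 7b88efafa57c175e/e6cdd29de235f2d1
direction: initiator
status: established 58251-58251s ago = 0ms
proposal: aes128-sha256
SK_ei: 0123456789abcdef-0123456789abcdef
SK_er: 0123456789abcdef-0123456789abcdef
SK_ai: 0123456789abcdef-0123456789abcdef-0123456789abcdef-0123456789abcdef
SK_ar: 0123456789abcdef-0123456789abcdef-0123456789abcdef-0123456789abcdef
DPD sent/recv: 00000000/00000000
vd: root/0
name: Hub_ISP1
version: 2
addr: 10.10.40.249:500 -> 10.10.10.249:500
assigned IPv4 address: 172.17.30.1/255.255.255.252
IKE SA: created 1/5 established 1/5 time 0/2/10 ms
id/spi: 62 0cb2f9523dcb6751/83781a25902ad7f1
direction: initiator
status: established 55638-55638s ago = 0ms
proposal: aes256-sha256
SK_ei: 0123456789abcdef-0123456789abcdef
SK_er: 0123456789abcdef-0123456789abcdef
DPD sent/recv: 00000000/00000000
"""


def parse_gateways(text):
    """Split the listing into one dict per 'vd:' record; the key is the text
    before the first ': ' on each line (e.g. 'status', 'assigned IPv4 address')."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        if key == "vd":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def check_gateways(text, expected_proposal=EXPECTED_PROPOSAL):
    """Return {gateway name: [findings]}; an empty list means the gateway is
    established, IKEv2, holds a /30 from the hub and negotiated the expected proposal."""
    report = {}
    for gw in parse_gateways(text):
        findings = []
        if not gw.get("status", "").startswith("established"):
            findings.append("IKE SA not established")
        if gw.get("version") != "2":
            findings.append("negotiated IKEv%s, expected IKEv2" % gw.get("version"))
        addr = gw.get("assigned IPv4 address", "")
        if not addr:
            findings.append("no mode-cfg address assigned")
        elif not addr.endswith("/255.255.255.252"):
            findings.append("assigned address %s is not a /30" % addr)
        if gw.get("proposal") != expected_proposal:
            findings.append("proposal %s != %s" % (gw.get("proposal"), expected_proposal))
        report[gw.get("name", "?")] = findings
    return report


def redact_ike_keys(text):
    """Blank the SK_ei/SK_er/SK_ai/SK_ar lines, which hold the live IKE SA keys."""
    return re.sub(r"^(\s*SK_[ea][ir]): .*$", r"\1: <redacted>", text, flags=re.M)


if __name__ == "__main__":
    for name, findings in check_gateways(SAMPLE_OUTPUT).items():
        print(name, "OK" if not findings else "; ".join(findings))
    print(redact_ike_keys(SAMPLE_OUTPUT))
```

Feed it the real listing instead of SAMPLE_OUTPUT (for example captured over SSH); on the hub the names are the dialup instances, so a branch that has fallen back to ISP2 shows up as a Branches_ISP2_* record while its Branches_ISP1_* record is missing.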
Tunnel
Next, check the phase 2 (IPsec SA) status. It is not decisive in this scenario, but worth a look: the dec/enc lines show the negotiated ESP cipher and integrity algorithm with their SPIs, and the stat line (rxp/txp) shows whether traffic actually crosses the tunnel. In the captured output the SAs use esp=aes key=16 (a 16-byte key, i.e. AES-128) with ah=sha1, again not the aes256-sha256 configured above, and all counters are zero, so no user traffic has passed yet. Because add-route is disabled on both sides, an established SA does not by itself mean anything is routed through the tunnel; routes and firewall policies still have to be in place. The hex key material after esp= and ah= is the live SA key, strip it before sharing the output.
HQ
# diagnose vpn tunnel list
list all ipsec tunnel in vd 2
------------------------------------------------------
name=Branches_ISP1_0 ver=2 serial=a 10.10.10.249:0->10.10.40.249:0 dst_mtu=1500
bound_if=6 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/720 options[02d0]=create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1 overlay_id=0
parent=Branches_ISP1 index=0
proxyid_num=1 child_num=0 refcnt=13 ilast=1 olast=1 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=6655
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Branches_ISP1_P2 proto=0 sa=1 ref=2 serial=2
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=20202 type=00 soft=0 mtu=1438 expire=41755/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43191/43200
dec: spi=88a14170 esp=aes key=16 2708bf8c3388c55101573c1250182e88
ah=sha1 key=20 5b3820b406b5ce22e3c9b0bbd8ca64ef466356f5
enc: spi=dd60bb4c esp=aes key=16 d3417e05517a098906b75bb5d8627c6b
ah=sha1 key=20 a898e6b4af7db7ee09abe3aaff8e48c05a610132
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
------------------------------------------------------
name=Branches_ISP2_1 ver=2 serial=9 10.10.60.249:0->10.10.40.249:0 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/720 options[02d0]=create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1 overlay_id=0
parent=Branches_ISP2 index=1
proxyid_num=1 child_num=0 refcnt=13 ilast=27 olast=27 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=6698
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Branches_ISP2_P2 proto=0 sa=1 ref=2 serial=2
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=20202 type=00 soft=0 mtu=1438 expire=41754/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43187/43200
dec: spi=88a14171 esp=aes key=16 a934b8909f661cd768dffe5fb333f76e
ah=sha1 key=20 13157d3cec000bf035f2abcb68eab3b8ec1daef9
enc: spi=dd60bb4d esp=aes key=16 1056c873999cb8420623283f7d24e2da
ah=sha1 key=20 dee9b4c867a7f629bb56924eb75e338b4825348e
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
Branch
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Hub_ISP1 ver=2 serial=1 10.10.40.249:0->10.10.10.249:0 dst_mtu=1500
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=13 ilast=12 olast=55884 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Hub_ISP1_P2 proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1438 expire=41593/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=dd60bb4c esp=aes key=16 d3417e05517a098906b75bb5d8627c6b
ah=sha1 key=20 a898e6b4af7db7ee09abe3aaff8e48c05a610132
enc: spi=88a14170 esp=aes key=16 2708bf8c3388c55101573c1250182e88
ah=sha1 key=20 5b3820b406b5ce22e3c9b0bbd8ca64ef466356f5
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
------------------------------------------------------
name=Hub_ISP2 ver=2 serial=2 10.10.40.249:0->10.10.60.249:0 dst_mtu=1500
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=13 ilast=0 olast=58497 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Hub_ISP2_P2 proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1438 expire=41594/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42901/43200
dec: spi=dd60bb4d esp=aes key=16 1056c873999cb8420623283f7d24e2da
ah=sha1 key=20 dee9b4c867a7f629bb56924eb75e338b4825348e
enc: spi=88a14171 esp=aes key=16 a934b8909f661cd768dffe5fb333f76e
ah=sha1 key=20 13157d3cec000bf035f2abcb68eab3b8ec1daef9
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
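The same kind of check for the phase 2 listing, as an added example that is not part of the original post: it parses "diagnose vpn tunnel list", compares the negotiated ESP cipher, key size and integrity algorithm with the aes256-sha256 phase 2 proposal configured above, flags tunnels whose SA is up but which have never carried a packet, and redacts the SA keys. SAMPLE_TUNNEL_LIST is constructed in the shape of the branch output on this page with filler keys; the Hub_ISP1 entry mirrors the page (AES-128, SHA1, zero counters), the Hub_ISP2 entry is made up as a passing case.

```python
import re

EXPECTED_ESP = ("aes", 256)   # aes256 in the phase2 proposal: 32-byte key
EXPECTED_AUTH = "sha256"      # sha256 in the phase2 proposal

# Constructed sample modelled on the branch output above (keys are filler).
SAMPLE_TUNNEL_LIST = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Hub_ISP1 ver=2 serial=1 10.10.40.249:0->10.10.10.249:0 dst_mtu=1500
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 overlay_id=0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
proxyid=Hub_ISP1_P2 proto=0 sa=1 ref=2 serial=1
SA: ref=3 options=30202 type=00 soft=0 mtu=1438 expire=41593/0B replaywin=2048
dec: spi=dd60bb4c esp=aes key=16 a1b2c3d4a1b2c3d4
ah=sha1 key=20 a1b2c3d4a1b2c3d4a1b2c3d4
enc: spi=88a14170 esp=aes key=16 a1b2c3d4a1b2c3d4
ah=sha1 key=20 a1b2c3d4a1b2c3d4a1b2c3d4
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
------------------------------------------------------
name=Hub_ISP2 ver=2 serial=2 10.10.40.249:0->10.10.60.249:0 dst_mtu=1500
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 overlay_id=0
stat: rxp=1480 txp=1322 rxb=190410 txb=151337
proxyid=Hub_ISP2_P2 proto=0 sa=1 ref=2 serial=1
dec: spi=dd60bb4d esp=aes key=32 a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4
ah=sha256 key=32 a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4
enc: spi=88a14171 esp=aes key=32 a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4
ah=sha256 key=32 a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4
dec:pkts/bytes=1480/190410, enc:pkts/bytes=1322/151337
"""

TUNNEL_RE = re.compile(r"^name=(\S+) ver=(\d+)", re.M)
STAT_RE = re.compile(r"stat: rxp=(\d+) txp=(\d+)")
# 'dec:'/'enc:' line followed by its 'ah=' line; key= gives the key length in bytes
SA_RE = re.compile(r"^(dec|enc): spi=([0-9a-f]+) esp=(\w+) key=(\d+) [0-9a-f]+\s*\n"
                   r"\s*ah=(\w+) key=(\d+) [0-9a-f]+", re.M)
KEY_RE = re.compile(r"(key=\d+) [0-9a-f]+")


def parse_tunnels(text):
    """One dict per tunnel block; blocks are separated by the dashed lines."""
    tunnels = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        head = TUNNEL_RE.search(chunk)
        if not head:
            continue
        tun = {"name": head.group(1), "ike_version": int(head.group(2)),
               "rxp": 0, "txp": 0, "sa": {}}
        stat = STAT_RE.search(chunk)
        if stat:
            tun["rxp"], tun["txp"] = int(stat.group(1)), int(stat.group(2))
        for direction, spi, esp, esp_len, auth, auth_len in SA_RE.findall(chunk):
            tun["sa"][direction] = {"spi": spi, "esp": esp, "esp_bits": int(esp_len) * 8,
                                    "auth": auth, "auth_bits": int(auth_len) * 8}
        tunnels.append(tun)
    return tunnels


def check_tunnels(text, esp=EXPECTED_ESP, auth=EXPECTED_AUTH):
    """Return {tunnel name: [findings]}; empty means SA up, expected algorithms, traffic seen."""
    report = {}
    for tun in parse_tunnels(text):
        findings = []
        if not tun["sa"]:
            findings.append("no IPsec SA: phase 2 is not up")
        for direction, sa in tun["sa"].items():
            if (sa["esp"], sa["esp_bits"]) != esp:
                findings.append("%s: esp %s-%d != %s-%d"
                                % (direction, sa["esp"], sa["esp_bits"], esp[0], esp[1]))
            if sa["auth"] != auth:
                findings.append("%s: auth %s != %s" % (direction, sa["auth"], auth))
        if tun["sa"] and tun["rxp"] == 0 and tun["txp"] == 0:
            findings.append("SA up but rxp=txp=0: check routes and policies (add-route is disabled)")
        report[tun["name"]] = findings
    return report


def redact_sa_keys(text):
    """Replace the hex after every 'key=<len>' with a placeholder."""
    return KEY_RE.sub(r"\1 <redacted>", text)


if __name__ == "__main__":
    for name, findings in check_tunnels(SAMPLE_TUNNEL_LIST).items():
        print(name, "OK" if not findings else "; ".join(findings))
    print(redact_sa_keys(SAMPLE_TUNNEL_LIST))
```

The key length is the quickest way to spot a proposal that did not apply: key=16 is AES-128, key=32 is AES-256, regardless of what the phase 2 entry says.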