FortiGate
rmetzger
Staff
Article Id 195821
Description
In some IPsec scenarios, route failover must be controlled by the presence or absence of a static route in the routing table.

A typical example is a remote branch with two VPN tunnels: one to a central site and a second to a disaster recovery site.
The FortiGate in the branch has a primary static route to the central site and a secondary static route (with a higher distance) to the backup site.
The secondary static route only replaces the primary route when the primary tunnel goes down.

Another example is when static routes associated with an IPsec tunnel are advertised in an IGP, and the IGP needs to know when the tunnel is down so that it can withdraw the route.

This relies on two conditions:
- the static route associated with a tunnel is only removed when the IKE SAs are removed, i.e. when phase1 (IKE) is down
- the following phase1 parameters are enabled: auto-negotiate in FortiOS 4.3+, dpd in FortiOS 4.2.


The key element when troubleshooting is to verify the state of the tunnel interface (the actual IKE phase1), not the phase2, which is not relevant in this case.
Note that the GUI VPN Monitor displays the status of the phase2 only.


Solution
This is an example where BGP advertises static routes linked to a tunnel, hence the need to detect the loss of this route.

Configuration excerpt of the phase1 (phase2 is not relevant here), on a FortiGate running FortiOS 4.3:


FGT-1 (phase1-interface) # show  full-configuration
config vpn ipsec phase1-interface
    edit "eNB_1"
        set type static
        set interface "mgmt2"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        set nattraversal disable
        set dhgrp 2
        set keylife 28800
        set authmethod psk
        set peertype any
        set xauthtype disable
        set mode main
        set mode-cfg disable
        set proposal 3des-sha1 aes128-sha1
        set localid ''
        set localid-type auto
        set negotiate-timeout 30
        set dpd enable
        set forticlient-enforcement disable
        set remote-gw 10.73.0.161
        set monitor-phase1 ''
        set add-gw-route disable
        set psksecret ENC 1Zb7CPqcyZS91DdS8lesvTCUPLM/K2OgdTeKW+f+lIaYBnFzeBsK+wo+9LpHGFVMfvosvQuE1txGRdP3XiLMB9rrZxL0YUbTpbQ1xRcgpabkEHHS
        set auto-negotiate enable
        set dpd-retrycount 3
        set dpd-retryinterval 5
    next



FGT-1 # sho router static
    edit 3
        set device "eNB_1"
        set dst 10.184.1.1 255.255.255.255
    next
end



Operational information when the phase1 is up
=============================================


FGT-1 # get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

C       10.1.1.1/32 is directly connected, eNB_1
C       10.1.1.2/32 is directly connected, eNB_1
S       10.184.1.1/32 [10/0] via 10.1.1.1, eNB_1



FGT-1 # diagnose vpn ike gateway list

vd: root/0
name: eNB_1
version: 1
interface: mgmt2 3
addr: 10.74.1.231:500 -> 10.73.0.161:500
created: 24963s ago
IKE SA: created 1/1  established 1/1  time 80/80/80 ms
IPsec SA: created 0/0

  id/spi: 966 76fcae018fc837d8/4c2d60d0009f4ae0
  direction: initiator
  status: established 24963-24963s ago = 80ms    <<< the phase1 is UP
  proposal: 3des-sha1
  key: 645fffd4bcbd893a-ee34bce761eb670d-2e3308329ed18454
  lifetime/rekey: 28800/3536
  DPD sent/recv: 000019c3/00013471



FGT-1 # diagnose vpn tunnel list

list all ipsec tunnel in vd 0
------------------------------------------------------
name=eNB_1 ver=1 serial=1 10.74.1.231:0->10.73.0.161:0 lgwy=dyn tun=intf mode=auto bound_if=3
proxyid_num=1 child_num=0 refcnt=6 ilast=3 olast=3
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=6601
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=eNB_1 proto=0 sa=0 ref=1 auto_negotiate=0 serial=1
  src: 0:10.100.0.0/255.255.0.0:0
  dst: 0:10.184.1.1:0
                                    <<< No SA, so the phase2 is down
------------------------------------------------------


FGT-1 # diagnose netlink interface list

if=eNB_1 family=00 type=768 index=32 mtu=1412 link=0 master=0
ref=7 state=start present flags=up p2p run noarp multicast     <<< the tunnel interface is UP


The important point in the output above is that the presence of the static route depends on the existence of the IKE SA (phase1 up), even though the phase2 (IPsec) is down.



Operational information when the phase1 is down
===============================================


FGT-1 # get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
                                      <<< the static routes and connected subnets have been removed


FGT-1# get router info routing-table database

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S       10.184.1.1/32 [10/0] via 10.1.1.1, eNB_1 inactive



FGT-1 # diagnose vpn ike gateway list

vd: root/0
name: eNB_1
version: 1
interface: mgmt2 3
addr: 10.74.1.231:500 -> 10.73.0.161:500
created: 18s ago
IKE SA: created 1/1   <<<  No more IKE SA established
IPsec SA: created 0/0

  id/spi: 1810 059a3092cfe97e68/0000000000000000
  direction: initiator
  status: connecting, state 3, started 18s ago


FGT-1 # diagnose netlink interface list

if=eNB_1 family=00 type=768 index=32 mtu=1412 link=0 master=0
ref=6 state=start present tx_sched flags=up p2p noarp multicast     <<< the status RUN is not present
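The checks described above (IKE SA established, 'run' flag on the tunnel interface, static route installed) can be automated by parsing the CLI output. The following script is an added example and is not from the article or from Fortinet; the sample strings are constructed from the up/down excerpts above, and the function names are my own.

```python
import re

# Constructed samples (illustrative values), modelled on the article's excerpts of
# 'diagnose vpn ike gateway list', 'diagnose netlink interface list' and the routing table.
IKE_UP = ("vd: root/0\nname: eNB_1\nversion: 1\n"
          "IKE SA: created 1/1  established 1/1  time 80/80/80 ms\nIPsec SA: created 0/0\n"
          "\n  id/spi: 966 76fcae018fc837d8/4c2d60d0009f4ae0\n  direction: initiator\n"
          "  status: established 24963-24963s ago = 80ms\n")
IKE_DOWN = ("vd: root/0\nname: eNB_1\nversion: 1\nIKE SA: created 1/1\nIPsec SA: created 0/0\n"
            "\n  id/spi: 1810 059a3092cfe97e68/0000000000000000\n  direction: initiator\n"
            "  status: connecting, state 3, started 18s ago\n")
NL_UP = ("if=eNB_1 family=00 type=768 index=32 mtu=1412 link=0 master=0\n"
         "ref=7 state=start present flags=up p2p run noarp multicast\n")
NL_DOWN = ("if=eNB_1 family=00 type=768 index=32 mtu=1412 link=0 master=0\n"
           "ref=6 state=start present tx_sched flags=up p2p noarp multicast\n")
RT_UP = "S       10.184.1.1/32 [10/0] via 10.1.1.1, eNB_1\n"
RT_DB_DOWN = "S       10.184.1.1/32 [10/0] via 10.1.1.1, eNB_1 inactive\n"

def ike_phase1_up(gateway_output, name):
    """True if the gateway block for `name` shows an established IKE SA.
    Only the 'IKE SA:' line is consulted: phase2 ('IPsec SA:') is irrelevant here."""
    for block in re.split(r"\n(?=vd: )", gateway_output):  # one block per gateway
        if re.search(rf"^name: {re.escape(name)}$", block, re.M):
            m = re.search(r"^IKE SA: .*?established (\d+)/\d+", block, re.M)
            return m is not None and int(m.group(1)) > 0
    return False

def tunnel_iface_running(netlink_output, name):
    """True if the netlink entry for `name` carries the 'run' flag; the article's
    down-state excerpt still shows 'up' but has lost 'run'."""
    m = re.search(rf"^if={re.escape(name)} .*?\n(.*?)$", netlink_output, re.M)
    fm = re.search(r"flags=(.*)$", m.group(1)) if m else None
    return fm is not None and "run" in fm.group(1).split()

def static_route_active(routing_table, prefix, device):
    """True if the static route for `prefix` via `device` is installed; the
    'routing-table database' view lists it with 'inactive' once phase1 is down."""
    pat = rf"^S\s+{re.escape(prefix)} .*\b{re.escape(device)}\b(?! inactive)"
    return re.search(pat, routing_table, re.M) is not None

def phase1_status(gateway_output, netlink_output, name):
    """Combine the two checks the article relies on for the tunnel interface."""
    up = ike_phase1_up(gateway_output, name) and tunnel_iface_running(netlink_output, name)
    return "up" if up else "down"

if __name__ == "__main__":  # compare the article's two states
    for label, ike, nl, rt in (("up", IKE_UP, NL_UP, RT_UP), ("down", IKE_DOWN, NL_DOWN, RT_DB_DOWN)):
        print(label, phase1_status(ike, nl, "eNB_1"), static_route_active(rt, "10.184.1.1/32", "eNB_1"))
```

On a real device the three strings would be replaced by the output captured from the corresponding CLI commands.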

