FortiGate
mtse (Staff)
Article Id 191632
Description
In scenario below, Spoke has primary and backup IPsec tunnels to the Hub.
Normally IPsec DPD can detect path connectivity and trigger failover to the backup IPsec tunnel.

However, DPD uses ISAKMP (IKE) packets, which travel on UDP port 500.
If ESP (IP protocol 50) is blocked somewhere along the path while IKE still gets through, DPD cannot detect the problem: the tunnel stays up, but no data passes.
In such a case, 'link-monitor' can be configured to regularly ping a client IP behind the remote end of the tunnel, which verifies the data path (ESP, IP protocol 50) end to end and can trigger failover to the backup tunnel.



Solution
Spoke FGT B.

Configure a loopback interface to be used as the source IP for the ping in 'link-monitor'.
The source IP can be any IP on the FortiGate; the loopback below is just an example.
A loopback IP has the benefit that it does not go down when a physical port does.
# config system interface
    edit "Test_Loopback1"
        set vdom "root"
        set ip 9.9.9.1 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end
Configure IPsec Phase2 of the primary tunnel to advertise the source IP 9.9.9.1 to Hub in its Phase 2 SA.
# config vpn ipsec phase2-interface
    edit "To_hub_Loopback"
        set phase1name "To_hub1"
        set proposal des-sha1
        set auto-negotiate enable
        set src-subnet 9.9.9.1 255.255.255.255
    next
end
Configure 'link-monitor' to ping a remote client side IP behind the IPsec tunnel using the loopback IP above as source.
# config system link-monitor
    edit "test-IPsec-path"
        set srcintf "To_hub1"     <----- Phase1 name of the tunnel to be monitored.
        set server "20.20.20.102" <----- Some-ip-on-the-other-side-of-the-tunnel.
        set source-ip 9.9.9.1     <----- Some-local-ip-as source.
    next
end
In the backup tunnel (e.g. 'To_hub2' in the example below), 'monitor-hold-down-type delay' and 'monitor-hold-down-delay' (e.g. 20 seconds in the example below) should be configured so that traffic does not switch back to the primary immediately when the primary tunnel comes up, but waits until 'link-monitor' has verified that the primary data path is good.
# config vpn ipsec phase1-interface
    edit "To_hub1"
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device enable
        set proposal des-sha1       <----- Lab example only; use a current proposal (e.g. aes256-sha256) and DH group 14 or higher in production.
        set localid "spoketest1"
        set dpd on-idle
        set dhgrp 2
        set remote-gw 10.21.21.21
        set psksecret ENC xxxxx
    next
    edit "To_hub2"
        set interface "wan2"
        set mode aggressive
        set peertype any
        set monitor-hold-down-type delay   <----- Delay switching back to the primary.
        set monitor-hold-down-delay 20     <----- Seconds to wait after the primary comes back up.
        set net-device enable
        set proposal des-sha1
        set localid "spoketest1"
        set dpd on-idle
        set dhgrp 2
        set remote-gw 10.21.21.21
        set monitor "To_hub1"              <----- Name of the primary tunnel that this backup tunnel monitors.
        set psksecret ENC xxxx
    next
end
When 'link-monitor' detects that the path is down, an event log entry is generated for the link monitor and the backup tunnel takes over.
The command 'diagnose sys link-monitor status' can be used to check the status of 'link-monitor'. The first output below shows the monitor alive; the second shows it marked 'die' after consecutive probe failures (Fail Times 4/5).
FGTB # diagnose sys link-monitor status
Link Monitor: test-IPsec-path, Status: alive, Server num(1), Flags=0x1 init, Create time: Thu Jul 29 16:23:39 2021
Source interface: To_Hub1 (18)
Source IP: 9.9.9.1
Interval: 500 ms   
  Peer: 20.20.20.102(20.20.20.102)
        Source IP(9.9.9.1)
        Route: 9.9.9.1->20.20.20.102/32, gwy(0.0.0.0)
        protocol: ping, state: alive
        Latency(Min/Max/Avg): 0.678/1.762/0.791 ms
        Jitter(Min/Max/Avg): 0.003/0.319/0.103
        Packet lost: 24.000%
        Number of out-of-sequence packets: 1846
                  Fail Times(0/5)
                  Packet sent: 135276, received: 5964, Sequence(sent/rcvd/exp): 4205/4205/17445

FGTB # diagnose sys link-monitor status

Link Monitor: test-IPsec-path, Status: die, Server num(1), Flags=0x9 init, Create time: Thu Jul 29 16:23:39 2021
Source interface: To_Hub1 (18)
Source IP: 9.9.9.1
Interval: 500 ms
  Peer: 20.20.20.102(20.20.20.102)
        Source IP(9.9.9.1)
        Route: 9.9.9.1->20.20.20.102/32, gwy(0.0.0.0)
        protocol: ping, state: die
        Packet lost: 100.000%
        Number of out-of-sequence packets: 3459
                  Recovery times(0/5) Fail Times(4/5)
                  Packet sent: 139444, received: 7577, Sequence(sent/rcvd/exp): 8373/5818/17445
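As an added example (not part of the original article and not Fortinet code), the script below parses the text of 'diagnose sys link-monitor status' as shown above into structured records and applies simple health rules to each monitor: status or peer state not 'alive', packet loss above a threshold, or a non-zero consecutive-failure counter. The sample output embedded in the script is constructed from the two captures above; the 10% loss threshold and the function names are assumptions for illustration. The parser handles several monitors in one capture (the real command lists every configured monitor), and the 'Recovery times' and 'Fail Times' counters that share one line in the second capture.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: two captures of 'diagnose sys link-monitor status'
# in the format shown in the article (healthy first, then marked 'die').
SAMPLE_OUTPUT = """\
FGTB # diagnose sys link-monitor status
Link Monitor: test-IPsec-path, Status: alive, Server num(1), Flags=0x1 init, Create time: Thu Jul 29 16:23:39 2021
Source interface: To_Hub1 (18)
Source IP: 9.9.9.1
Interval: 500 ms
  Peer: 20.20.20.102(20.20.20.102)
        Source IP(9.9.9.1)
        Route: 9.9.9.1->20.20.20.102/32, gwy(0.0.0.0)
        protocol: ping, state: alive
        Latency(Min/Max/Avg): 0.678/1.762/0.791 ms
        Jitter(Min/Max/Avg): 0.003/0.319/0.103
        Packet lost: 24.000%
        Number of out-of-sequence packets: 1846
                  Fail Times(0/5)
                  Packet sent: 135276, received: 5964, Sequence(sent/rcvd/exp): 4205/4205/17445

FGTB # diagnose sys link-monitor status
Link Monitor: test-IPsec-path, Status: die, Server num(1), Flags=0x9 init, Create time: Thu Jul 29 16:23:39 2021
Source interface: To_Hub1 (18)
Source IP: 9.9.9.1
Interval: 500 ms
  Peer: 20.20.20.102(20.20.20.102)
        Source IP(9.9.9.1)
        Route: 9.9.9.1->20.20.20.102/32, gwy(0.0.0.0)
        protocol: ping, state: die
        Packet lost: 100.000%
        Number of out-of-sequence packets: 3459
                  Recovery times(0/5) Fail Times(4/5)
                  Packet sent: 139444, received: 7577, Sequence(sent/rcvd/exp): 8373/5818/17445
"""

MONITOR_RE = re.compile(r"^Link Monitor: (?P<name>[^,]+), Status: (?P<status>\w+)")
SRCINTF_RE = re.compile(r"^Source interface: (?P<intf>\S+)")
PEER_RE = re.compile(r"^\s+Peer: (?P<addr>[\d.]+)")
STATE_RE = re.compile(r"protocol: \w+, state: (?P<state>\w+)")
LOSS_RE = re.compile(r"Packet lost: (?P<loss>[\d.]+)%")
FAIL_RE = re.compile(r"Fail Times\((?P<n>\d+)/(?P<max>\d+)\)")
RECOVERY_RE = re.compile(r"Recovery times\((?P<n>\d+)/(?P<max>\d+)\)")


@dataclass
class PeerStatus:
    address: str
    state: str = "unknown"
    packet_loss_pct: float = 0.0
    fail_times: int = 0          # consecutive failed probes
    fail_threshold: int = 0      # failures needed to mark the peer dead
    recovery_times: int = 0      # consecutive successful probes while dead


@dataclass
class MonitorStatus:
    name: str
    status: str
    source_interface: str = ""
    peers: List[PeerStatus] = field(default_factory=list)


def parse_link_monitor_status(text: str) -> List[MonitorStatus]:
    """Parse the CLI output into one MonitorStatus per 'Link Monitor:' block."""
    monitors: List[MonitorStatus] = []
    current = None
    peer = None
    for line in text.splitlines():
        if m := MONITOR_RE.match(line):
            current = MonitorStatus(m["name"], m["status"])
            monitors.append(current)
            peer = None
            continue
        if current is None:          # prompt lines and anything before the first block
            continue
        if m := SRCINTF_RE.match(line):
            current.source_interface = m["intf"]
        elif m := PEER_RE.match(line):
            peer = PeerStatus(m["addr"])
            current.peers.append(peer)
        elif peer is not None:
            if m := STATE_RE.search(line):
                peer.state = m["state"]
            if m := LOSS_RE.search(line):
                peer.packet_loss_pct = float(m["loss"])
            if m := FAIL_RE.search(line):        # may share a line with Recovery times
                peer.fail_times, peer.fail_threshold = int(m["n"]), int(m["max"])
            if m := RECOVERY_RE.search(line):
                peer.recovery_times = int(m["n"])
    return monitors


def assess(monitor: MonitorStatus, loss_threshold_pct: float = 10.0) -> List[str]:
    """Return human-readable findings; an empty list means the data path looks healthy."""
    findings = []
    if monitor.status != "alive":
        findings.append(f"{monitor.name}: monitor status is '{monitor.status}'")
    for p in monitor.peers:
        if p.state != "alive":
            findings.append(f"{monitor.name}: peer {p.address} state is '{p.state}'")
        if p.packet_loss_pct >= loss_threshold_pct:
            findings.append(f"{monitor.name}: peer {p.address} packet loss {p.packet_loss_pct:.1f}% >= {loss_threshold_pct}%")
        if p.fail_times > 0:
            findings.append(f"{monitor.name}: peer {p.address} consecutive failures {p.fail_times}/{p.fail_threshold}")
    return findings


if __name__ == "__main__":
    for snapshot in parse_link_monitor_status(SAMPLE_OUTPUT):
        print(f"{snapshot.name} via {snapshot.source_interface}: {snapshot.status}")
        for finding in assess(snapshot) or ["  no findings"]:
            print("  " + finding)
```

Feed the script the captured output (for example from a scheduled SSH collection) and alert on any non-empty finding list; note that the first capture above is still reported 'alive' by FortiOS despite 24% packet loss, which is why a loss threshold is worth checking in addition to the status field.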
Related documents:
https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/286620/vpn-ipsec-phase1-interface
https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/101620/system-link-monitor

