Using a single IKE selector in ADVPN to match all SD-WAN control plane traffic
In the SD-WAN with ADVPN use case, two spokes can communicate with each other on the control plane over an ADVPN shortcut. To separate control traffic from data traffic, IKE creates a dynamic selector for the health check packets sent between the spokes. BGP traffic between the spokes is also matched by this dynamic IKE selector. Therefore, when spokes establish BGP peering with other spokes, the BGP traffic does not count as data traffic and does not affect the IPsec idle timeout or the shortcut tunnel teardown.
Example
In this example, SD-WAN with ADVPN is configured. The IPsec ADVPN shortcut tunnel must be torn down when it is idle. SD-WAN health checks are configured, and BGP peering between the spokes is required.
To configure the Hub FortiGate:
- Configure the phase 1 interface:
config vpn ipsec phase1-interface
    edit "Hub"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set psksecret ************
        set dpd-retryinterval 60
    next
end
- Configure the phase 2 interface:
config vpn ipsec phase2-interface
    edit "Hub"
        set phase1name "Hub"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
- Configure the VPN interface:
config system interface
    edit "Hub"
        set vdom "root"
        set ip 10.10.1.250 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.1.254 255.255.255.0
        set snmp-index 50
        set interface "port2"
    next
end
- Configure the BGP settings:
config router bgp
    set as 65412
    config neighbor
        edit "10.10.1.1"
            set advertisement-interval 0
            set remote-as 65412
            set route-reflector-client enable
        next
        edit "10.10.1.2"
            set advertisement-interval 0
            set remote-as 65412
            set route-reflector-client enable
        next
    end
    config network
        edit 1
            set prefix 174.16.101.0 255.255.255.0
        next
    end
end
To configure the Spoke1 FortiGate:
- Configure the phase 1 interface:
config vpn ipsec phase1-interface
    edit "Spoke1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set add-route disable
        set npu-offload disable
        set idle-timeout enable
        set idle-timeoutinterval 5
        set auto-discovery-receiver enable
        set remote-gw 172.16.200.4
        set psksecret ************
    next
end
- Configure the phase 2 interface:
config vpn ipsec phase2-interface
    edit "Spoke1"
        set phase1name "Spoke1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
- Configure the VPN interface:
config system interface
    edit "Spoke1"
        set vdom "root"
        set ip 10.10.1.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.1.254 255.255.255.0
        set snmp-index 28
        set interface "port1"
    next
end
- Configure the BGP settings:
config router bgp
    set as 65412
    config neighbor
        edit "10.10.1.250"
            set advertisement-interval 0
            set remote-as 65412
        next
        edit "10.10.1.2"
            set remote-as 65412
        next
    end
    config network
        edit 1
            set prefix 10.1.100.0 255.255.255.0
        next
    end
end
- Configure the SD-WAN settings:
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "Spoke1"
        next
    end
    config health-check
        edit "1"
            set server "174.16.101.44"
            set members 0
        next
    end
end
To configure the Spoke2 FortiGate:
- Configure the phase 1 interface:
config vpn ipsec phase1-interface
    edit "Spoke2"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set add-route disable
        set npu-offload disable
        set idle-timeout enable
        set idle-timeoutinterval 5
        set auto-discovery-receiver enable
        set remote-gw 172.16.200.4
        set psksecret ************
    next
end
- Configure the phase 2 interface:
config vpn ipsec phase2-interface
    edit "Spoke2"
        set phase1name "Spoke2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
- Configure the VPN interface:
config system interface
    edit "Spoke2"
        set vdom "root"
        set ip 10.10.1.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.1.254 255.255.255.0
        set snmp-index 15
        set interface "wan1"
    next
end
- Configure the BGP settings:
config router bgp
    set as 65412
    config neighbor
        edit "10.10.1.250"
            set advertisement-interval 0
            set remote-as 65412
        next
        edit "10.10.1.1"
            set remote-as 65412
        next
    end
    config network
        edit 1
            set prefix 192.168.4.0 255.255.255.0
        next
    end
end
- Configure the SD-WAN settings:
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "Spoke2"
        next
    end
    config health-check
        edit "1"
            set server "174.16.101.44"
            set members 0
        next
    end
end
To verify the configuration:
- Send traffic between the spokes to establish the ADVPN shortcut.
- Verify the IPsec tunnel state on the Spoke1 FortiGate:
Spoke1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Spoke1_0 ver=2 serial=7 172.16.200.1:0->172.16.200.3:0 tun_id=10.10.1.2 tun_id6=::10.0.0.3 dst_mtu=1500 dpd-link=on weight=1
bound_if=19 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/66224 options[102b0]=create_dev rgwy-chg frag-rfc role=primary accept_traffic=1 overlay_id=0
parent=Spoke1 index=0
proxyid_num=2 child_num=0 refcnt=6 ilast=0 olast=0 ad=r/2
stat: rxp=0 txp=1 rxb=0 txb=40
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=Spoke1 proto=0 sa=1 ref=5 serial=2 adr health-check
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:10.10.1.2-10.10.1.2:0
  SA: ref=3 options=92626 type=00 soft=0 mtu=1438 expire=43055/0B replaywin=2048
       seqno=214 esn=0 replaywin_lastseq=00000213 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=43189/43200
  dec: spi=17a473be esp=aes key=16 40dfada9532cefe5563de71ac5908aa1
       ah=sha1 key=20 36e967d9b6fce8807132c3923d0edfae6cb6c115
  enc: spi=75cde30a esp=aes key=16 9bf08196d6830455a75bc676e04c816f
       ah=sha1 key=20 638db13dc4db0a6e5f523047805d18413eea4d4d
  dec:pkts/bytes=1060/42958, enc:pkts/bytes=1062/77075
  npu_flag=00 npu_rgwy=172.16.200.3 npu_lgwy=172.16.200.1 npu_selid=c dec_npuid=0 enc_npuid=0
proxyid=Spoke1 proto=0 sa=1 ref=2 serial=1 adr
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA: ref=3 options=12226 type=00 soft=0 mtu=1438 expire=43055/0B replaywin=2048
       seqno=2 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=43189/43200
  dec: spi=17a473bd esp=aes key=16 c78e5085857d0c5842e394fc44b38822
       ah=sha1 key=20 0bb885a85f77aa491a1209e4d36b7cddd7caf152
  enc: spi=75cde309 esp=aes key=16 6717935721e4a25428d6a7a633da75a9
       ah=sha1 key=20 eaf092280cf5b9f9db09ac95258786ffbfacead0
  dec:pkts/bytes=0/0, enc:pkts/bytes=2/144
  npu_flag=00 npu_rgwy=172.16.200.3 npu_lgwy=172.16.200.1 npu_selid=b dec_npuid=0 enc_npuid=0
------------------------------------------------------
name=Spoke1 ver=2 serial=1 172.16.200.1:0->172.16.200.4:0 tun_id=172.16.200.4 tun_id6=::172.16.200.4 dst_mtu=1500 dpd-link=on weight=1
bound_if=19 lgwy=static/1 tun=intf mode=auto/1 encap=none/560 options[0230]=create_dev frag-rfc role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=1 refcnt=5 ilast=0 olast=0 ad=r/2
stat: rxp=542 txp=553 rxb=22117 txb=22748
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=Spoke1 proto=0 sa=1 ref=4 serial=1 adr
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA: ref=3 options=12226 type=00 soft=0 mtu=1438 expire=42636/0B replaywin=2048
       seqno=22a esn=0 replaywin_lastseq=0000021f qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42900/43200
  dec: spi=17a473bc esp=aes key=16 eff2dc03b48968bb55b9e3950ebde431
       ah=sha1 key=20 5db42a32aec15bc8a5fe392c256d1ae8ab3b4ef8
  enc: spi=bdc3bd80 esp=aes key=16 d0ec06b61ad572cc8813b599edde8c68
       ah=sha1 key=20 0306850f0184d957e9475da33d7971653a95c233
  dec:pkts/bytes=1084/44234, enc:pkts/bytes=1106/80932
  npu_flag=00 npu_rgwy=172.16.200.4 npu_lgwy=172.16.200.1 npu_selid=0 dec_npuid=0 enc_npuid=0
The dynamic selector (the proxyid entry on the Spoke1_0 shortcut marked health-check, with its destination narrowed to 10.10.1.2) is created for SD-WAN control traffic: SD-WAN health checks and BGP traffic between the spokes.
- Verify the BGP neighbors and check the routing table:
Spoke1 # get router info bgp summary
VRF 0 BGP router identifier 172.16.200.1, local AS number 65412
BGP table version is 8
1 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.1.2       4      65412      52      76        7    0    0 00:06:27        1
10.10.1.250     4      65412      70      69        1    0    0 00:58:44        2

Total number of neighbors 2
- Stop sending traffic between the spokes, and wait for a few minutes (idle timeout).
- Verify the IPsec tunnel state on the Spoke1 FortiGate:
Spoke1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Spoke1 ver=2 serial=1 172.16.200.1:0->172.16.200.4:0 tun_id=172.16.200.4 tun_id6=::172.16.200.4 dst_mtu=1500 dpd-link=on weight=1
bound_if=19 lgwy=static/1 tun=intf mode=auto/1 encap=none/560 options[0230]=create_dev frag-rfc role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=0 olast=0 ad=r/2
stat: rxp=1467 txp=1469 rxb=60190 txb=60214
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=Spoke1 proto=0 sa=1 ref=3 serial=1 adr
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA: ref=3 options=12226 type=00 soft=0 mtu=1438 expire=42199/0B replaywin=2048
       seqno=5be esn=0 replaywin_lastseq=000005bc qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42903/43200
  dec: spi=76fdf7d1 esp=aes key=16 b26fd2dae76665f580d255b67f79df1e
       ah=sha1 key=20 14b0acc3c8c92a0af8ab43ff0437d2141b6d3f65
  enc: spi=bdc3bd85 esp=aes key=16 3eae3ad42aa32d7cdd972dfca286acd1
       ah=sha1 key=20 3655f67ee135f38e3f0790f1c7e3bd19c4a9285c
  dec:pkts/bytes=2934/120380, enc:pkts/bytes=2938/214606
  npu_flag=00 npu_rgwy=172.16.200.4 npu_lgwy=172.16.200.1 npu_selid=0 dec_npuid=0 enc_npuid=0
The shortcut tunnel between the spokes has been torn down. When data traffic is idle, the BGP traffic is not sent on the data traffic selector, so it does not keep the tunnel alive. This behavior is expected, and it is what allows the shortcut tunnel to be torn down when idle.
- Check the IKE debug messages to confirm that the ADVPN shortcut was torn down:
Spoke1 # diagnose debug enable
Spoke1 # diagnose debug application ike -1
...
ike 0:Spoke1_0: connection idle time-out
ike 0:Spoke1_0: deleting
ike 0:Spoke1_0: flushing
ike 0:Spoke1_0: deleting IPsec SA with SPI 75cde338
ike 0:Spoke1_0:Spoke1: deleted IPsec SA with SPI 75cde338, SA count: 0
ike 0:Spoke1_0: sending SNMP tunnel DOWN trap for Spoke1
ike 0:Spoke1_0: tunnel down event 0.0.0.0
ike 0:Spoke1_0:Spoke1: delete
ike 0:Spoke1_0: deleting IPsec SA with SPI 75cde337
ike 0:Spoke1_0:Spoke1: deleted IPsec SA with SPI 75cde337, SA count: 0
ike 0:Spoke1_0: sending SNMP tunnel DOWN trap for Spoke1
ike 0:Spoke1_0: tunnel down event 0.0.0.0
ike 0:Spoke1_0:Spoke1: delete
ike 0:Spoke1_0: flushed
ike 0:Spoke1_0:23:86: send informational
ike 0:Spoke1_0:23: sent IKE msg (INFORMATIONAL): 172.16.200.1:500->172.16.200.3:500, len=80, vrf=0, id=0304e1284a432105/fa7d3fd75e7f481e:00000004
ike 0:Spoke1_0: delete connected route 10.10.1.1 -> 10.10.1.2
ike 0:Spoke1_0: delete dynamic
ike 0:Spoke1_0: deleted
ike 0:Spoke1: schedule auto-negotiate
ike 0: comes 172.16.200.3:500->172.16.200.1:500,ifindex=19,vrf=0....
ike 0: IKEv2 exchange=INFORMATIONAL_RESPONSE id=0304e1284a432105/fa7d3fd75e7f481e:00000004 len=80
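The verification steps above rely on reading `diagnose vpn tunnel list` by eye, once with the shortcut up and once after the idle timeout. The following is an added example (not Fortinet's code) that automates that check: it parses the output format shown on this page, identifies ADVPN shortcuts by `mode=dial_inst`, and reports the destination of each shortcut's dynamic health-check selector. The two embedded samples are constructed from the page's output, trimmed to the fields the parser reads; the field names it relies on are assumed to be stable across the output shown.

```python
import re

# Constructed samples modelled on the page's `diagnose vpn tunnel list` output,
# trimmed to the fields this parser reads (SA keys, SPIs and counters omitted).
SHORTCUT_BLOCK = """\
name=Spoke1_0 ver=2 serial=7 172.16.200.1:0->172.16.200.3:0 tun_id=10.10.1.2
tun=intf mode=dial_inst/3 parent=Spoke1 index=0 proxyid_num=2 child_num=0
proxyid=Spoke1 proto=0 sa=1 ref=5 serial=2 adr health-check
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:10.10.1.2-10.10.1.2:0
proxyid=Spoke1 proto=0 sa=1 ref=2 serial=1 adr
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
"""
PARENT_BLOCK = """\
name=Spoke1 ver=2 serial=1 172.16.200.1:0->172.16.200.4:0 tun_id=172.16.200.4
tun=intf mode=auto/1 proxyid_num=1 child_num=1
proxyid=Spoke1 proto=0 sa=1 ref=4 serial=1 adr
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
"""
SEP = "-" * 54 + "\n"
SAMPLE_UP = "list all ipsec tunnel in vd 0\n" + SEP + SHORTCUT_BLOCK + SEP + PARENT_BLOCK
SAMPLE_DOWN = "list all ipsec tunnel in vd 0\n" + SEP + PARENT_BLOCK  # after idle timeout

# a proxyid line followed by its src: and dst: selector lines
SELECTOR = re.compile(r"^proxyid=(\S+)([^\n]*)\n\s*src: (\S+)\n\s*dst: (\S+)", re.M)

def parse_tunnel_list(text):
    """Split the output on separator lines and return one dict per tunnel."""
    tunnels = []
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        name = re.search(r"^name=(\S+)", block, re.M)
        if not name:
            continue  # header text before the first separator
        mode = re.search(r"\btun=\S+ mode=([\w-]+)", block)  # dial_inst = ADVPN shortcut
        parent = re.search(r"\bparent=(\S+)", block)
        selectors = [{"proxyid": m.group(1), "health_check": "health-check" in m.group(2),
                      "src": m.group(3), "dst": m.group(4)} for m in SELECTOR.finditer(block)]
        tunnels.append({"name": name.group(1), "mode": mode.group(1) if mode else None,
                        "parent": parent.group(1) if parent else None, "selectors": selectors})
    return tunnels

def shortcut_selectors(tunnels):
    """Map each ADVPN shortcut to the dst of its dynamic health-check selector (None if absent)."""
    result = {}
    for t in tunnels:
        if t["mode"] == "dial_inst":
            hc = [s["dst"] for s in t["selectors"] if s["health_check"]]
            result[t["name"]] = hc[0] if hc else None
    return result
```

An empty result after the idle timeout confirms the shortcut was torn down; a shortcut listed with `None` would mean the control-plane selector was not created and BGP traffic would count as data traffic.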