
Administration Guide

Resuming sessions for IPsec tunnel IKE version 2

FortiOS supports session resumption for IPsec tunnels using IKE version 2. The feature keeps the tunnel in an idle state for a configured interval, so usage continues uninterrupted after a client resumes from sleep or connectivity is restored after a disruption. Because the existing IKE security association is retained during that interval, the client does not need to re-authenticate when it reconnects.

config vpn ipsec phase1-interface
    edit <phase 1 name>
        set client-resume enable
        set client-resume-interval {integer length of idle time}
    next
end

Example

In the following example, the client FortiGate will be configured to enable session resumption after returning from an idle state. The resume interval is set to 120 seconds, and the interface status is checked both when the client resumes within this interval and when it resumes after the interval has expired.

Note

This example uses a pre-shared key for authentication, although signature authentication can also be used.

To enable session resumption for IPsec tunnel IKE version 2:
  1. Configure IPsec VPN for the dialup client FortiGate:

    1. Configure the IPsec phase 1 interface:

      config vpn ipsec phase1-interface
          edit "toServer"
              set interface "port9"
              set ike-version 2
              set peertype any
              set net-device enable
              set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
              set dpd on-idle
              set remote-gw 173.1.1.1
              set psksecret *****************
              set dpd-retryinterval 60
          next
      end
    2. Configure the IPsec phase 2 interface:

      config vpn ipsec phase2-interface
          edit "toServer"
              set phase1name "toServer"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end
    3. Configure the firewall policy:

      config firewall policy
          edit 1
              set srcintf "port2"
              set dstintf "toServer"
              set action accept
              set srcaddr "10.1.100.0"
              set dstaddr "192.168.5.0"
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set srcintf "toServer"
              set dstintf "port2"
              set action accept
              set srcaddr "192.168.5.0"
              set dstaddr "10.1.100.0"
              set schedule "always"
              set service "ALL"
          next
      end
  2. Configure IPsec VPN for the dialup server FortiGate:

    1. Configure the IPsec phase 1 interface:

      config vpn ipsec phase1-interface
          edit "toClient"
              set type dynamic
              set interface "port8"
              set ike-version 2
              set peertype any
              set net-device enable
              set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
              set dpd on-idle
              set client-resume enable
              set client-resume-interval 120
              set psksecret *****************
              set dpd-retryinterval 60
          next
      end
    2. Configure the IPsec phase 2 interface:

      config vpn ipsec phase2-interface
          edit "toClient"
              set phase1name "toClient"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end
    3. Configure the firewall policy:

      config firewall policy
          edit 1
              set srcintf "port2"
              set dstintf "toClient"
              set action accept
              set srcaddr "192.168.5.0"
              set dstaddr "all"
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set srcintf "toClient"
              set dstintf "port2"
              set action accept
              set srcaddr "all"
              set dstaddr "192.168.5.0"
              set schedule "always"
              set service "ALL"
          next
      end
  3. Check the IPsec phase 1 and phase 2 interface status and the client resume messages:

    1. In the following scenario, the client becomes idle or has connectivity issues but resumes within the configured 120-second interval, so the tunnel is kept and comes back up without re-authentication:

      # diagnose debug application ike -1
      ike V=root:0:toClient_0: starting client-resume sleep period 120 sec (1)
      ike V=root:0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=16,vrf=0,len=632....
      ike V=root:0: IKEv2 exchange=SA_INIT id=dfa40e0473d89550/0000000000000000 len=632
      ike V=root:0:toClient_0: client has resumed (1)
      ike 0:toClient_0:10: out 6749C602DDF25B141E24AC649641D2242E2025000000000200000050000000343F9A56C6D16E93E2F5D7BC7F66DC7CBDB3E44EA75F0A87A3238DCC08EE0BF478817EC93DF72EB2B3E027D695FACECF4E
      ike V=root:0:toClient_0:11:toClient:30: sending SNMP tunnel UP trap
      ike V=root:0:toClient_0: tunnel up event
    2. In the following scenario, the client becomes idle or has connectivity issues and the configured 120-second interval expires before it resumes. The tunnel is therefore not maintained: the IPsec SA is deleted and the dialup route is removed, and the client must negotiate a new tunnel when it returns:

      # diagnose debug application ike -1
      ike V=root:0:toClient_0:9: sent IKE msg (RETRANSMIT_INFORMATIONAL): 173.1.1.1:500->11.101.1.1:500, len=80, vrf=0, id=e50861aebc1e5b1a/6457ea1e8512148c, oif=16
      ike V=root:0:toClient_0: link is idle 16 173.1.1.1->11.101.1.1:0 dpd=1 seqno=2 rr=0
      ike V=root:0:toClient_0:9: send IKEv2 DPD probe, seqno 2
      ike V=root:0:toClient_0:9: e50861aebc1e5b1a/6457ea1e8512148c retransmission timeout
      ike V=root:0:toClient_0: starting client-resume sleep period 120 sec (1)
      ike V=root:0:toClient_0: client-resume sleep period has expired (1)
      ike V=root:0:toClient_0: going to be deleted
      ike V=root:0:toClient_0: flushing
      ike V=root:0:toClient_0: deleting IPsec SA with SPI 30c477cd
      ike V=root:0:toClient_0:toClient: deleted IPsec SA with SPI 30c477cd, SA count: 0
      ike V=toClient_0:0:toClient_0:23: del route 0.0.0.0/0.0.0.0 tunnel 11.101.1.1 oif toClient_0(45) metric 15 priority 1
      ike V=root:0:toClient_0: sending SNMP tunnel DOWN trap for toClient
      ike V=root:0:toClient_0: last dialup SA expired while client sleeping
      ike V=root:0:toClient_0: flushed
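The two debug captures above show the client-resume state machine: a sleep period starts, and the tunnel is either resumed or, once the period expires, its SA is deleted. The following added example (not part of the FortiOS guide) parses saved `diagnose debug application ike -1` output into a per-tunnel summary so an operator can see which dialup tunnels were torn down while the client was sleeping and confirm that the logged interval matches the configured `client-resume-interval`. The sample text is constructed in the shape of the guide's output; "toClient_1" is an assumed second dialup client.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the `diagnose debug application ike -1` output
# shown above. "toClient_0" and SPI 30c477cd come from the guide; "toClient_1" is a
# constructed second dialup client added to show per-tunnel tracking.
SAMPLE_DEBUG = """\
ike V=root:0:toClient_0: starting client-resume sleep period 120 sec (1)
ike V=root:0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=16,vrf=0,len=632....
ike V=root:0:toClient_0: client has resumed (1)
ike V=root:0:toClient_0:11:toClient:30: sending SNMP tunnel UP trap
ike V=root:0:toClient_1: starting client-resume sleep period 120 sec (1)
ike V=root:0:toClient_1: client-resume sleep period has expired (1)
ike V=root:0:toClient_1: deleting IPsec SA with SPI 30c477cd
ike V=root:0:toClient_1: last dialup SA expired while client sleeping
"""
# Prefix layout: "ike V=<vdom>:<n>:<tunnel>:<optional numeric/name fields>: <message>"
LINE_RE = re.compile(r"^ike V=[^:]+:\d+:(?P<tunnel>[^:\s]+):(?P<rest>.*)$")
FIELDS_RE = re.compile(r"^(?:[^\s:]+:)*\s*")  # strips the optional leading fields

def summarize_client_resume(debug_text):
    """Per-tunnel view of the client-resume state machine seen in an ike debug capture."""
    tunnels = defaultdict(lambda: {"sleeps": 0, "resumed": 0, "expired": 0,
                                   "interval_sec": None, "deleted_spis": []})
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # no tunnel field (SA_INIT, raw packet dumps): nothing to attribute
        rec = tunnels[m.group("tunnel")]
        msg = FIELDS_RE.sub("", m.group("rest"), count=1)
        sleep = re.match(r"starting client-resume sleep period (\d+) sec", msg)
        if sleep:
            rec["sleeps"] += 1
            rec["interval_sec"] = int(sleep.group(1))
        elif msg.startswith("client has resumed"):
            rec["resumed"] += 1
        elif msg.startswith("client-resume sleep period has expired"):
            rec["expired"] += 1
        else:
            spi = re.match(r"deleting IPsec SA with SPI ([0-9a-fA-F]+)", msg)
            if spi:
                rec["deleted_spis"].append(spi.group(1))
    return dict(tunnels)

def torn_down_while_sleeping(summary):
    """Tunnels whose sleep period expired before the client came back (SA deleted)."""
    return sorted(t for t, r in summary.items() if r["expired"] > 0)

def interval_mismatches(summary, configured_sec):
    """Tunnels whose logged sleep interval differs from `set client-resume-interval`."""
    return sorted(t for t, r in summary.items()
                  if r["interval_sec"] is not None and r["interval_sec"] != configured_sec)
```

Feed it the saved output of the debug command from step 3; a non-empty result from `torn_down_while_sleeping` identifies clients that will have to negotiate a fresh tunnel on return.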
