Resuming sessions for IPsec tunnel IKE version 2
FortiOS supports session resumptions for IPsec tunnel IKE version 2. This feature enhances the user experience by maintaining the tunnel in an idle state, which allows for uninterrupted usage even after a client resumes from sleep or when connectivity is restored after a disruption. Furthermore, it removes the necessity for re-authentication when reconnecting, making the process more efficient.
config vpn ipsec phase1-interface edit <phase 1 name> set client-resume enable set client-resume-interval {integer length of idle time} next end
Example
In the following example, the client FortiGate will be configured to enable session resumption after returning from an idle state. The resume interval will be set as 120 seconds and the interface status will be tested when the client resumes within and past this interval.
This example uses a pre-shared key for authentication, although signature authentication can also be used. |
To enable session resumption for IPsec tunnel IKE version 2:
-
Configure IPsec VPN for the dialup client FortiGate:
-
Configure the IPsec phase 1 interface:
config vpn ipsec phase1-interface edit "toServer" set interface "port9" set ike-version 2 set peertype any set net-device enable set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256 set dpd on-idle set remote-gw 173.1.1.1 set psksecret ***************** set dpd-retryinterval 60 next end
-
Configure the IPsec phase 2 interface:
config vpn ipsec phase2-interface edit "toServer" set phase1name "toServer" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 next end
-
Configure the firewall policy:
config firewall policy edit 1 set srcintf "port2" set dstintf "toServer" set action accept set srcaddr "10.1.100.0" set dstaddr "192.168.5.0" set schedule "always" set service "ALL" next edit 2 set srcintf "toServer" set dstintf "port2" set action accept set srcaddr "192.168.5.0" set dstaddr "10.1.100.0" set schedule "always" set service "ALL" next end
-
-
Configure IPsec VPN for the dialup server FortiGate:
-
Configure the IPsec phase 1 interface:
config vpn ipsec phase1-interface edit "toClient" set type dynamic set interface "port8" set ike-version 2 set peertype any set net-device enable set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256 set dpd on-idle set client-resume enable set client-resume-interval 120 set psksecret ***************** set dpd-retryinterval 60 next end
-
Configure the IPsec phase 2 interface:
config vpn ipsec phase2-interface edit "toClient" set phase1name "toClient" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 next end
-
Configure the firewall policy:
config firewall policy edit 1 set srcintf "port2" set dstintf "toClient" set action accept set srcaddr "192.168.5.0" set dstaddr "all" set schedule "always" set service "ALL" next edit 2 set srcintf "toClient" set dstintf "port2" set action accept set srcaddr "all" set dstaddr "192.168.5.0" set schedule "always" set service "ALL" next end
-
-
Check the IPsec phase 1 and phase 2 interface status and the client resume messages:
-
In the following scenario, the client becomes idle or has connectivity issues but resumes within the set 120 second interval:
# diagnose debug application ike -1 ike V=root:0:toClient_0: starting client-resume sleep period 120 sec (1) ike V=root:0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=16,vrf=0,len=632.... ike V=root:0: IKEv2 exchange=SA_INIT id=dfa40e0473d89550/0000000000000000 len=632 ike V=root:0:toClient_0: client has resumed (1) ike 0:toClient_0:10: out 6749C602DDF25B141E24AC649641D2242E2025000000000200000050000000343F9A56C6D16E93E2F5D7BC7F66DC7CBDB3E44EA75F0A87A3238DCC08EE0BF478817EC93DF72EB2B3E027D695FACECF4E ike V=root:0:toClient_0:11:toClient:30: sending SNMP tunnel UP trap ike V=root:0:toClient_0: tunnel up event
-
In the following scenario, the client becomes idle or has connectivity issues but the set 120 second interval expires before it resumes. Therefore, the tunnel is not maintained:
# diagnose debug application ike -1 ike V=root:0:toClient_0:9: sent IKE msg (RETRANSMIT_INFORMATIONAL): 173.1.1.1:500->11.101.1.1:500, len=80, vrf=0, id=e50861aebc1e5b1a/6457ea1e8512148c, oif=16 ike V=root:0:toClient_0: link is idle 16 173.1.1.1->11.101.1.1:0 dpd=1 seqno=2 rr=0 ike V=root:0:toClient_0:9: send IKEv2 DPD probe, seqno 2 ike V=root:0:toClient_0:9: e50861aebc1e5b1a/6457ea1e8512148c retransmission timeout ike V=root:0:toClient_0: starting client-resume sleep period 120 sec (1) ike V=root:0:toClient_0: client-resume sleep period has expired (1) ike V=root:0:toClient_0: going to be deleted ike V=root:0:toClient_0: flushing ike V=root:0:toClient_0: deleting IPsec SA with SPI 30c477cd ike V=root:0:toClient_0:toClient: deleted IPsec SA with SPI 30c477cd, SA count: 0 ike V=toClient_0:0:toClient_0:23: del route 0.0.0.0/0.0.0.0 tunnel 11.101.1.1 oif toClient_0(45) metric 15 priority 1 ike V=root:0:toClient_0: sending SNMP tunnel DOWN trap for toClient ike V=root:0:toClient_0: last dialup SA expired while client sleeping ike V=root:0:toClient_0: flushed
-