Fortinet black logo

Administration Guide

Running speed tests from the hub to the spokes in dial-up IPsec tunnels

In this example, the hub is configured as a VPN dial-up server and both of the spokes are connected to the hub. It is assumed that the VPN configuration is already done, with a dynamic gateway type and kernel device creation (net-device) disabled. Only one SD-WAN interface is used, so there is only one VPN overlay member in the SD-WAN zone. Multiple WAN interfaces and VPN overlays could be used.

The VPN interfaces and IP addresses are:

FortiGate

Interface

IP Address

FGT_A (Hub)

hub-phase1

10.10.100.254

FGT_B (Spoke)

spoke11-p1

10.10.100.2

FGT_D (Spoke)

spoke21-p1

10.10.100.3

A recurring speed test is configured that runs on the hub over the dial-up interfaces. The speed tests are performed over the underlay interface from the hub to the spoke. Each spoke is configured to operate as a speed test server and to allow the speed test to run on its underlay interface. The spokes establish BGP peering with the hub over the VPN interface, and advertises its loopback network to the hub. The specific configuration is only shown for FGT_B.

When the speed test is running, routing through the VPN overlay can be bypassed, and route maps are used to filter the routes that are advertised to peers. The spoke's route map does not advertise any routes to the peer, forcing the hub to use others paths to reach the spoke's network.

When no speed tests are running, the spoke's route map allows its network to be advertised on the hub.

When the speed test is complete, the measured egress bandwidth is dynamically applied to the VPN tunnel on the hub, and the result is cached for future use, in case the tunnel is disconnected and reconnected again.

To configure the hub FortiGate (FGT_A) as the speed-test client:
  1. Configure a shaping profile:

    config firewall shaping-profile
        edit "profile_1"
            config shaping-entries
                edit 1
                    set class-id 2
                    set priority low
                    set guaranteed-bandwidth-percentage 10
                    set maximum-bandwidth-percentage 10
                next
            end
            set default-class-id 2
        next
    end

    Three classes are used in the profile for low, medium, and high priority traffic. Each class is assigned a guaranteed and maximum bandwidth as a percentage of the measured bandwidth from the speed test.

  2. Configure a shaping policy to assign certain traffic as a class ID:

    In this example, all traffic destined to the dialup tunnels are assigned class 3.

    config firewall shaping-policy
        edit 2
            set service "ALL"
            set schedule "always"
            set dstintf "hub-phase1" "hub2-phase1"
            set class-id 3
            set srcaddr "all"
            set dstaddr "all"
        next
    end
  3. Use the shaping profile in the interface:

    config system interface
        edit "hub-phase1"
            set egress-shaping-profile "profile_1"
        next
    end
  4. Configure a schedule to use for the speed tests:

    config firewall schedule recurring
        edit "speedtest_recurring"
            set start 01:00
            set end 23:00
            set day monday tuesday wednesday thursday friday saturday
        next
    end
  5. Configure the speed test schedule:

    The custom controller port used for authentication is set to 6000, and the custom port used to run the speed tests is set to 7000. The shaping profile is set to local.

    config system speed-test-schedule
        edit "hub-phase1"
            set schedules "speedtest_recurring"
            set dynamic-server enable
            set ctrl-port 6000
            set server-port 7000
            set update-shaper remote
        next
    end
To configure the spoke FortiGates (FGT_B) as a speed test server:
  1. Enable a speed test server with custom speed-test listening ports:

    A speed test server is enabled on the hub. Port 7000 will run speed tests, and port 6000 will be the controller used to issue access tokens for speed test authentication.

    config system global
         set speedtest-server enable
         set speedtestd-ctrl-port 6000
         set speedtestd-server-port 7000
    end
  2. Allow speed tests on the underlay:

    config system interface
        edit "port1"
            append allowaccess speed-test
        next
    end
  3. Allow speed tests on the overlay:

    config system interface                
        edit "hub-spoke11-p1" 
            set allowaccess ping speed-test      
            ...
            set interface "port1"
        next
    end
  4. Configure SD-WAN with bypass routing enabled for speed tests on member spoke11-p1:

    config system sdwan
        set speedtest-bypass-routing enable
        config members
            edit 1
                set interface "spoke11-p1"
            next
        end
        config neighbor
            edit "10.10.100.254"
                set member 1
                set mode speedtest
            next
        end
    end
  5. Configure BGP routing:

    config router route-map
        edit "No_Speed-Test"
            config rule
                edit 1
                    set action permit
                next
            end
        next
        edit "Start_Speed-Test"
            config rule
                edit 1
                    set action deny
                next
            end
        next
    end
    config router bgp
        set as 65412
        config neighbor
            edit "10.10.100.254"
                set remote-as 65412
                set route-map-out "Start_Speed-Test"set route-map-out-preferable "No_Speed-Test"
            next
        end
        config network
            edit 1
                set prefix 2.2.2.2 255.255.255.255
            next
            edit 2
                set prefix 10.1.100.0 255.255.255.0
            next
        end
    end

Results

  1. Before the speed test starts, FGT_A can receive the route from FGT_B by BGP:

    # get router info routing-table bgp
    Routing table for VRF=0
    B       2.2.2.2/32 [200/0] via 10.10.100.2 (recursive via 172.16.200.2, hub-phase1), 00:00:10
    B       10.1.100.0/24 [200/0] via 10.10.100.2 (recursive via 172.16.200.2, hub-phase1), 00:00:10
  2. At the scheduled time, the speed test starts for the hub-phase1 interface from hub to spoke:

    # diagnose test application forticron 9
    Speed test schedules:
        Interface     Server     Update    Up/Down-limit (kbps)                Days        H:M     TOS     Schedule
    ---------------------------------------------------------------------------------------------------------------------------
        hub-phase1    dynamic                                                  1111111    14:41    0x00    speedtest_recurring
    Active schedules:
            64002f: hub-phase1(port1) 172.16.200.2     hub-phase1_1 
            64002e: hub-phase1(port1) 172.16.200.4     hub-phase1_0

    The diagnose debug application speedtest -1 command can be used on both the hub and spokes to check the speed test execution.

  3. While the speed test is running, FGT_A does not receive the route from FGT_B by BGP:

    #  get router info routing-table bgp
    Routing table for VRF=0
  4. Speed tests results can be dynamically applied to the dial-up tunnel for egress traffic shaping:

    # diagnose vpn tunnel list
    ------------------------------------------------------
    name=hub-phase1_0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 tun_id=172.16.200.4 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
    ...
    egress traffic control:
            bandwidth=737210(kbps) lock_hit=0 default_class=2 n_active_class=3     
            class-id=2      allocated-bandwidth=73720(kbps)         guaranteed-bandwidth=73720(kbps)
                            max-bandwidth=73720(kbps)       current-bandwidth=0(kbps)
                            priority=low    forwarded_bytes=52
                            dropped_packets=0       dropped_bytes=0
            class-id=3      allocated-bandwidth=221163(kbps)        guaranteed-bandwidth=221162(kbps)
                            max-bandwidth=294883(kbps)      current-bandwidth=0(kbps)
                            priority=medium         forwarded_bytes=0
                            dropped_packets=0       dropped_bytes=0
            class-id=4      allocated-bandwidth=442325(kbps)        guaranteed-bandwidth=147441(kbps)
                            max-bandwidth=442325(kbps)      current-bandwidth=0(kbps)
                            priority=high   forwarded_bytes=0
                            dropped_packets=0       dropped_bytes=0
    ------------------------------------------------------
    name=hub-phase1_1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 tun_id=172.16.200.2 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
    ...
    egress traffic control:
            bandwidth=726813(kbps) lock_hit=0 default_class=2 n_active_class=3  
            class-id=2      allocated-bandwidth=72681(kbps)         guaranteed-bandwidth=72681(kbps)              
                            max-bandwidth=72681(kbps)       current-bandwidth=0(kbps)
                            priority=low    forwarded_bytes=123
                            dropped_packets=0       dropped_bytes=0
            class-id=3      allocated-bandwidth=218044(kbps)        guaranteed-bandwidth=218043(kbps)
                            max-bandwidth=290725(kbps)      current-bandwidth=0(kbps)
                            priority=medium         forwarded_bytes=0
                            dropped_packets=0       dropped_bytes=0
            class-id=4      allocated-bandwidth=436087(kbps)        guaranteed-bandwidth=145362(kbps)
                            max-bandwidth=436087(kbps)      current-bandwidth=0(kbps)
                            priority=high   forwarded_bytes=0
                            dropped_packets=0       dropped_bytes=0
  5. Speed test results can be cached, indexed, and written to disk:

    # diagnose test application forticron 10
    Speed test results:
    1: vdom=root, phase1intf=hub-phase1, peer-id='spoke11-p1', bandwidth=737210, last_log=1624226603
    2: vdom=root, phase1intf=hub-phase1, peer-id='spoke21-p1', bandwidth=726813, last_log=1624226614
    
    # diagnose test application forticron 11
    Write 2 logs to disk.
    
    # diagnose test application forticron 12
    load 2 results.

    Disable then reenable the IPsec VPN tunnel and the cached speed test results can be applied to the tunnel again:

    # diagnose vpn tunnel list
    ------------------------------------------------------
    name=hub-phase1_0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 tun_id=172.16.200.4 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
    ...
    egress traffic control:
            bandwidth=737210(kbps) lock_hit=0 default_class=2 n_active_class=3
    ------------------------------------------------------
    name=hub-phase1_1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 tun_id=172.16.200.2 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
    ...
    egress traffic control:
            bandwidth=726813(kbps) lock_hit=0 default_class=2 n_active_class=3

In this example, the hub is configured as a VPN dial-up server and both of the spokes are connected to the hub. It is assumed that the VPN configuration is already done, with a dynamic gateway type and kernel device creation (net-device) disabled. Only one SD-WAN interface is used, so there is only one VPN overlay member in the SD-WAN zone. Multiple WAN interfaces and VPN overlays could be used.

The VPN interfaces and IP addresses are:

FortiGate

Interface

IP Address

FGT_A (Hub)

hub-phase1

10.10.100.254

FGT_B (Spoke)

spoke11-p1

10.10.100.2

FGT_D (Spoke)

spoke21-p1

10.10.100.3

A recurring speed test is configured that runs on the hub over the dial-up interfaces. The speed tests are performed over the underlay interface from the hub to the spoke. Each spoke is configured to operate as a speed test server and to allow the speed test to run on its underlay interface. The spokes establish BGP peering with the hub over the VPN interface, and advertises its loopback network to the hub. The specific configuration is only shown for FGT_B.

When the speed test is running, routing through the VPN overlay can be bypassed, and route maps are used to filter the routes that are advertised to peers. The spoke's route map does not advertise any routes to the peer, forcing the hub to use others paths to reach the spoke's network.

When no speed tests are running, the spoke's route map allows its network to be advertised on the hub.

When the speed test is complete, the measured egress bandwidth is dynamically applied to the VPN tunnel on the hub, and the result is cached for future use, in case the tunnel is disconnected and reconnected again.

To configure the hub FortiGate (FGT_A) as the speed-test client:
  1. Configure a shaping profile:

    config firewall shaping-profile
        edit "profile_1"
            config shaping-entries
                edit 1
                    set class-id 2
                    set priority low
                    set guaranteed-bandwidth-percentage 10
                    set maximum-bandwidth-percentage 10
                next
            end
            set default-class-id 2
        next
    end

    Three classes are used in the profile for low, medium, and high priority traffic. Each class is assigned a guaranteed and maximum bandwidth as a percentage of the measured bandwidth from the speed test.

  2. Configure a shaping policy to assign certain traffic as a class ID:

    In this example, all traffic destined to the dialup tunnels are assigned class 3.

    config firewall shaping-policy
        edit 2
            set service "ALL"
            set schedule "always"
            set dstintf "hub-phase1" "hub2-phase1"
            set class-id 3
            set srcaddr "all"
            set dstaddr "all"
        next
    end
  3. Use the shaping profile in the interface:

    config system interface
        edit "hub-phase1"
            set egress-shaping-profile "profile_1"
        next
    end
  4. Configure a schedule to use for the speed tests:

    config firewall schedule recurring
        edit "speedtest_recurring"
            set start 01:00
            set end 23:00
            set day monday tuesday wednesday thursday friday saturday
        next
    end
  5. Configure the speed test schedule:

    The custom controller port used for authentication is set to 6000, and the custom port used to run the speed tests is set to 7000. The shaping profile is set to local.

    config system speed-test-schedule
        edit "hub-phase1"
            set schedules "speedtest_recurring"
            set dynamic-server enable
            set ctrl-port 6000
            set server-port 7000
            set update-shaper remote
        next
    end
To configure the spoke FortiGates (FGT_B) as a speed test server:
  1. Enable a speed test server with custom speed-test listening ports:

    A speed test server is enabled on the hub. Port 7000 will run speed tests, and port 6000 will be the controller used to issue access tokens for speed test authentication.

    config system global
         set speedtest-server enable
         set speedtestd-ctrl-port 6000
         set speedtestd-server-port 7000
    end
  2. Allow speed tests on the underlay:

    config system interface
        edit "port1"
            append allowaccess speed-test
        next
    end
  3. Allow speed tests on the overlay:

    config system interface                
        edit "hub-spoke11-p1" 
            set allowaccess ping speed-test      
            ...
            set interface "port1"
        next
    end
  4. Configure SD-WAN with bypass routing enabled for speed tests on member spoke11-p1:

    config system sdwan
        set speedtest-bypass-routing enable
        config members
            edit 1
                set interface "spoke11-p1"
            next
        end
        config neighbor
            edit "10.10.100.254"
                set member 1
                set mode speedtest
            next
        end
    end
  5. Configure BGP routing:

    config router route-map
        edit "No_Speed-Test"
            config rule
                edit 1
                    set action permit
                next
            end
        next
        edit "Start_Speed-Test"
            config rule
                edit 1
                    set action deny
                next
            end
        next
    end
    config router bgp
        set as 65412
        config neighbor
            edit "10.10.100.254"
                set remote-as 65412
                set route-map-out "Start_Speed-Test"set route-map-out-preferable "No_Speed-Test"
            next
        end
        config network
            edit 1
                set prefix 2.2.2.2 255.255.255.255
            next
            edit 2
                set prefix 10.1.100.0 255.255.255.0
            next
        end
    end

Results

  1. Before the speed test starts, FGT_A can receive the route from FGT_B by BGP:

    # get router info routing-table bgp
    Routing table for VRF=0
    B       2.2.2.2/32 [200/0] via 10.10.100.2 (recursive via 172.16.200.2, hub-phase1), 00:00:10
    B       10.1.100.0/24 [200/0] via 10.10.100.2 (recursive via 172.16.200.2, hub-phase1), 00:00:10
  2. At the scheduled time, the speed test starts for the hub-phase1 interface from hub to spoke:

    # diagnose test application forticron 9
    Speed test schedules:
        Interface     Server     Update    Up/Down-limit (kbps)                Days        H:M     TOS     Schedule
    ---------------------------------------------------------------------------------------------------------------------------
        hub-phase1    dynamic                                                  1111111    14:41    0x00    speedtest_recurring
    Active schedules:
            64002f: hub-phase1(port1) 172.16.200.2     hub-phase1_1 
            64002e: hub-phase1(port1) 172.16.200.4     hub-phase1_0

    The diagnose debug application speedtest -1 command can be used on both the hub and spokes to check the speed test execution.

  3. While the speed test is running, FGT_A does not receive the route from FGT_B by BGP:

    #  get router info routing-table bgp
    Routing table for VRF=0
  4. Speed tests results can be dynamically applied to the dial-up tunnel for egress traffic shaping:

    # diagnose vpn tunnel list
    ------------------------------------------------------
    name=hub-phase1_0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 tun_id=172.16.200.4 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
    ...
    egress traffic control:
            bandwidth=737210(kbps) lock_hit=0 default_class=2 n_active_class=3     
            class-id=2      allocated-bandwidth=73720(kbps)         guaranteed-bandwidth=73720(kbps)
                            max-bandwidth=73720(kbps)       current-bandwidth=0(kbps)
                            priority=low    forwarded_bytes=52
                            dropped_packets=0       dropped_bytes=0
            class-id=3      allocated-bandwidth=221163(kbps)        guaranteed-bandwidth=221162(kbps)
                            max-bandwidth=294883(kbps)      current-bandwidth=0(kbps)
                            priority=medium         forwarded_bytes=0
                            dropped_packets=0       dropped_bytes=0
            class-id=4      allocated-bandwidth=442325(kbps)        guaranteed-bandwidth=147441(kbps)
                            max-bandwidth=442325(kbps)      current-bandwidth=0(kbps)
                            priority=high   forwarded_bytes=0
                            dropped_packets=0       dropped_bytes=0
    ------------------------------------------------------
    name=hub-phase1_1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 tun_id=172.16.200.2 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
    ...
    egress traffic control:
            bandwidth=726813(kbps) lock_hit=0 default_class=2 n_active_class=3  
            class-id=2      allocated-bandwidth=72681(kbps)         guaranteed-bandwidth=72681(kbps)              
                            max-bandwidth=72681(kbps)       current-bandwidth=0(kbps)
                            priority=low    forwarded_bytes=123
                            dropped_packets=0       dropped_bytes=0
            class-id=3      allocated-bandwidth=218044(kbps)        guaranteed-bandwidth=218043(kbps)
                            max-bandwidth=290725(kbps)      current-bandwidth=0(kbps)
                            priority=medium         forwarded_bytes=0
                            dropped_packets=0       dropped_bytes=0
            class-id=4      allocated-bandwidth=436087(kbps)        guaranteed-bandwidth=145362(kbps)
                            max-bandwidth=436087(kbps)      current-bandwidth=0(kbps)
                            priority=high   forwarded_bytes=0
                            dropped_packets=0       dropped_bytes=0
  5. Speed test results can be cached, indexed, and written to disk:

    # diagnose test application forticron 10
    Speed test results:
    1: vdom=root, phase1intf=hub-phase1, peer-id='spoke11-p1', bandwidth=737210, last_log=1624226603
    2: vdom=root, phase1intf=hub-phase1, peer-id='spoke21-p1', bandwidth=726813, last_log=1624226614
    
    # diagnose test application forticron 11
    Write 2 logs to disk.
    
    # diagnose test application forticron 12
    load 2 results.

    Disable then reenable the IPsec VPN tunnel and the cached speed test results can be applied to the tunnel again:

    # diagnose vpn tunnel list
    ------------------------------------------------------
    name=hub-phase1_0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 tun_id=172.16.200.4 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
    ...
    egress traffic control:
            bandwidth=737210(kbps) lock_hit=0 default_class=2 n_active_class=3
    ------------------------------------------------------
    name=hub-phase1_1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 tun_id=172.16.200.2 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
    ...
    egress traffic control:
            bandwidth=726813(kbps) lock_hit=0 default_class=2 n_active_class=3