FortiOS - Net Device - Version 2020 10 28
New route-based IPsec logic (“set net-device disable”)

Stéphane HAMELIN – Support Engineering Team

© Copyright Fortinet Inc. All rights reserved.


Latest version of this document is available at:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD41498

Change Log

Date        Author      Changes
2020-10-28  S. Hamelin  Added slide for the ipv4 route tree
                        Updated the “Upgrade” slide and added a “Restriction” slide
                        As of FortiOS 6.4/6.2.2, tunnel overlay IPs can be provisioned with IKE mode-config
                        As of FortiOS 6.4.3/6.2.6, the tunnel name maximum length is extended
2019-08-23  S. Hamelin  As of FortiOS 6.2.0, “net-device” also applies to static phase1
                        Document renamed from “New IPsec dialup logic” to “New route-based IPsec logic”
2019-04-08  S. Hamelin  NATed Spokes are supported with OSPF only as of FortiOS 6.2/6.0.5
                        IKE route overlap between dialup tunnels is not supported
2018-06-29  S. Hamelin  Initial version for Fortinet NSE Xperts Academy event
New route-based IPsec logic (‘set net-device disable’)
Overview

IPsec dialup
▪ “net-device” for route-based IPsec dialup tunnels
  » As of FortiOS 6.0 & 5.6.3 a new behavior is implemented for routing traffic to IPsec dialup tunnels
  » This behavior is controlled by new CLI settings

Hub configuration (route-based, a.k.a. interface-mode; * marks the default value):
    config vpn ipsec phase1-interface
        edit toSpokes
            set type dynamic
            set net-device { disable* | enable }
            set tunnel-search { selectors* | nexthop }      (new)
            ( ... )
    end
IPsec static
▪ “net-device” for route-based IPsec static tunnels
  » As of 6.2.0, it allows an IPsec tunnel to be defined as a member of an IPsec aggregate
    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/779544/ipsec-aggregate-to-achieve-redundancy-and-traffic-load-balancing
    config vpn ipsec phase1-interface
        edit <name>
            set type static
            set net-device disable
            set aggregate-member enable
            ( ... )
    end
  » As of 6.2.1, similar to dialup IPsec tunnels, it provides a new behavior for routing traffic to ADVPN shortcuts
    https://kb.fortinet.com/kb/documentLink.do?externalID=FD39360
    config vpn ipsec phase1-interface
        edit toAdvpnHub
            set type static
            set net-device disable
            set tunnel-search { selectors* | nexthop }
            ( ... )
    end
Historical IPsec dialup behavior
▪ A dialup tunnel is created for each successful dial-in negotiation
  Hub IKE debug (FortiOS 5.6.2):
    ike 0:Spoke: adding new dynamic tunnel for 198.51.100.4:500
    ike 0:Spoke_3: added new dynamic tunnel for 198.51.100.4:500
    ike 0:Spoke_3:4: established IKE SA 5dbf5f1070224f9f/19b1a0df8498e2fe

▪ Tunnel name = phase1Name_index
    Hub # diag vpn tunnel list name Spoke_3
    list ipsec tunnel by names in vd 0
    ------------------------------------------------------
    name=Spoke_3 ver=1 serial=6 198.51.100.1:0->198.51.100.4:0
    bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/0
    parent=Spoke index=3
    (...)
Historical IPsec dialup behavior (cont.)
▪ A dynamic interface is created for each dialup tunnel
    Hub # diag netlink interface list | grep "Spoke_"
    if=Spoke_0 family=00 type=768 index=22 mtu=1438 link=16 master=0
    if=Spoke_1 family=00 type=768 index=23 mtu=1438 link=16 master=0
    if=Spoke_2 family=00 type=768 index=24 mtu=1438 link=16 master=0
    if=Spoke_3 family=00 type=768 index=26 mtu=1438 link=16 master=0

▪ Networks accessible over dialup tunnels are bound to the corresponding tunnel interfaces
    Hub # get router info routing-table bgp
    B 192.168.2.0/24 [200/0] via 10.10.10.2, Spoke_0, 00:06:08
    B 192.168.3.0/24 [200/0] via 10.10.10.3, Spoke_1, 00:06:05
    B 192.168.4.0/24 [200/0] via 10.10.10.4, Spoke_3, 00:06:03
    B 192.168.5.0/24 [200/0] via 10.10.10.5, Spoke_2, 00:06:04
Historical IPsec dialup behavior (cont.)
▪ Packets forwarded to dialup IPsec interface Spoke_3:
    B 192.168.4.0/24 [200/0] via 10.10.10.4, Spoke_3, 00:06:03
  » When a cleartext packet is sent to the Spoke_3 interface, it is actually sent to the IPsec engine
  » The IPsec engine protects the cleartext packet with the IPsec Security Association of tunnel Spoke_3
Historical IPsec dialup behavior (cont.)
▪ Packets forwarded to dialup IPsec interface Spoke_3 (cont.):
  Hub (FortiOS 5.6.2):
    Hub # diag vpn tunnel list name Spoke_3
    list ipsec tunnel by names in vd 0
    ------------------------------------------------------
    name=Spoke_3 ver=1 serial=6 198.51.100.1:0->198.51.100.4:0
    bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/0
    parent=Spoke index=3
    proxyid_num=1 child_num=0 refcnt=23 ilast=0 olast=0 ad=s/1 itn-status=66
    stat: rxp=183 txp=201 rxb=23416 txb=12332
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=Spoke proto=0 sa=1 ref=2 serial=1 ads
      src: 0:0.0.0.0-255.255.255.255:0
      dst: 0:0.0.0.0-255.255.255.255:0
      SA: ref=3 options=a26 type=00 soft=0 mtu=1438 expire=42456/0B replaywin=2048
          seqno=ca esn=0 replaywin_lastseq=000000b8 itn=0
      life: type=01 bytes=0/0 timeout=43190/43200
      dec: spi=a5a66993 esp=aes key=16 ec4c191fd5fc083891b57cfadc1d9516
           ah=sha1 key=20 2b190c304452b488c389a1c532f7e32ada965d25
      enc: spi=c686831a esp=aes key=16 bd6dc3872321d69154c73fdea0e21e09
           ah=sha1 key=20 c5944f9ff812e49d68c99ba2020ad12213553a93
      dec:pkts/bytes=183/11222, enc:pkts/bytes=201/25736
  » Finally, an IPsec packet (ESP) is sent on the wire
New IPsec dialup behavior
▪ Default settings as of 6.0 & 5.6.3:
  Hub configuration:
    config vpn ipsec phase1-interface
        edit Spoke
            set type dynamic
            set net-device disable
            set tunnel-search selectors
            ( ... )
    end

▪ Configuration required for dynamic routing over IPsec dialup:
    config vpn ipsec phase1-interface
        edit Spoke
            set tunnel-search nexthop
    end
New IPsec dialup behavior (cont.)
▪ A dialup tunnel is created for each successful dial-in negotiation
  Hub IKE debug (FortiOS 5.6.4):
    ike 0:Spoke: adding new dynamic tunnel for 198.51.100.4:500
    ike 0:Spoke_3: added new dynamic tunnel for 198.51.100.4:500
    ike 0:Spoke_3:6: established IKE SA 2514224dd6d96aa2/86d700f4961b14e8

▪ Tunnel name = phase1Name_index
    Hub # diag vpn tunnel list name Spoke_3
    list ipsec tunnel by names in vd 0
    ------------------------------------------------------
    name=Spoke_3 ver=1 serial=8 198.51.100.1:0->198.51.100.4:0
    bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/320
    options[0140]=search-nexthop rgwy_chg
    parent=Spoke index=3
    (...)
New IPsec dialup behavior (cont.)
▪ No dynamic interface is created
    Hub # diag netlink interface list | grep "Spoke_"
    Hub #
  » net-device disable means “do not create interfaces (i.e., network devices)”

▪ Networks accessible over dialup tunnels are all bound to the same shared (phase1) interface
    Hub # get router info routing-table bgp
    B 192.168.2.0/24 [200/0] via 10.10.10.2, Spoke, 01:04:49
    B 192.168.3.0/24 [200/0] via 10.10.10.3, Spoke, 01:04:47
    B 192.168.4.0/24 [200/0] via 10.10.10.4, Spoke, 00:35:01
    B 192.168.5.0/24 [200/0] via 10.10.10.5, Spoke, 01:04:51
New IPsec dialup behavior (cont.)
▪ Packets forwarded to shared interface Spoke
    B 192.168.4.0/24 [200/0] via 10.10.10.4, Spoke, 00:35:01
  » When a cleartext packet is sent to Spoke, it is sent to the IPsec engine
  » The IPsec engine must find out which tunnel’s IPsec Security Association is to be used for protecting this packet
  » The search logic is controlled by this setting:
    config vpn ipsec phase1-interface
        edit Spoke
            set type dynamic
            set net-device disable
            set tunnel-search { selectors* | nexthop }
            ( ... )
    end
New IPsec dialup behavior (cont.)

set tunnel-search selectors
  • This is the default setting
  • To be used when IPsec routes are learned from the Traffic Selectors of the IPsec SA negotiation
  • These routes are called IKE routes (diag vpn ike route list)
  • This IPsec routing mechanism is also referred to as reverse-route injection (RRI)

set tunnel-search nexthop
  • To be used when IPsec routes are learned from a dynamic routing protocol
New IPsec dialup behavior (cont.)
▪ Packets forwarded to shared interface Spoke (cont.):
  » The IPsec engine checks the search method associated to Spoke
    Hub # diag vpn tunnel list name Spoke
    list ipsec tunnel by names in vd 0
    ------------------------------------------------------
    name=Spoke ver=1 serial=1 198.51.100.1:0->0.0.0.0:0
    bound_if=4 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/64 options[0040]=search-nexthop
    proxyid_num=0 child_num=4 refcnt=26 ilast=4159 olast=4159 ad=/0 itn-status=7b
    stat: rxp=0 txp=0 rxb=0 txb=0
    dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    run_tally=4
    ipv4 route tree:
    10.10.10.2 2
    10.10.10.3 0
    10.10.10.4 3
    10.10.10.5 1
    198.51.100.2 2
    198.51.100.3 0
    198.51.100.4 3
    198.51.100.5 1
New IPsec dialup behavior (cont.)
▪ Packets forwarded to shared interface Spoke (cont.):
  » Then it searches the tunnel index associated to next-hop 10.10.10.4
    Hub # diag vpn tunnel list name Spoke
    list ipsec tunnel by names in vd 0
    ------------------------------------------------------
    name=Spoke ver=1 serial=1 198.51.100.1:0->0.0.0.0:0
    bound_if=4 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/64 options[0040]=search-nexthop
    proxyid_num=0 child_num=4 refcnt=26 ilast=4159 olast=4159 ad=/0 itn-status=7b
    stat: rxp=0 txp=0 rxb=0 txb=0
    dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    run_tally=4
    ipv4 route tree:
    10.10.10.2 2
    10.10.10.3 0
    10.10.10.4 3        (Next-Hop 10.10.10.4 → tunnel index 3 → Spoke_3)
    10.10.10.5 1
    198.51.100.2 2
    198.51.100.3 0
    198.51.100.4 3
    198.51.100.5 1
New IPsec dialup behavior (cont.)
▪ Packets forwarded to shared interface Spoke (cont.):
  » The cleartext packet is protected with the IPsec SA of tunnel Spoke_3
  Hub (FortiOS 5.6.4):
    Hub # diag vpn tunnel list name Spoke_3
    list ipsec tunnel by names in vd 0
    ------------------------------------------------------
    name=Spoke_3 ver=1 serial=8 198.51.100.1:0->198.51.100.4:0
    bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/320 options[0140]=search-nexthop rgwy_chg
    parent=Spoke index=3
    proxyid_num=1 child_num=0 refcnt=9 ilast=4 olast=4 ad=s/1 itn-status=7b
    stat: rxp=5049 txp=5047 rxb=766344 txb=423108
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=Spoke proto=0 sa=1 ref=2 serial=1 ads
      src: 0:0.0.0.0-255.255.255.255:0
      dst: 0:0.0.0.0-255.255.255.255:0
      SA: ref=3 options=a26 type=00 soft=0 mtu=1438 expire=43021/0B replaywin=2048
          seqno=13b8 esn=0 replaywin_lastseq=000013ba itn=0
      life: type=01 bytes=0/0 timeout=43189/43200
      dec: spi=b37926ce esp=aes key=16 63bc7bacf80a7b2c1b1494b0987281b3
           ah=sha1 key=20 3219e7b18950c93d3dc4a933141e963a8387dfec
      enc: spi=aceb1971 esp=aes key=16 850e90ebfa7a3f0b6376128c8433e1d5
           ah=sha1 key=20 082539de75376de4ed16486acd96ae0f7d3c88e5
      dec:pkts/bytes=5049/423083, enc:pkts/bytes=5047/766232
  » Finally, an IPsec packet (ESP) is sent on the wire
New IPsec dialup behavior (cont.)
▪ The IPv4 route tree
  » Lists all overlay next-hop IPs and associated tunnel indexes
  » Lists all underlay IPsec tunnel endpoint IPs and associated tunnel indexes
    Hub # diag vpn tunnel list name Spoke
    list ipsec tunnel by names in vd 0
    -------------------------------------------
    name=Spoke ver=1 serial=1 198.51.100.1:0->…
    (…truncated…)
    run_tally=4
    ipv4 route tree:
    10.10.10.2 2
    10.10.10.3 0        (overlay next-hops → tunnel indexes)
    10.10.10.4 3
    10.10.10.5 1
    198.51.100.2 2
    198.51.100.3 0      (underlay IPsec tunnel endpoints → tunnel indexes)
    198.51.100.4 3
    198.51.100.5 1
  » The overlay next-hops are automatically learned by the Hub during tunnel negotiation, because the Hub and the Spokes are configured with:
    “set exchange-interface-ip enable”
    or with “set auto-discovery-receiver enable” [Spoke] and “set auto-discovery-sender enable” [Hub]
    or with “set mode-cfg enable”
Slow-Path (session setup), dst-ip = 192.168.4.1

HISTORICAL (net-device enable, dedicated interface per dialer):
  1. FIB lookup: egress interface = Spoke_3
  2. A policy is matched & a session is created
  3. Protect cleartext packet with Spoke_3’s IPsec SA
  4. ESP packet sent to 198.51.100.4

NEW (net-device disable, shared interface per phase1):
  1. FIB lookup: egress interface = Spoke, Next-Hop = 10.10.10.4
  2. A policy is matched & a session is created
  3. tunnel-search method for Spoke:
     » nexthop: next-hop 10.10.10.4 is associated to the tunnel with index n°3
     » selectors: 192.168.4.1 matches the selectors of the tunnel with index n°3
  4. Protect cleartext packet with Spoke_3’s IPsec SA
  5. ESP packet sent to 198.51.100.4
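The lookup described on the tunnel-search, route-tree and slow-path slides, as an added Python model (this is example code, not Fortinet’s or the author’s): a shared phase1 keeps a route tree and returns the tunnel instance (phase1name_index) whose IPsec SA protects a packet, either from the FIB next-hop (tunnel-search nexthop) or from the packet’s destination matched against the Spokes’ selectors (tunnel-search selectors). The class and function names are this example’s own, and the tree contents are constructed to match the slides’ outputs. In selectors mode it also refuses an overlapping selector, since IKE route overlap is not supported with net-device disable.

```python
# Added example (not Fortinet code): a model of how the FortiOS IPsec engine picks a
# dial-in tunnel instance behind a shared phase1 interface ('set net-device disable').
# The route-tree contents are constructed to match the slides' "ipv4 route tree" outputs;
# the class and function names are this example's own.
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Optional


class SharedPhase1:
    """A dialup phase1 with net-device disable: one shared interface, and one
    tunnel instance named <phase1>_<index> per successful dial-in negotiation."""

    def __init__(self, name: str, tunnel_search: str) -> None:
        if tunnel_search not in ("selectors", "nexthop"):
            raise ValueError("tunnel-search must be 'selectors' or 'nexthop'")
        self.name = name
        self.tunnel_search = tunnel_search
        # nexthop mode: overlay next-hop IPs and underlay endpoint IPs -> tunnel index
        self.nexthop_tree: Dict[IPv4Address, int] = {}
        # selectors mode: remote traffic selector (IKE route) -> tunnel index
        self.selector_tree: Dict[IPv4Network, int] = {}

    def add_dialer(self, index: int, overlay_ip: str = "", underlay_ip: str = "",
                   selector: str = "") -> None:
        """Register a dial-in ('added new dynamic tunnel') in the route tree."""
        if self.tunnel_search == "nexthop":
            # Overlay IPs are learned via exchange-interface-ip, auto-discovery or mode-cfg
            self.nexthop_tree[ip_address(overlay_ip)] = index
            self.nexthop_tree[ip_address(underlay_ip)] = index
            return
        net = ip_network(selector)
        # IKE route overlap between dialup tunnels is not supported with net-device disable
        for existing in self.selector_tree:
            if net.overlaps(existing):
                raise ValueError(f"selector {net} overlaps {existing}")
        self.selector_tree[net] = index

    def select_tunnel(self, dst_ip: str, next_hop: Optional[str] = None) -> Optional[str]:
        """Return the tunnel instance whose IPsec SA will protect the packet, or None."""
        if self.tunnel_search == "nexthop":
            # The FIB supplied the next-hop of the matched route; look it up directly
            index = self.nexthop_tree.get(ip_address(next_hop)) if next_hop else None
        else:
            # Selectors never overlap here, so at most one entry can contain dst_ip
            dst = ip_address(dst_ip)
            index = next((i for n, i in self.selector_tree.items() if dst in n), None)
        return None if index is None else f"{self.name}_{index}"


def build_nexthop_hub() -> SharedPhase1:
    """Hub phase1 'Spoke' with tunnel-search nexthop (constructed from the route-tree slide)."""
    hub = SharedPhase1("Spoke", "nexthop")
    dialers = {2: ("10.10.10.2", "198.51.100.2"), 0: ("10.10.10.3", "198.51.100.3"),
               3: ("10.10.10.4", "198.51.100.4"), 1: ("10.10.10.5", "198.51.100.5")}
    for index, (overlay, underlay) in dialers.items():
        hub.add_dialer(index, overlay_ip=overlay, underlay_ip=underlay)
    return hub


def build_selectors_hub() -> SharedPhase1:
    """Hub phase1 'toSpokes' with tunnel-search selectors (constructed from the RRI slides)."""
    hub = SharedPhase1("toSpokes", "selectors")
    for index, selector in {3: "192.168.2.0/24", 0: "192.168.3.0/24",
                            2: "192.168.4.0/24", 1: "192.168.5.0/24"}.items():
        hub.add_dialer(index, selector=selector)
    return hub


if __name__ == "__main__":
    # Slow-path walk-through: dst-ip 192.168.4.1, FIB next-hop 10.10.10.4 via 'Spoke'
    print(build_nexthop_hub().select_tunnel("192.168.4.1", next_hop="10.10.10.4"))  # Spoke_3
    print(build_selectors_hub().select_tunnel("192.168.2.10"))  # toSpokes_3
```

In nexthop mode the destination address is irrelevant and only the route’s next-hop decides the tunnel, which is why a BGP or OSPF route whose next-hop is not in the tree (a Spoke that did not announce its overlay IP) yields no tunnel and the packet cannot be protected.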
Why this new IPsec dialup behavior?
▪ A major kernel upgrade was done between FortiOS 5.2 and 5.4
  » The new kernel provides reduced latency for session processing, which comes with a cost:
    ▪ interface creation is slower (→ lower tunnel setup rate)
    ▪ interface deletion is slower (→ lower tunnel tear-down rate)

▪ net-device disable does not create dynamic interfaces, which:
  » Provides a tunnel setup/teardown rate close to policy-based VPNs
  » Eliminates some complexities or limitations, e.g.:
    ▪ Assignment of an IP address to a dynamic interface
    ▪ Policy-routing towards a dynamic interface
    ▪ Inheritance of all the parent interface’s settings (MTU, …) by a dynamic interface
IPsec VPN (timeline: FortiOS 2.8 → 3.0 → 5.6.3 / 6.0)

▪ Site to Site: static phase1 (set type static)
▪ Remote Access: dialup phase1 (set type dynamic)

▪ Policy-based (config vpn ipsec phase1): no interface
▪ Route-based / interface-based (config vpn ipsec phase1-interface), as of 3.0:
  » Up to 5.4 & 5.6.0/5.6.1/5.6.2 (net-device enable): dedicated interface per dialer
  » As of 5.6.3 & 6.0 (set net-device disable): shared interface per phase1
FortiOS dialup interfaces
▪ IPsec and SSL VPNs
  FortiOS dialup tunnel interfaces:
  » IPsec VPN, net-device enable: dedicated interface per dialer
  » IPsec VPN, net-device disable: shared interface per phase1
  » SSL VPN: shared interface per vdom
Upgrade
When upgrading from a FortiOS version which does not have the “net-device” setting, “set net-device enable” is added to all dialup phase1.

This is done to retain the former dialup behavior of creating a dynamic interface for each dialer.

However, for stability reasons, it is strongly recommended to switch to using the new dialup behavior with “set net-device disable”.
Restrictions for “net-device disable” with IKE routes
The subnets protected by the Spokes are learned from the traffic selectors of the IPsec SA negotiation.

▪ Up to FortiOS 6.2.0: the Hub can learn a given subnet only once
  » Not supported: Spoke-A and Spoke-B both announcing “I’m protecting 192.168.2.0/24” to the same HUB phase1
  » Not supported: Spoke-A announcing “I’m protecting 192.168.2.0/24” more than once to the same HUB phase1
  » Not supported: Spoke-A and Spoke-B announcing “I’m protecting 192.168.2.0/24” to two different HUB phase1

▪ As of FortiOS 6.2.1: the Hub can learn a given subnet once per phase1
  » Not supported: Spoke-A and Spoke-B both announcing “I’m protecting 192.168.2.0/24” to the same HUB phase1
  » Not supported: Spoke-A announcing “I’m protecting 192.168.2.0/24” more than once to the same HUB phase1
  » Supported: Spoke-A and Spoke-B announcing “I’m protecting 192.168.2.0/24” to two different HUB phase1
Tunnel name maximum length
▪ Tunnel name = phase1name_index
  Each dialup tunnel instance has a unique name made of:
  » The name of the phase1
  » An arbitrary index
    Hub # diag vpn tunnel list name Spoke_3
    list ipsec tunnel by names in vd 0
    -----------------------------------------------
    name=Spoke_3 ver=1 serial=8 198.51.100.1:0->...
    bound_if=4 lgwy=static/1 tun=intf/0 ...
    parent=Spoke index=3
    (...)

▪ Up to 6.4.2/6.2.5, the tunnel name (phase1name_index) limit is 15 characters
  » The length of the phase1 name directly influences the maximum number of concurrent tunnels
    E.g., with a phase1 name of “spn3-inetBB” (11 characters), only 3 characters remain for the index itself, which limits the index range to [0-999] (spn3-inetBB_XXX): the maximum number of concurrent dialup tunnels is limited to 1000

▪ As of 6.4.3/6.2.6, the tunnel name (phase1name_index) limit is 35 characters
  » The phase1 name limit is 15 characters
  » Followed by “_” and the index, for a total length up to 35 characters
New IPsec dialup logic
With BGP

Overlay IPs
Overlay IPs of the Spokes (10.10.10.x) can be provisioned in two ways:

[Diagram: Hub “Paris” (LAN 192.168.1.0/24, overlay 10.10.10.1 on interface toSpokes, tunnel instances toSpokes_0 / toSpokes_1) reaches Spokes France02 (overlay 10.10.10.2, LAN 192.168.2.0/24) and France03 (overlay 10.10.10.3, LAN 192.168.3.0/24) across ISP1 198.51.100.0/24; overlay subnet 10.10.10.0/24]

▪ Manually on each Spoke
  HUB:
    config system interface
        edit "toSpokes"
            set ip 10.10.10.1/32
            set remote-ip 10.10.10.254/24
        next
    end
  Spoke:
    config system interface
        edit "toHub"
            set ip 10.10.10.2/32
            set remote-ip 10.10.10.1/24
        next
    end

▪ Automatically from the Hub using IKE mode-config as of FOS 6.2.2
  HUB:
    config system interface
        edit "toSpokes"
            set ip 10.10.10.1/32
            set remote-ip 10.10.10.254/24
        next
    end
    config vpn ipsec phase1-interface
        edit "toSpokes"
            set mode-cfg enable
            set ipv4-start-ip 10.10.10.2
            set ipv4-end-ip 10.10.10.253
            set ipv4-netmask 255.255.255.0
        next
    end
  Spoke:
    config system interface
        edit "toHub"
            < do not configure an IP here >
        next
    end
    config vpn ipsec phase1-interface
        edit "toHub"
            set mode-cfg enable
        next
    end
Hub IPsec configuration

[Diagram: Hub (LAN 192.168.1.0/24, interface toSpokes 10.10.10.1/24) reaches Spoke02 (toHub 10.10.10.2/24, LAN 192.168.2.0/24) and Spoke03 (toHub 10.10.10.3/24, LAN 192.168.3.0/24) across isp1 198.51.100.0/24; overlay subnet 10.10.10.0/24]

    config vpn ipsec phase1-interface
        edit "toSpokes"
            set type dynamic
            set net-device disable
            set tunnel-search nexthop
            set interface "wan"
            set proposal aes128-sha1
            set add-route disable
            set exchange-interface-ip enable
            set auto-discovery-sender enable
            set psksecret xxxxxxxx
        next
    end
    config vpn ipsec phase2-interface
        edit "toSpokes"
            set phase1name "toSpokes"
            set proposal aes128-sha1
        next
    end
    config system interface
        edit "toSpokes"
            set ip 10.10.10.1/32
            set remote-ip 10.10.10.254/24
        next
    end

net-device disable
  Default setting for dialup phase1 as of FortiOS 6.0 & 5.6.3. A dedicated interface is no longer created for each dialer; “toSpokes” is used as a shared interface.

tunnel-search nexthop
  The next-hop IP of the route matched by a packet is used to decide into which tunnel the packet must be sent.
  In FortiOS 5.6.3 & 5.6.4, the net-device and tunnel-search settings cannot be modified after the phase1 was created. This limitation is removed in FortiOS 6.0 and as of FortiOS 5.6.5.

add-route disable
  Dynamic routing is used for learning the Spokes’ protected subnets.

set ip 10.10.10.1/32 / set remote-ip 10.10.10.254/24
  The overlay IPs of all Hub & Spoke participants are in the same subnet. The mask for the local IP can only be /32, so the mask for the overlay subnet must be specified in ‘remote-ip’. The remote-ip is an unused IP from the overlay subnet.

auto-discovery-sender enable
  Required if ADVPN is desired. Detailed information about ADVPN is available in KB article FD39360:
  https://kb.fortinet.com/kb/documentLink.do?externalID=FD39360

exchange-interface-ip enable
  For learning the overlay IPs of the Spokes during IKE negotiation. Automatically enabled when ADVPN is activated with ‘auto-discovery-sender enable’.
Spoke IPsec configuration

[Diagram: Hub (LAN 192.168.1.0/24, interface toSpokes 10.10.10.1) reaches Spoke02 (toHub 10.10.10.2/24, LAN 192.168.2.0/24) and Spoke03 (toHub 10.10.10.3, LAN 192.168.3.0/24) across isp1 198.51.100.0/24; overlay subnet 10.10.10.0/24]

    config vpn ipsec phase1-interface
        edit "toHub"
            set interface "wan"
            set proposal aes128-sha1
            set exchange-interface-ip enable
            set auto-discovery-receiver enable
            set add-route disable
            set remote-gw 198.51.100.1
            set psksecret xxxxxxxx
        next
    end
    config vpn ipsec phase2-interface
        edit "toHub"
            set phase1name "toHub"
            set proposal aes128-sha1
        next
    end
    config system interface
        edit "toHub"
            set ip 10.10.10.2/32
            set remote-ip 10.10.10.1/24
        next
    end

set ip 10.10.10.2/32 / set remote-ip 10.10.10.1/24
  The overlay IPs of all ADVPN participants are in the same subnet. The mask for the local IP can only be /32, so the mask for the overlay subnet must be specified in ‘remote-ip’. The remote-ip can be any other IP in the overlay; for clarity, the IP of the Hub is used.

auto-discovery-receiver enable / add-route disable
  Required if ADVPN is desired. Detailed information about ADVPN is available in KB article FD39360:
  https://kb.fortinet.com/kb/documentLink.do?externalID=FD39360

exchange-interface-ip enable
  Instructs the Spoke to announce its overlay IP (10.10.10.2) to the Hub during IKE negotiation. Automatically enabled when ADVPN is activated with ‘auto-discovery-sender enable’.
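The Hub and Spoke configuration slides above state several rules that are easy to get wrong by hand: the local overlay IP must be a /32 with the overlay mask carried by remote-ip, tunnel-search must match the route source (nexthop for dynamic routing with add-route disable, selectors for IKE routes with add-route enable), and a nexthop Hub must have a way to learn the Spokes’ overlay IPs (exchange-interface-ip, auto-discovery-sender or mode-cfg). The following added example (not Fortinet code, not from the author) parses FortiOS CLI snippets in the form used on these slides and checks those rules; the parser, function names and sample text are this example’s own, and the mode-cfg pool check generalizes the rule to the IKE mode-config provisioning shown on the Overlay IPs slide.

```python
# Added example (not Fortinet code): a minimal parser for the FortiOS CLI snippets on
# these slides, plus a checker for the overlay-IP and tunnel-search rules the Hub and
# Spoke slides state. Function names and the sample configuration are this example's own.
import ipaddress
import re
from typing import Dict, List

Config = Dict[str, Dict[str, Dict[str, List[str]]]]

# Constructed from the Hub slides (psksecret left out on purpose)
SAMPLE_HUB = """
config vpn ipsec phase1-interface
    edit "toSpokes"
        set type dynamic
        set net-device disable
        set tunnel-search nexthop
        set interface "wan"
        set add-route disable
        set exchange-interface-ip enable
        set auto-discovery-sender enable
    next
end
config system interface
    edit "toSpokes"
        set ip 10.10.10.1/32
        set remote-ip 10.10.10.254/24
    next
end
"""


def parse_fortios(text: str) -> Config:
    """Parse flat 'config <table> / edit <entry> / set <key> <values> / next / end'
    blocks into {table: {entry: {key: [values]}}}. Sub-tables nested inside an entry
    (as in 'config router bgp') are skipped: the IPsec and interface tables are flat."""
    tree: Config = {}
    depth, table, entry = 0, "", ""
    for raw in text.splitlines():
        tokens = re.findall(r'"[^"]*"|\S+', raw.strip())
        if not tokens:
            continue
        cmd, args = tokens[0], [t.strip('"') for t in tokens[1:]]
        if cmd == "config":
            depth += 1
            if depth == 1:
                table = " ".join(args)
                tree.setdefault(table, {})
        elif cmd == "end":
            depth -= 1
        elif depth == 1 and cmd == "edit":
            entry = args[0]
            tree[table].setdefault(entry, {})
        elif depth == 1 and cmd == "set" and entry:
            tree[table][entry][args[0]] = args[1:]
        elif depth == 1 and cmd == "next":
            entry = ""
    return tree


def check_overlay_config(cfg: Config, name: str) -> List[str]:
    """Return the rule violations found for phase1/interface <name>; empty means consistent."""
    problems: List[str] = []
    p1 = cfg.get("vpn ipsec phase1-interface", {}).get(name)
    intf = cfg.get("system interface", {}).get(name)
    if p1 is None or intf is None:
        return [f"{name}: phase1-interface or system interface entry missing"]

    def first(d: Dict[str, List[str]], key: str, default: str = "") -> str:
        return d.get(key, [default])[0]

    # Defaults as of FortiOS 6.0 / 5.6.3: net-device disable, tunnel-search selectors
    search = first(p1, "tunnel-search", "selectors")
    if first(p1, "type") == "dynamic":  # the tunnel-search rules concern dialup phase1
        add_route = first(p1, "add-route")
        if add_route == "disable" and search != "nexthop":
            problems.append("dynamic routing (add-route disable) needs tunnel-search nexthop")
        if add_route == "enable" and search != "selectors":
            problems.append("IKE routes (add-route enable) need tunnel-search selectors")
        learners = ("exchange-interface-ip", "auto-discovery-sender", "mode-cfg")
        if search == "nexthop" and not any(first(p1, k) == "enable" for k in learners):
            problems.append("nexthop Hub has no way to learn the Spokes' overlay IPs")
    local = ipaddress.ip_interface(first(intf, "ip", "0.0.0.0/0"))
    remote = ipaddress.ip_interface(first(intf, "remote-ip", "0.0.0.0/0"))
    if local.network.prefixlen != 32:
        problems.append(f"local ip {local} must use a /32 mask")
    if remote.network.prefixlen == 32 or local.ip not in remote.network:
        problems.append(f"remote-ip {remote} must carry the overlay subnet containing {local.ip}")
    if first(p1, "mode-cfg") == "enable":
        # The mode-cfg pool handed to the Spokes must sit inside the overlay subnet
        for key in ("ipv4-start-ip", "ipv4-end-ip"):
            if ipaddress.ip_address(first(p1, key, "0.0.0.0")) not in remote.network:
                problems.append(f"{key} {first(p1, key)} is outside {remote.network}")
    return problems


if __name__ == "__main__":
    print(check_overlay_config(parse_fortios(SAMPLE_HUB), "toSpokes"))  # []
```

Run it against a configuration backup before changing tunnel-search or the overlay addressing: a Hub that carries the overlay mask on the local IP, or that disables add-route while keeping the default tunnel-search selectors, will bring tunnels up and still drop every packet routed through the shared interface.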
Hub BGP configuration

[Diagram: Hub = BGP Route Reflector 10.10.10.1 (LAN 192.168.1.0/24, interface toSpokes) in iBGP AS 65000 with Spoke02 (10.10.10.2, LAN 192.168.2.0/24) and Spoke03 (10.10.10.3, LAN 192.168.3.0/24) as RR-Clients over the overlay 10.10.10.0/24; underlay isp1 198.51.100.0/24]

    config router bgp
        set as 65000
        set router-id 10.10.10.1
        config neighbor-group
            edit "advn_peers"
                set remote-as 65000
                set route-reflector-client enable
            next
        end
        config neighbor-range
            edit 1
                set prefix 10.10.10.0 255.255.255.0
                set neighbor-group "advn_peers"
            next
        end
        config network
            edit 1
                set prefix 192.168.1.0 255.255.255.0
            next
        end
    end
Spoke BGP configuration

[Diagram: Hub = BGP Route Reflector 10.10.10.1 (LAN 192.168.1.0/24, interface toSpokes) in iBGP AS 65000 with Spoke02 (10.10.10.2, LAN 192.168.2.0/24) and Spoke03 (10.10.10.3, LAN 192.168.3.0/24) as RR-Clients over the overlay 10.10.10.0/24; underlay isp1 198.51.100.0/24]

    config router bgp
        set as 65000
        set router-id 10.10.10.2
        config neighbor
            edit "10.10.10.1"
                set remote-as 65000
            next
        end
        config network
            edit 1
                set prefix 192.168.2.0 255.255.255.0
            next
        end
    end
New IPsec dialup logic
With OSPF

Overlay IPs
Overlay IPs of the Spokes (10.10.10.x) can be provisioned in two ways:

[Diagram: Hub “Paris” (LAN 192.168.1.0/24, overlay 10.10.10.1 on interface toSpokes, tunnel instances toSpokes_0 / toSpokes_1) reaches Spokes France02 (overlay 10.10.10.2, LAN 192.168.2.0/24) and France03 (overlay 10.10.10.3, LAN 192.168.3.0/24) across ISP1 198.51.100.0/24; overlay subnet 10.10.10.0/24]

▪ Manually on each Spoke
  HUB:
    config system interface
        edit "toSpokes"
            set ip 10.10.10.1/32
            set remote-ip 10.10.10.254/24
        next
    end
  Spoke:
    config system interface
        edit "toHub"
            set ip 10.10.10.2/32
            set remote-ip 10.10.10.1/24
        next
    end

▪ Automatically from the Hub using IKE mode-config as of FOS 6.2.2
  HUB:
    config system interface
        edit "toSpokes"
            set ip 10.10.10.1/32
            set remote-ip 10.10.10.254/24
        next
    end
    config vpn ipsec phase1-interface
        edit "toSpokes"
            set mode-cfg enable
            set ipv4-start-ip 10.10.10.2
            set ipv4-end-ip 10.10.10.253
            set ipv4-netmask 255.255.255.0
        next
    end
  Spoke:
    config system interface
        edit "toHub"
            < do not configure an IP here >
        next
    end
    config vpn ipsec phase1-interface
        edit "toHub"
            set mode-cfg enable
        next
    end
Hub OSPF configuration

Support for NATed Spokes is available only as of FortiOS 6.2 and FortiOS 6.0.5.

[Diagram: Hub 10.10.10.1 (LAN 192.168.1.0/24) runs OSPF point-to-multipoint on toSpokes; Spoke02 (10.10.10.2, LAN 192.168.2.0/24) and Spoke03 (10.10.10.3, LAN 192.168.3.0/24) run OSPF point-to-point on toHub; all in Area 0.0.0.0 over the overlay 10.10.10.0/24; underlay isp1 198.51.100.0/24]

    config router ospf
        set router-id 10.10.10.1
        config area
            edit 0.0.0.0
            next
        end
        config ospf-interface
            edit "toSpokes"
                set interface "toSpokes"
                set mtu-ignore enable
                set network-type point-to-multipoint
                set hello-interval 10
                set dead-interval 40
            next
        end
        config network
            edit 1
                set prefix 10.10.10.0 255.255.255.0
            next
            edit 2
                set prefix 192.168.1.0 255.255.255.0
            next
        end
    end

Default timers for P2MP: Hello = 30 sec, Dead = 120 sec.
Spoke OSPF configuration

Support for NATed Spokes is available only as of FortiOS 6.2 and FortiOS 6.0.5.

[Diagram: Hub 10.10.10.1 (LAN 192.168.1.0/24) runs OSPF point-to-multipoint on toSpokes; Spoke02 (10.10.10.2, LAN 192.168.2.0/24) and Spoke03 (10.10.10.3, LAN 192.168.3.0/24) run OSPF point-to-point on toHub; all in Area 0.0.0.0 over the overlay 10.10.10.0/24; underlay isp1 198.51.100.0/24]

    config router ospf
        set router-id 10.10.10.2
        config area
            edit 0.0.0.0
            next
        end
        config ospf-interface
            edit "toHub"
                set interface "toHub"
                set network-type point-to-point
                set mtu-ignore enable
            next
        end
        config network
            edit 1
                set prefix 10.10.10.0 255.255.255.0
            next
            edit 2
                set prefix 192.168.2.0 255.255.255.0
            next
        end
    end
New IPsec dialup logic
With IKE routes (a.k.a. reverse-route injection - RRI)

Restrictions for “net-device disable” with IKE routes
The subnets protected by the Spokes are learned from the traffic selectors of the IPsec SA negotiation.

▪ Up to FortiOS 6.2.0: the Hub can learn a given subnet only once
  » Not supported: Spoke-A and Spoke-B both announcing “I’m protecting 192.168.2.0/24” to the same HUB phase1
  » Not supported: Spoke-A announcing “I’m protecting 192.168.2.0/24” more than once to the same HUB phase1
  » Not supported: Spoke-A and Spoke-B announcing “I’m protecting 192.168.2.0/24” to two different HUB phase1

▪ As of FortiOS 6.2.1: the Hub can learn a given subnet once per phase1
  » Not supported: Spoke-A and Spoke-B both announcing “I’m protecting 192.168.2.0/24” to the same HUB phase1
  » Not supported: Spoke-A announcing “I’m protecting 192.168.2.0/24” more than once to the same HUB phase1
  » Supported: Spoke-A and Spoke-B announcing “I’m protecting 192.168.2.0/24” to two different HUB phase1
Hub IPsec configuration

[Diagram: Hub (LAN 192.168.1.0/24, interface toSpokes) reaches Spoke02 (toHub, LAN 192.168.2.0/24) and Spoke03 (toHub, LAN 192.168.3.0/24) across isp1 198.51.100.0/24]

    config vpn ipsec phase1-interface
        edit "toSpokes"
            set type dynamic
            set net-device disable
            set tunnel-search selectors
            set interface "wan"
            set proposal aes128-sha1
            set add-route enable
            set psksecret xxxxxxxx
        next
    end
    config vpn ipsec phase2-interface
        edit "toSpokes"
            set phase1name "toSpokes"
            set proposal aes128-sha1
        next
    end

add-route enable
  The subnets protected by the Spokes are learned from the traffic selectors of the IPsec SA negotiation. These routes are submitted to the routing table manager (RTM).

net-device disable
  Default setting for dialup phase1 as of FortiOS 6.0 & 5.6.3. A dedicated interface is no longer created for each dialer; “toSpokes” is used as a shared interface.

tunnel-search selectors
  To decide into which tunnel the packet must be sent, the dst-ip of the packet is checked against the list of IPsec SA selectors.
Spoke IPsec & routing configuration

[Diagram: Hub (LAN 192.168.1.0/24, interface toSpokes) reaches Spoke02 (toHub, LAN 192.168.2.0/24) and Spoke03 (toHub, LAN 192.168.3.0/24) across isp1 198.51.100.0/24]

    config vpn ipsec phase1-interface
        edit "toHub"
            set interface "wan"
            set proposal aes128-sha1
            set remote-gw 198.51.100.1
            set psksecret xxxxxxxx
        next
    end
    config vpn ipsec phase2-interface
        edit "toHub"
            set phase1name "toHub"
            set proposal aes128-sha1
            set src-subnet 192.168.2.0/24
        next
    end
    config router static
        edit <id>
            set dst 192.168.1.0/24
            set device "toHub"
        next
    end

src-subnet <protected-subnet>
  The Spoke must announce each protected subnet during IPsec SA negotiation.

config router static
  Static route(s) to reach the Hub’s subnet(s).
Spoke IPsec & routing configuration

Announcing multiple protected subnets with IKEv1:
    config vpn ipsec phase2-interface
        edit "net2"
            set phase1name "toHub"
            set proposal aes128-sha1
            set src-subnet 192.168.2.0/24
        next
        edit "net22"
            set phase1name "toHub"
            set proposal aes128-sha1
            set src-subnet 192.168.22.0/24
        next
        edit "net222"
            set phase1name "toHub"
            set proposal aes128-sha1
            set src-subnet 192.168.222.0/24
        next
    end

Announcing multiple protected subnets with IKEv2:
    config firewall address
        edit "internal_net2"
            set subnet 192.168.2.0 255.255.255.0
        next
        edit "internal_net22"
            set subnet 192.168.22.0 255.255.255.0
        next
        edit "internal_net222"
            set subnet 192.168.222.0 255.255.255.0
        next
    end
    config firewall addrgrp
        edit "internal_subnets"
            set member "internal_net2" "internal_net22" "internal_net222"
        next
    end
    config vpn ipsec phase2-interface
        edit "toHub"
            set phase1name "toHub"
            set proposal aes128-sha1
            set src-addr-type name
            set src-name "internal_subnets"
            set dst-addr-type name
            set dst-name "all"
        next
    end
IKE routes (reverse route injection)
▪ The Hub learns the Spokes’ subnets during IPsec SA negotiation
  Hub IKE debug:
    ike 0: comes 198.51.100.2:500->198.51.100.1:500,ifindex=4....
    (...)
    ike 0:toSpokes_3:5:7: responder received first quick-mode message
    ike 0:toSpokes_3:5:7: peer proposal is: peer:0:192.168.2.0-192.168.2.255:0, me:0:0.0.0.0-255.255.255.255:0
    (...)
    ike 0:toSpokes_3:5:toSpokes:7: IPsec SA selectors #src=1 #dst=1
    ike 0:toSpokes_3:5:toSpokes:7: src 0 7 0:0.0.0.0-255.255.255.255:0
    ike 0:toSpokes_3:5:toSpokes:7: dst 0 7 0:192.168.2.0-192.168.2.255:0
    ike 0:toSpokes_3:5:toSpokes:7: add dynamic IPsec SA selectors
    ike 0:toSpokes:7: add route 192.168.2.0/255.255.255.0 gw 198.51.100.2 oif toSpokes(16) metric 15 priority 0
    (...)
  » A static route is dynamically created (the “add route” line); its Next-Hop is the Spoke’s tunnel endpoint address
IKE routes (reverse route injection)
▪ Networks accessible over dialup tunnels are all bound to the same shared (phase1) interface
    Hub # get router info routing-table static
    S 192.168.2.0/24 [15/0] via 198.51.100.2, toSpokes
    S 192.168.3.0/24 [15/0] via 198.51.100.3, toSpokes
    S 192.168.4.0/24 [15/0] via 198.51.100.4, toSpokes
    S 192.168.5.0/24 [15/0] via 198.51.100.5, toSpokes
  » Static routes to the Spokes’ networks are dynamically created
  » The Next-Hop is the tunnel endpoint address of the corresponding Spoke

IKE routes overlap is not supported with ‘net-device disable’
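The IKE-route restrictions (the “Restrictions for net-device disable with IKE routes” slide and the overlap note just above), applied to the Hub IKE debug output of the previous slides, as an added Python example that is not Fortinet’s or the author’s code: it extracts the “add route” lines the Hub prints when it learns a Spoke’s subnet, then replays them under either rule, learn-once-per-Hub (up to FortiOS 6.2.0) or learn-once-per-phase1 (as of 6.2.1). It treats any overlap, not only an identical subnet, as a conflict, which goes beyond the slide’s identical-subnet drawings but follows the overlap note. The sample log lines are constructed after the slide’s debug output (a second phase1 “toPartners” and the gateway 203.0.113.7 are invented for the example); the regular expression and function names are this example’s own.

```python
# Added example (not Fortinet code): parse the "add route" lines the Hub IKE debug prints
# when it learns a Spoke's subnet from the IPsec SA selectors (reverse route injection), then
# apply the restriction the slides state: up to FortiOS 6.2.0 a subnet may be learned only
# once per Hub, as of 6.2.1 once per phase1, and overlapping IKE routes are not supported
# with net-device disable. Log lines are constructed; function names are this example's own.
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple

ADD_ROUTE = re.compile(
    r"^ike \d+:(?P<phase1>[^:]+):\d+: add route (?P<net>[\d.]+)/(?P<mask>[\d.]+) "
    r"gw (?P<gw>[\d.]+) oif (?P<oif>\S+)\(\d+\) metric (?P<metric>\d+)"
)

# Constructed sample: two Spokes behind phase1 toSpokes, a third Spoke re-announcing
# 192.168.2.0/24 on the same phase1, and a site announcing it on a second phase1 (toPartners).
SAMPLE_DEBUG = """
ike 0:toSpokes_3:5:toSpokes:7: add dynamic IPsec SA selectors
ike 0:toSpokes:7: add route 192.168.2.0/255.255.255.0 gw 198.51.100.2 oif toSpokes(16) metric 15 priority 0
ike 0:toSpokes:9: add route 192.168.3.0/255.255.255.0 gw 198.51.100.3 oif toSpokes(16) metric 15 priority 0
ike 0:toSpokes:11: add route 192.168.2.0/255.255.255.0 gw 198.51.100.5 oif toSpokes(16) metric 15 priority 0
ike 0:toPartners:4: add route 192.168.2.0/255.255.255.0 gw 203.0.113.7 oif toPartners(17) metric 15 priority 0
""".strip().splitlines()


@dataclass(frozen=True)
class IkeRoute:
    phase1: str
    subnet: IPv4Network
    gateway: str  # the Spoke's tunnel endpoint address (underlay), as in the routing table


def parse_ike_routes(lines: List[str]) -> List[IkeRoute]:
    """Extract the IKE routes (RRI) from Hub IKE debug lines; other lines are ignored."""
    routes: List[IkeRoute] = []
    for line in lines:
        m = ADD_ROUTE.match(line.strip())
        if m:
            routes.append(IkeRoute(m["phase1"], ip_network(f"{m['net']}/{m['mask']}"), m["gw"]))
    return routes


def check_ike_routes(routes: List[IkeRoute], once_per_phase1: bool) -> List[Tuple[IkeRoute, bool]]:
    """Replay the routes in order and flag (route, True) for each one the Hub cannot accept.

    once_per_phase1=False models FortiOS up to 6.2.0 (a subnet is learned once per Hub);
    True models 6.2.1 and later (once per phase1). Overlap, not just equality, conflicts."""
    accepted: List[IkeRoute] = []
    verdicts: List[Tuple[IkeRoute, bool]] = []
    for route in routes:
        scope = [a for a in accepted if not once_per_phase1 or a.phase1 == route.phase1]
        conflict = any(route.subnet.overlaps(a.subnet) for a in scope)
        verdicts.append((route, conflict))
        if not conflict:
            accepted.append(route)
    return verdicts


if __name__ == "__main__":
    for route, rejected in check_ike_routes(parse_ike_routes(SAMPLE_DEBUG), once_per_phase1=True):
        state = "CONFLICT" if rejected else "ok"
        print(f"{route.phase1:12} {str(route.subnet):18} via {route.gateway:15} {state}")
```

Feeding a captured `diag debug application ike` log through this replay shows which Spoke announcements the Hub would refuse before the overlap shows up as one Spoke’s traffic being steered into another Spoke’s tunnel.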
IKE routes (reverse route injection)
▪ Packets forwarded to shared interface toSpokes
    S 192.168.2.0/24 [15/0] via 198.51.100.2, toSpokes
  » When a cleartext packet is sent to toSpokes, it is sent to the IPsec engine
  » The IPsec engine searches for the tunnel index matching the packet’s dst-ip (phase1 name: toSpokes)
    Hub # diagnose vpn tunnel list name Spoke
    list ipsec tunnel by names in vd 0
    ------------------------------------------------------
    name=toSpokes ver=1 serial=1 198.51.100.1:0->0.0.0.0:0
    bound_if=4 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/0
    proxyid_num=0 child_num=4 refcnt=22 ilast=2940 olast=2940 ad=/0 itn-status=1f
    stat: rxp=0 txp=0 rxb=0 txb=0
    dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    run_tally=4
    ipv4 route tree:                                (Spokes’ selectors → tunnel indexes)
    192.168.2.0->192.168.2.255 3                    (tunnel index 3 → toSpokes_3)
    192.168.3.0->192.168.3.255 0
    192.168.4.0->192.168.4.255 2
    192.168.5.0->192.168.5.255 1
IKE routes (reverse route injection)
▪ Packets forwarded to shared interface toSpokes (cont.):
  » The cleartext packet is protected with the IPsec SA of tunnel toSpokes_3
    Hub # diag vpn tunnel list name toSpokes_3
    list ipsec tunnel by names in vd 0
    ------------------------------------------------------
    name=toSpokes_3 ver=1 serial=2 198.51.100.1:0->198.51.100.2:0
    bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/256 options[0100]=rgwy_chg
    parent=toSpokes index=3
    proxyid_num=1 child_num=0 refcnt=7 ilast=0 olast=0 ad=/0 itn-status=1f
    stat: rxp=269 txp=269 rxb=40888 txb=22596
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=Spoke proto=0 sa=1 ref=2 serial=1 add-route
      src: 0:0.0.0.0-255.255.255.255:0
      dst: 0:192.168.2.0-192.168.2.255:0
      SA: ref=3 options=2a6 type=00 soft=0 mtu=1438 expire=40260/0B replaywin=2048
          seqno=10e esn=0 replaywin_lastseq=0000010e itn=0
      life: type=01 bytes=0/0 timeout=43190/43200
      dec: spi=900ff680 esp=aes key=16 117f19309cc32ef183b7973b6e2f6f4d
           ah=sha1 key=20 c54d3053af167264dc24050ff4f1fa82d1993cbb
      enc: spi=fd617a96 esp=aes key=16 8921a03db5ee144f4eae94deab321c5d
           ah=sha1 key=20 02a6aee085cc3323a799ff643dcdf5760d461158
      dec:pkts/bytes=269/22596, enc:pkts/bytes=269/40888
  » Finally, an IPsec packet (ESP) is sent on the wire