Forward error correction on VPN overlay networks – FortiOS 6.2

This topic shows an SD-WAN deployment with forward error correction (FEC) enabled on its VPN overlay networks. FEC lowers the packet loss ratio at the cost of extra bandwidth: the sender adds redundant packets to each block of traffic so the receiver can rebuild lost packets from what did arrive. FEC is controlled by six parameters in the IPsec phase1/phase1-interface settings.

- fec-ingress: enable/disable. Disabled by default. Decode FEC redundancy received on this tunnel from the peer.
- fec-egress: enable/disable. Disabled by default. Add FEC redundancy to traffic this FortiGate sends on the tunnel.
- fec-base: number of data packets per FEC block. <1-100>. Default = 20.
- fec-redundant: number of redundant packets added to each block. <1-100>. Default = 10.
- fec-send-timeout: timeout, in milliseconds, before the FEC packets for a block are sent even if the block is not yet full. <1-1000>. Default = 8.
- fec-receive-timeout: timeout, in milliseconds, before an incomplete block is dropped on the receiving side. <1-10000>. Default = 5000.

The two enable switches are directional: fec-egress on one FortiGate only helps if the peer has fec-ingress enabled to decode it, so for protection in both directions enable both settings on both ends, as the sample below does.

For example, a customer has two ISP connections, wan1 and wan2. Using these two connections, create two IPsec VPN interfaces and add them as SD-WAN members. Configure FEC on each VPN interface to lower the packet loss ratio: the FortiGate's backend algorithm adds redundant packets to each block so the far end can rebuild lost packets instead of waiting for the application to retransmit them.
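The trade-off set by fec-base and fec-redundant can be quantified before touching a production tunnel. The following Python is an added illustration, not code from the original page or from FortiOS: it assumes an MDS-style block erasure code (any base of the base+redundant packets in a block suffice to rebuild it) and independent packet loss, neither of which the page states about FortiOS's backend algorithm, so treat its figures as a model, not a guarantee. The function names are the example's own.

```python
"""Residual loss and bandwidth cost of block FEC with `base` data packets and
`redundant` repair packets per block.

Added illustration, not FortiOS code. Assumptions: an MDS-style erasure code (a block
is rebuilt whenever at most `redundant` of its base+redundant packets are lost) and
independent packet loss with probability p. FortiOS does not document its backend
algorithm, so use this as a sizing model, not as a statement about the product."""
from math import comb

DEFAULT_BASE, DEFAULT_REDUNDANT = 20, 10  # FortiOS 6.2 defaults quoted on the page


def bandwidth_overhead(base, redundant):
    """Extra traffic per unit of data: 10 repair packets per 20 data packets = +50%."""
    return redundant / base


def _binom(n, k, p):
    """P(exactly k of n packets lost) with i.i.d. loss probability p."""
    return comb(n, k) * p ** k * (1 - p) ** (n - k)


def block_unrecoverable(base, redundant, p):
    """P(more than `redundant` packets of a block are lost), i.e. the block is not rebuilt."""
    n = base + redundant
    return sum(_binom(n, k, p) for k in range(redundant + 1, n + 1))


def residual_loss(base, redundant, p):
    """Expected fraction of data packets still missing after FEC decoding.

    The code is systematic (data packets travel as-is), so an unrecoverable block only
    loses the data packets that were actually dropped. With losses uniform over the
    block, k lost packets include k*base/n data packets, i.e. a fraction k/n of the
    block's data, so the residual data loss is the sum of P(X=k)*k/n over k > redundant.
    With redundant=0 this collapses to E[X]/n = p, the raw loss ratio."""
    n = base + redundant
    return sum(_binom(n, k, p) * k / n for k in range(redundant + 1, n + 1))


def min_redundant(base, p, target, max_redundant=100):
    """Smallest fec-redundant value (0 meaning FEC is not needed, up to FortiOS's maximum
    of 100) whose residual loss at raw loss p is <= target; None if 100 is not enough."""
    for r in range(0, max_redundant + 1):
        if residual_loss(base, r, p) <= target:
            return r
    return None


if __name__ == "__main__":
    overhead = bandwidth_overhead(DEFAULT_BASE, DEFAULT_REDUNDANT)
    for p in (0.01, 0.05, 0.10, 0.20):
        print(f"raw loss {p:.0%}: residual {residual_loss(DEFAULT_BASE, DEFAULT_REDUNDANT, p):.2e}, "
              f"block fail {block_unrecoverable(DEFAULT_BASE, DEFAULT_REDUNDANT, p):.2e}, "
              f"overhead {overhead:.0%}, "
              f"fec-redundant needed for <=1e-4: {min_redundant(DEFAULT_BASE, p, 1e-4)}")
```

The bandwidth side is the easy half: the page's defaults cost 50% more tunnel traffic regardless of how lossy the link is. The latency side is not modelled here; fec-send-timeout bounds how long the sender holds a partially filled block, so on a low-rate flow it is also the worst-case delay FEC adds.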

Sample topology

To configure IPsec VPN:

config vpn ipsec phase1-interface
    edit "vd1-p1"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 172.16.201.2
        set psksecret ftnt1234
        set fec-egress enable
        set fec-send-timeout 8
        set fec-base 20
        set fec-redundant 10
        set fec-ingress enable
        set fec-receive-timeout 5000
    next
    edit "vd1-p2"
        set interface "wan2"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 172.16.202.2
        set psksecret ftnt1234
        set fec-egress enable
        set fec-send-timeout 8
        set fec-base 20
        set fec-redundant 10
        set fec-ingress enable
        set fec-receive-timeout 5000
    next
end

config vpn ipsec phase2-interface
    edit "vd1-p1"
        set phase1name "vd1-p1"
    next
    edit "vd1-p2"
        set phase1name "vd1-p2"
    next
end

The values above are lab values: ftnt1234 is a placeholder pre-shared key and peertype any accepts any peer identity, so before using this outside a test network replace them with a strong PSK (or certificate authentication) and restrict the accepted peer ID.

To configure the interface:

config system interface
    edit "vd1-p1"
        set ip 172.16.211.1 255.255.255.255
        set remote-ip 172.16.211.2 255.255.255.255
    next
    edit "vd1-p2"
        set ip 172.16.212.1 255.255.255.255
        set remote-ip 172.16.212.2 255.255.255.255
    next
end

To configure the firewall policy:

config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

This policy is deliberately wide open (all sources, all destinations, all services, with NAT) so the example works; scope srcaddr, dstaddr and service to the real traffic in production.

To configure SD-WAN:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "vd1-p1"
            set gateway 172.16.211.2
        next
        edit 2
            set interface "vd1-p2"
            set gateway 172.16.212.2
        next
    end
end

The second member is entry 2 and references the vd1-p2 tunnel defined above. The original listing repeated edit 1 and named the interface vd2-p2, which is never defined; on a FortiGate a second edit 1 re-enters the existing member and overwrites its interface instead of adding a second member, so the SD-WAN would have been left with one tunnel.
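Errors like a repeated edit ID or a member that names a tunnel no phase1-interface defines are easy to miss in a pasted CLI listing, and FEC that is enabled on only one side of a tunnel is silently useless. The following Python linter is an added example, not a FortiOS feature or code from the original page: parse_fortios(), check_sdwan() and check_fec_pairing() are the example's own helpers, the two embedded configs are constructed (the local one reproduces the member block as the page printed it; the peer "hub-p1" is hypothetical), and the pairing check assumes both peers must use identical fec-base/fec-redundant values, as the sample topology does.

```python
"""Offline linter for FortiOS CLI snippets (added example, not a FortiOS feature).
Parses config/edit/set/next/end text, then checks that every SD-WAN member names a
configured phase1-interface, that member IDs are not repeated (a second 'edit 1'
overwrites the first), and that FEC is paired across peers: fec-egress on one side
needs fec-ingress on the other. Assumes both peers use identical base/redundant."""
import shlex
from collections import defaultdict

FEC_DEFAULTS = {"fec-base": "20", "fec-redundant": "10"}  # 6.2 defaults quoted on the page


def parse_fortios(text):
    """Return ({table_path: {entry: {key: value}}}, [(table_path, entry), ...] duplicates).
    Settings made directly under a table ('set status enable') live under entry ''.
    Nested tables get a 'parent/child' path, e.g. 'system virtual-wan-link/members'."""
    tables, duplicates, stack = defaultdict(dict), [], []  # stack: (path, current entry)
    for raw in text.splitlines():
        line = raw.replace("\u201c", '"').replace("\u201d", '"')  # curly quotes from copy/paste
        toks = shlex.split(line)
        if not toks:
            continue
        cmd, args = toks[0], toks[1:]
        if cmd == "config":
            path = " ".join(args)
            if stack:
                parent, entry = stack[-1]
                path = f"{parent}/{entry}/{path}" if entry else f"{parent}/{path}"
            stack.append((path, None))
        elif cmd == "edit":
            path, name = stack[-1][0], args[0]
            if name in tables[path]:
                duplicates.append((path, name))
            tables[path].setdefault(name, {})
            stack[-1] = (path, name)
        elif cmd == "set":
            path, entry = stack[-1]
            tables[path].setdefault(entry or "", {})[args[0]] = " ".join(args[1:])
        elif cmd == "next":
            stack[-1] = (stack[-1][0], None)
        elif cmd == "end":
            stack.pop()
    return dict(tables), duplicates


def check_sdwan(tables, duplicates):
    """Findings for repeated edit IDs and members whose interface is not a phase1-interface."""
    findings = [f"duplicate 'edit {name}' under {path}" for path, name in duplicates]
    phase1 = tables.get("vpn ipsec phase1-interface", {})
    for mid, member in tables.get("system virtual-wan-link/members", {}).items():
        intf = member.get("interface")
        if intf not in phase1:
            findings.append(f"member {mid}: interface {intf!r} is not a configured phase1-interface")
    return findings


def check_fec_pairing(local, remote, label):
    """fec-egress only helps if the peer decodes it with fec-ingress (and vice versa);
    also flag base/redundant mismatches, taking FortiOS defaults for unset keys."""
    findings = []
    for mine, theirs in (("fec-egress", "fec-ingress"), ("fec-ingress", "fec-egress")):
        if local.get(mine) == "enable" and remote.get(theirs) != "enable":
            findings.append(f"{label}: local {mine} enabled but peer {theirs} is not")
    for key, default in FEC_DEFAULTS.items():
        mine, theirs = local.get(key, default), remote.get(key, default)
        if mine != theirs:
            findings.append(f"{label}: {key} mismatch (local {mine}, peer {theirs})")
    return findings


# Constructed sample: a trimmed phase1 table plus the page's member block exactly as
# printed (the second member repeats 'edit 1' and names 'vd2-p2', which is never defined).
LOCAL_CFG = """config vpn ipsec phase1-interface
    edit "vd1-p1"
        set fec-egress enable
        set fec-ingress enable
    next
end
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "vd1-p1"
        next
        edit 1
            set interface "vd2-p2"
        next
    end
end"""

# Constructed hypothetical peer: it sends FEC towards us but never enables fec-ingress.
REMOTE_CFG = """config vpn ipsec phase1-interface
    edit "hub-p1"
        set fec-egress enable
        set fec-base 20
        set fec-redundant 10
    next
end"""


def run():
    """Lint the constructed local config against the constructed peer; returns findings."""
    local, dups = parse_fortios(LOCAL_CFG)
    remote, _ = parse_fortios(REMOTE_CFG)
    findings = check_sdwan(local, dups)
    findings += check_fec_pairing(local["vpn ipsec phase1-interface"]["vd1-p1"],
                                  remote["vpn ipsec phase1-interface"]["hub-p1"],
                                  "vd1-p1 <-> hub-p1")
    return findings
```

Run as `python3 -c "import fec_lint; print(*fec_lint.run(), sep='\n')"` (assuming the block is saved as fec_lint.py) and it reports the duplicate edit 1, the undefined vd2-p2 member, and the missing fec-ingress on the peer. The parser also tolerates curly quotes and doubled quotes such as `""virtual-wan-link""`, which is how pasted listings usually break.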

To use the diagnose command to check VPN FEC status:

# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=vd1 ver=1 serial=1 172.16.200.1:0->172.16.200.2:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0e10]=create_dev frag-rfc fec-egress fec-ingress accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec-egress: base=20 redundant=10 remote_port=50000      <<<<<<<<<<<<<<<<<<<<<<
fec-ingress: base=20 redundant=10                       <<<<<<<<<<<<<<<<<<<<<<
proxyid=demo proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.100.0/255.255.255.0:0
  dst: 0:173.1.1.0/255.255.255.0:0
  SA: ref=3 options=10226 type=00 soft=0 mtu=1390 expire=42897/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42899/43200
  dec: spi=181f4f81 esp=aes key=16 6e8fedf2a77691ffdbf3270484cb2555 ah=sha1 key=20 f92bcf841239d15d30b36b695f78eaef3fad05c4
  enc: spi=0ce10190 esp=aes key=16 2d684fb19cbae533249c8b5683937329 ah=sha1 key=20 ba7333f89cd34cf75966bd9ffa72030115919213
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

Two things confirm FEC is active: the options field lists fec-egress and fec-ingress, and the two fec-* lines marked with arrows show the base/redundant values that were configured. This sample output comes from a tunnel named vd1 rather than vd1-p1, but the fields are the same. Note that the output also prints the live ESP encryption and authentication keys (the dec and enc lines), so treat saved or shared diagnose output as sensitive.



This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
