Redundant hub and spoke VPN

This recipe provides a sample configuration of a hub and spoke IPsec VPN. The following applies to this scenario:

  l The spokes have two WAN interfaces and two IPsec VPN tunnels for redundancy.
  l The secondary VPN tunnel is brought up only when the primary tunnel has been declared down by dead peer detection.

The following shows the sample network topology for this recipe:

Because only part of this configuration can be completed from the GUI, it is recommended to apply it with the CLI commands shown below.

To configure redundant hub and spoke VPN using the FortiOS CLI:

  1. Configure the hub:
    1. Configure the WAN, internal interface, and static route:

    config system interface
        edit "port13"
            set alias "WAN"
            set ip 172.16.202.1 255.255.255.0
        next
        edit "port9"
            set alias "Internal"
            set ip 172.16.101.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 172.16.202.2
            set device "port13"
        next
    end

    2. Configure the IPsec phase1-interface and phase2-interface:

    config vpn ipsec phase1-interface
        edit "hub"
            set type dynamic
            set interface "port13"
            set peertype any
            set net-device enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set psksecret sample
            set dpd-retryinterval 60
        next
    end
    config vpn ipsec phase2-interface
        edit "hub"
            set phase1name "hub"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        next
    end

    3. Configure the firewall policy:

    config firewall policy
        edit 1
            set name "spoke-hub"
            set srcintf "hub"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "172.16.101.0"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 2
            set name "spoke-spoke"
            set srcintf "hub"
            set dstintf "hub"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end

  2. Configure the spokes:
    1. Configure the WAN, internal interface, and static route:
      1. Configure Spoke1:

    config system interface
        edit "port1"
            set ip 172.16.200.1 255.255.255.0
        next
        edit "wan1"
            set mode dhcp
            set distance 10
            set priority 100
        next
        edit "dmz"
            set ip 10.1.100.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 172.16.200.2
            set device "port1"
        next
    end

      2. Configure Spoke2:

    config system interface
        edit "wan1"
            set ip 172.16.200.3 255.255.255.0
        next
        edit "wan2"
            set mode dhcp
            set distance 10
            set priority 100
        next
        edit "lan1"
            set ip 192.168.4.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 172.16.200.2
            set device "wan1"
        next
    end

    2. Configure the IPsec phase1-interface and phase2-interface:
      1. Configure Spoke1:

    config vpn ipsec phase1-interface
        edit "primary"
            set interface "port1"
            set peertype any
            set net-device enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 172.16.202.1
            set psksecret sample
        next
        edit "secondary"
            set interface "wan1"
            set peertype any
            set net-device enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 172.16.202.1
            set monitor "primary"
            set psksecret sample
        next
    end
    config vpn ipsec phase2-interface
        edit "primary"
            set phase1name "primary"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set auto-negotiate enable
            set src-subnet 10.1.100.0 255.255.255.0
        next
        edit "secondary"
            set phase1name "secondary"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set auto-negotiate enable
            set src-subnet 10.1.100.0 255.255.255.0
        next
    end

      2. Configure Spoke2:

    config vpn ipsec phase1-interface
        edit "primary"
            set interface "wan1"
            set peertype any
            set net-device enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 172.16.202.1
            set psksecret sample
        next
        edit "secondary"
            set interface "wan2"
            set peertype any
            set net-device enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 172.16.202.1
            set monitor "primary"
            set psksecret sample
        next
    end
    config vpn ipsec phase2-interface
        edit "primary"
            set phase1name "primary"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set auto-negotiate enable
            set src-subnet 192.168.4.0 255.255.255.0
        next
        edit "secondary"
            set phase1name "secondary"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set auto-negotiate enable
            set src-subnet 192.168.4.0 255.255.255.0
        next
    end

    3. Configure the firewall policy:
      1. Configure Spoke1:

    config firewall policy
        edit 1
            set srcintf "dmz"
            set dstintf "primary" "secondary"
            set srcaddr "10.1.100.0"
            set dstaddr "172.16.101.0"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end

      2. Configure Spoke2:

    config firewall policy
        edit 1
            set srcintf "lan1"
            set dstintf "primary" "secondary"
            set srcaddr "192.168.4.0"
            set dstaddr "172.16.101.0"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end

    4. Configure the static route:
      1. Configure Spoke1:

    config router static
        edit 3
            set dst 172.16.101.0 255.255.255.0
            set distance 1
            set device "primary"
        next
        edit 4
            set dst 172.16.101.0 255.255.255.0
            set distance 3
            set device "secondary"
        next
    end

      2. Configure Spoke2:

    config router static
        edit 3
            set dst 172.16.101.0 255.255.255.0
            set distance 1
            set device "primary"
        next
        edit 4
            set dst 172.16.101.0 255.255.255.0
            set distance 3
            set device "secondary"
        next
    end

  3. Run diagnose and get commands:
    1. Run the diagnose vpn tunnel list command on Spoke1. The system should return the following:

    Spoke1 # diagnose vpn tunnel list
    name=primary ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
    bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
    proxyid_num=1 child_num=0 refcnt=15 ilast=0 olast=0 ad=/0
    stat: rxp=1879 txp=1881 rxb=225480 txb=112860
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=primary proto=0 sa=1 ref=2 serial=2 auto-negotiate
      src: 0:10.1.100.0/255.255.255.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=41002/0B replaywin=2048
           seqno=758 esn=0 replaywin_lastseq=00000758 itn=0
      life: type=01 bytes=0/0 timeout=42901/43200
      dec: spi=0908732f esp=aes key=16 20770dfe67ea22dd8ec32c44d84ef4d5
           ah=sha1 key=20 edc89fc2ec06309ba13de95e7e486f9b795b8707
      enc: spi=a1d9eed1 esp=aes key=16 8eeea2526fba062e680d941083c8b5d1
           ah=sha1 key=20 f0f5deaf88b2a69046c3154e9f751739b3f411f5
      dec:pkts/bytes=1879/112740, enc:pkts/bytes=1879/225480

    name=secondary ver=1 serial=2 172.17.200.1:0->172.16.202.1:0
    bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0
    proxyid_num=1 child_num=0 refcnt=10 ilast=1892 olast=1892 ad=/0
    stat: rxp=0 txp=0 rxb=0 txb=0
    dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=secondary proto=0 sa=0 ref=2 serial=2 auto-negotiate
      src: 0:10.1.100.0/255.255.255.0:0
      dst: 0:0.0.0.0/0.0.0.0:0

    The primary tunnel shows accept_traffic=1 with an installed SA (sa=1) and DPD running (on=1), while the secondary shows accept_traffic=0, sa=0 and on=0: because it monitors the primary, it is only brought up once dead peer detection declares the primary down.

    2. Run the get router info routing-table static command on Spoke1. The system should return the following:

    Spoke1 # get router info routing-table static
    Routing table for VRF=0
    ...
    S       172.16.101.0/24 [1/0] is directly connected, primary
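The two outputs above are what an operator reads by eye to confirm that failover is armed. As an added example (not part of the original recipe and not Fortinet tooling), the following Python script parses diagnose vpn tunnel list output into one record per tunnel, decides which tunnel is forwarding from accept_traffic and the installed phase2 SA count, and cross-checks that result against the spoke's two static routes (distance 1 via primary, distance 3 via secondary) so that a monitoring job can flag a state where the routing and the tunnel state disagree. SAMPLE_TUNNEL_LIST is abridged from the output shown above; SAMPLE_AFTER_FAILOVER is a constructed sample of the same spoke after the primary has been declared dead, not output captured from a device; SAMPLE_ROUTES mirrors the recipe's routes. Field names such as accept_traffic, sa and dpd on are taken from the output; everything else (function names, the consistency check) is this example's own design.

```python
import re

# Constructed sample, abridged from the "diagnose vpn tunnel list" output
# shown above: the primary carries traffic, the monitored secondary is idle
# (accept_traffic=0, sa=0, dpd on=0).
SAMPLE_TUNNEL_LIST = """\
name=primary ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=15 ilast=0 olast=0 ad=/0
stat: rxp=1879 txp=1881 rxb=225480 txb=112860
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
proxyid=primary proto=0 sa=1 ref=2 serial=2 auto-negotiate
  src: 0:10.1.100.0/255.255.255.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
name=secondary ver=1 serial=2 172.17.200.1:0->172.16.202.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=10 ilast=1892 olast=1892 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
proxyid=secondary proto=0 sa=0 ref=2 serial=2 auto-negotiate
"""

# Constructed (not captured) sample of the same spoke after DPD has declared
# the primary dead and the monitor has brought the secondary up.
SAMPLE_AFTER_FAILOVER = """\
name=primary ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=3 seqno=4
proxyid=primary proto=0 sa=0 ref=2 serial=2 auto-negotiate
name=secondary ver=1 serial=2 172.17.200.1:0->172.16.202.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
proxyid=secondary proto=0 sa=1 ref=2 serial=2 auto-negotiate
"""

# The spoke's two static routes from the recipe; the lower distance wins
# while both tunnel interfaces are usable.
SAMPLE_ROUTES = [
    {"dst": "172.16.101.0/24", "distance": 1, "device": "primary"},
    {"dst": "172.16.101.0/24", "distance": 3, "device": "secondary"},
]

KV_RE = re.compile(r"([A-Za-z_][\w\[\]-]*)=(\S+)")
SECTION_RE = re.compile(r"\s*([A-Za-z_]\w*):\s+(.*)")
GW_RE = re.compile(r"([\d.]+):\d+->([\d.]+):\d+")


def _key_values(line):
    """One output line -> {key: value}. Section lines such as "dpd: mode=..."
    get prefixed keys ("dpd.mode") so they cannot collide with the plain
    "mode=auto/1" on the bound_if line."""
    m = SECTION_RE.match(line)
    if m:
        section, rest = m.groups()
        if section in ("src", "dst"):   # selector lines carry no key=value pairs
            return {section: rest.strip()}
        return {f"{section}.{k}": v for k, v in KV_RE.findall(rest)}
    return dict(KV_RE.findall(line))


def parse_tunnel_list(text):
    """Return {tunnel_name: {field: value}} for every tunnel in the output."""
    tunnels, current = {}, None
    for line in text.splitlines():
        if line.startswith("name="):
            current = {}
            gw = GW_RE.search(line)
            if gw:
                current["local_gw"], current["remote_gw"] = gw.groups()
            tunnels[KV_RE.match(line).group(2)] = current
        if current is None:
            continue                     # ignore anything before the first tunnel
        for k, v in _key_values(line).items():
            current.setdefault(k, v)     # first occurrence wins (serial/ref repeat later)
    return tunnels


def active_tunnel(tunnels):
    """Name of the forwarding tunnel: traffic accepted and a phase2 SA installed."""
    active = [n for n, t in tunnels.items()
              if t.get("accept_traffic") == "1" and int(t.get("sa", "0")) > 0]
    if len(active) != 1:
        raise ValueError(f"expected exactly one forwarding tunnel, found {active}")
    return active[0]


def installed_route_device(routes, usable_devices):
    """Lowest-distance route whose tunnel interface is usable; a tunnel that is
    down withdraws its route, which is what lets the distance-3 backup take over."""
    candidates = [r for r in routes if r["device"] in usable_devices]
    return min(candidates, key=lambda r: r["distance"])["device"] if candidates else None


def check_failover_state(tunnel_text, routes):
    """Cross-check tunnel state against route selection and report the result."""
    tunnels = parse_tunnel_list(tunnel_text)
    active = active_tunnel(tunnels)
    usable = {n for n, t in tunnels.items() if t.get("accept_traffic") == "1"}
    route_dev = installed_route_device(routes, usable)
    standby_idle = all(t.get("sa") == "0" and t.get("dpd.on") == "0"
                       for n, t in tunnels.items() if n != active)
    return {"active_tunnel": active, "route_device": route_dev,
            "consistent": active == route_dev, "standby_idle": standby_idle}
```

Calling check_failover_state(SAMPLE_TUNNEL_LIST, SAMPLE_ROUTES) reports primary as both the forwarding tunnel and the installed route device, with the secondary idle; the failover sample reports secondary for both. A consistent=False result (for example a tunnel carrying traffic that is not the device of the best route) is the condition worth alerting on, and the ValueError from active_tunnel catches the split state where both or neither tunnel is forwarding.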

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
