VyOS to FortiGate site-to-site HA VPN

Created by Yuriy Andamasov, Modified on Thu, 27 Apr, 2023 at 7:27 AM by Aslan Hajiyev

Preface

There are two sites: site A and site B.
Site A has VyOS deployed with two interfaces: eth0 - uplink, eth1 - lan side interface.
Site B has FortiGate deployed with three interfaces: Port1 - WAN Active uplink, Port2 - WAN Backup uplink, Port10 - LAN interface. FortiGate is configured for WAN high availability.

Problem formulation

Requirement to have connectivity between LAN networks via Internet. VPN channel should have strong encryption and be available in case of WAN failover on Site B.

Task solving

For a VPN solution we will choose IPSec VTI as it supports OSPF over itself. Every site will have two VTI interfaces. OSPF will be run on both VTIs and LAN interfaces.

vti1 network - 192.168.255.0/30
vti2 network - 192.168.255.4/30 

Phase 1:

pfs dh-group2
encryption aes256
hash sha256
lifetime 86400

Phase 2:

pfs dh-group2
encryption 3des
hash sha1
lifetime 3600
mode tunnel

Pre-shared keys:

vti1 pre-shared-secret: ike-pass-$vti1
vti2 pre-shared-secret: ike-pass123-vti2

 

FortiGate configuration

# firewall configuration
# allow traffic to pass from LAN to IPSec 
config firewall policy
edit 100
set name "lan-to-ipsec"
set uuid dc9e5a10-a0ad-51e8-0320-709725b60c8f
set srcintf "port10" # lan ports
set dstintf "VyOS-VTI-1" "VyOS-VTI-2"
set srcaddr "all"
set dstaddr "all"
set action accept
set status enable
set schedule "always"
set service "ALL"
set logtraffic all
next
# allow trafic to pass from IPSec to LAN
edit 101
set name "ipsec-to-lan"
set uuid 22867954-a0ae-51e8-90d3-3939541cc2d1
set srcintf "VyOS-VTI-1" "VyOS-VTI-2"
set dstintf "port10"
set srcaddr "all"
set dstaddr "all"
set action accept
set status enable
set schedule "always"
set service "ALL"
set logtraffic all
next
end

# OSPF configuration
# set router-id and single area 0
config router ospf
set router-id 1.1.1.2
config area
edit 0.0.0.0
next
end
config ospf-interface
edit "VyOS-VTI-1"
set interface "VyOS-VTI-1"
set mtu-ignore enable
set network-type point-to-point
next
edit "VyOS-VTI-2"
set interface "VyOS-VTI-2"
set mtu-ignore enable
set network-type point-to-point
next
end
# Set interfaces for OSPF
config network
edit 2
set prefix 192.168.255.0 255.255.255.0
next
edit 3
set prefix 10.10.16.0 255.255.255.0
next
end
end

# Pre-configured part
# WAN interface
config system interface
edit "port1"
set vdom "root"
set ip 50.236.227.227 255.255.255.0
set allowaccess ping ssh http
set type physical
set alias "WAN1"
set snmp-index 1
next
edit "port2"
set vdom "root"
set ip 96.93.19.105 255.255.255.0
set allowaccess ping ssh
set type physical
set alias "WAN2"
set snmp-index 2
next
# LAN interface
edit "port10"
set vdom "root"
set ip 10.10.16.1 255.255.255.0
set allowaccess ping
set type physical
set description "LAN"
set alias "LAN"
set snmp-index 10
next
# Create VTI interfaces
edit "VyOS-VTI-1"
set vdom "root"
set ip 192.168.255.2 255.255.255.255
set allowaccess ping https ssh http
set type tunnel
set remote-ip 192.168.255.1 255.255.255.252
set snmp-index 12
set interface "port1"
next
edit "VyOS-VTI-2"
set vdom "root"
set ip 192.168.255.6 255.255.255.255
set allowaccess ping ssh http
set type tunnel
set remote-ip 192.168.255.5 255.255.255.252
set snmp-index 13
set interface "port2"
next
end

# Phase 1 part
config vpn ipsec phase1-interface
edit "VyOS-VTI-1"
set interface "port1"
set peertype any
set proposal aes256-sha256
set dhgrp 2
set remote-gw 199.71.186.5
set psksecret ike-pass-$vti1
next
edit "VyOS-VTI-2"
set interface "port2"
set peertype any
set proposal aes256-sha256
set dhgrp 2
set remote-gw 199.71.186.5
set psksecret ike-pass123-vti2
next
end

# Phase 2 part
config vpn ipsec phase2-interface
edit "VyOS-P2-1"
set phase1name "VyOS-VTI-1"
set proposal 3des-sha1
set dhgrp 2
next
edit "VyOS-P2-2"
set phase1name "VyOS-VTI-2"
set proposal 3des-sha1
set dhgrp 2
next
end

VyOS configuration


# Pre-configured part
# Interfaces
set interfaces ethernet eth0 address 199.71.186.5/24
set interfaces ethernet eth1 address 10.10.15.1/24
set protocols static route 0.0.0.0/0 next-hop 199.71.186.1

# VTI interfaces creating
set interfaces vti vti1 address '192.168.255.1/30'
set interfaces vti vti1 description 'to-fg-isp1'
set interfaces vti vti1 ip ospf 'mtu-ignore'
set interfaces vti vti1 ip ospf network 'point-to-point'
set interfaces vti vti2 address '192.168.255.5/30'
set interfaces vti vti2 description 'to-fg-isp2'
set interfaces vti vti2 ip ospf 'mtu-ignore'

# Adding VTI and LAN interfaces to OSPF
set protocols ospf area 0 network '192.168.255.0/30'
set protocols ospf area 0 network '10.10.15.0/24'
set protocols ospf area 0 network '192.168.255.4/30'

# Phase 2
set vpn ipsec esp-group ESP-FortiGate compression 'disable'
set vpn ipsec esp-group ESP-FortiGate lifetime '3600'
set vpn ipsec esp-group ESP-FortiGate mode 'tunnel'
set vpn ipsec esp-group ESP-FortiGate pfs 'dh-group2'
set vpn ipsec esp-group ESP-FortiGate proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-FortiGate proposal 1 hash 'sha1'

# Phase 1
# dead pear detection
set vpn ipsec ike-group IKE-FortiGate dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-FortiGate dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-FortiGate dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-FortiGate ikev2-reauth 'no'
set vpn ipsec ike-group IKE-FortiGate key-exchange 'ikev1'
set vpn ipsec ike-group IKE-FortiGate lifetime '86400'
set vpn ipsec ike-group IKE-FortiGate proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-FortiGate proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-FortiGate proposal 1 hash 'sha256'
# Select IPSec-interface 
set vpn ipsec ipsec-interfaces interface 'eth0'

# Set peering with FortiGate WAN1
set vpn ipsec site-to-site peer 50.236.227.227 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 50.236.227.227 authentication pre-shared-secret 'ike-pass-$vti1'
set vpn ipsec site-to-site peer 50.236.227.227 connection-type 'initiate'
set vpn ipsec site-to-site peer 50.236.227.227 default-esp-group 'ESP-FortiGate'
set vpn ipsec site-to-site peer 50.236.227.227 ike-group 'IKE-FortiGate'
set vpn ipsec site-to-site peer 50.236.227.227 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 50.236.227.227 local-address '199.71.186.5'
set vpn ipsec site-to-site peer 50.236.227.227 vti bind 'vti1'
set vpn ipsec site-to-site peer 50.236.227.227 vti esp-group 'ESP-FortiGate'

# Set peering with FortiGate WAN2
set vpn ipsec site-to-site peer 96.93.19.105 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 96.93.19.105 authentication pre-shared-secret 'ike-pass123-vti2'
set vpn ipsec site-to-site peer 96.93.19.105 connection-type 'initiate'
set vpn ipsec site-to-site peer 96.93.19.105 default-esp-group 'ESP-FortiGate'
set vpn ipsec site-to-site peer 96.93.19.105 ike-group 'IKE-FortiGate'
set vpn ipsec site-to-site peer 96.93.19.105 local-address '199.71.186.5'
set vpn ipsec site-to-site peer 96.93.19.105 vti bind 'vti2'
set vpn ipsec site-to-site peer 96.93.19.105 vti esp-group 'ESP-FortiGate'

Verify connectivity

# Verify VTI interfaces status
# vti1 is up
vyos@vyos-fortigate-vti:~$ sh int vti
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
vti1             192.168.255.1/30                  u/u  to-fg-isp1
vti2             192.168.255.5/30                  A/D  to-fg-isp2

# From the ipsec sa table we can verify that
# phase 2 SA is up for vti1 and down for vti2
vyos@vyos-fortigate-vti:~$ sh vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
50.236.227.227                          199.71.186.5

Tunnel State Bytes Out/In  Encrypt Hash   NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ----   ----- ------ ------ -----
 vti     up   18.9K/18.9K    3des   sha1   no    3562   3600   all

Peer ID / IP                            Local ID / IP
------------                            -------------
96.93.19.105                            199.71.186.5

Tunnel State Bytes Out/In  Encrypt Hash   NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ----   ----- ------ ------ -----
vti     down   n/a           n/a    n/a    no     0     3600    all

# Check ospf neighborship
# neighbor is up on vti1

vyos@vyos-fortigate-vti:~$ sh ip ospf neighbor

Neighbor Pri State     Dead Time   Address      Interface   
1.1.1.2  1 Full/DROther  39.052s 192.168.255.2 vti1:192.168.255.1

# Verify VyOS has routing entry for remote network
# 10.10.16.0/24 is LAN network on Site B
vyos@vyos-fortigate-vti:~$ sh ip route ospf
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

O   10.10.15.0/24 [110/10] is directly connected, eth1, 02w1d15h
O>* 10.10.16.0/24 [110/11] via 192.168.255.2, vti1, 02w1d14h
O   192.168.255.0/30 [110/10] is directly connected, vti1, 02w1d14h

# Check ip reachability
vyos@vyos-fortigate-vti:~$ ping 10.10.16.1
PING 10.10.16.1 (10.10.16.1) 56(84) bytes of data.
64 bytes from 10.10.16.1: icmp_req=1 ttl=255 time=0.537 ms
64 bytes from 10.10.16.1: icmp_req=2 ttl=255 time=0.494 ms

Verify connectivity after WAN failover on site B

# Check ospf neoghborship
# Site B neighbor is UP on vti2 interface now
vyos@vyos-fortigate-vti:~$ sh ip ospf neighbor

Neighbor Pri  State       Dead Time  Address       Interface     
1.1.1.2   1  Full/DROther  37.405s  192.168.255.6  vti2:192.168.255.5    

# Routing table is updated
# 10.10.16.0/24 prefix now is reachable via vti2
vyos@vyos-fortigate-vti:~$ sh ip route ospf
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

O   10.10.15.0/24 [110/10] is directly connected, eth1, 02w1d16h
O>* 10.10.16.0/24 [110/11] via 192.168.255.6, vti2, 00:01:15
O   192.168.255.0/30 [110/10] is directly connected, vti1, 02w1d15h
O   192.168.255.4/30 [110/10] is directly connected, vti2, 00:01:38

# Ping is successful
vyos@vyos-fortigate-vti:~$ ping 10.10.16.1
PING 10.10.16.1 (10.10.16.1) 56(84) bytes of data.
64 bytes from 10.10.16.1: icmp_req=1 ttl=255 time=0.729 ms
64 bytes from 10.10.16.1: icmp_req=2 ttl=255 time=0.794 ms
^C
--- 10.10.16.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.729/0.761/0.794/0.042 ms

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article