IPSEC VPN For Active-Active FGT with ELB and ILB #71

Open
HARIS-581 opened this issue Nov 15, 2024 · 2 comments
Comments

@HARIS-581

HARIS-581 commented Nov 15, 2024

We have configured FGT VMs with ELB and ILB. Below are the deployment details:

  1. Only a single public IP attached to the ELB.
  2. Inbound rules on the ELB forwarding UDP 4500 and 500 to the back-end FGT port1 IP address. Floating IP disabled. (screenshot attached)
  3. ILB configured with an HA rule for all ports with floating IP address. (screenshot attached)
  4. FGSP and auto scaling are configured and enabled.

IPsec Tunnel Behavior:

  • The IPsec tunnel establishes on FGT-A.
  • Traffic from remote sites arrives over the IPsec tunnel to FGT-A and is routed to an internal virtual machine (VM).
  • When the internal VM responds, the traffic is routed via the ILB to FGT-B.
  • Since the tunnel is active only on FGT-A, this routing causes the traffic to be dropped.

Traffic Initiation from Internal VM:

  • If the internal VM initiates traffic destined for a target VM over the IPsec tunnel and it is routed to FGT-B, the traffic is dropped.

How can this be resolved so that return traffic is not dropped by FGT-B? Disabling the internal port2 interface is one option, but this would be manual, and in the event of a failover it would have to be enabled again.

@jvhoof
Collaborator

jvhoof commented Nov 15, 2024

Hi,

Thank you for opening this issue. If you want to deploy an active/active deployment of FortiGate, it is recommended to create 2 VPN tunnels, one tunnel to each FortiGate. There is no way to send traffic from one unit to another for this type of traffic.

If you disable the probe on port 2, all your traffic, including your VPN traffic, will be sent to the primary FortiGate and you have created an Active/Passive setup.

For VPN tunnel termination most customers select an Active/Passive with ELB/ILB setup. This allows for an easy setup from diverse sources where you don't control the VPN concentrator on the remote site. Traffic will always pass the active firewall, and on failover your VPN tunnel will pass to the passive unit, which will become active.

A setup with Active/Active is also possible by adding 1 public IP to each FortiGate on a secondary private IP. These will be used to set up your VPN tunnels. We have this type of setup for the FortiGate integrated in Azure Virtual WAN.

Another option, if your traffic is primarily from your branches / remote sites to your Azure environment, is that you can always SNAT your packets behind the FortiGate handling that session.

What is the reason to deploy with A/A?

Joeri

@HARIS-581
Author

But even if we have two IPSEC tunnels, asymmetric routing will still exist; that is, traffic can enter via one tunnel and leave via the other.

Traffic initiation in our environment is two-way, so SNAT will not solve the issue if traffic is initiated from the Azure environment.

Can you provide more details or reference documents for configuration with two IPSEC tunnels?
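As an added illustration (not part of this thread, and not code from the FortiGate Azure project), the following Python model walks through the three paths argued about above: a single tunnel on FGT-A with the VM replying through the ILB, the same setup with branch traffic SNATed behind the owning FortiGate's port2 IP, and a tunnel on each FortiGate. The load-balancer hash is a deterministic stand-in (same 5-tuple, same backend), not Azure's actual algorithm, and every address is assumed.

```python
"""
Model of the forwarding paths in this issue: two FortiGates (FGT-A, FGT-B)
behind an external load balancer (ELB) and an internal load balancer (ILB)
whose frontend is the default gateway of the workload VMs.

Constructed illustration: the hash below is a stand-in for the load
balancer's distribution (same 5-tuple -> same backend), not Azure's real
algorithm, and all IP addresses are assumed.
"""
import hashlib
from dataclasses import dataclass

FGTS = ("FGT-A", "FGT-B")
PORT2 = {"FGT-A": "10.0.2.5", "FGT-B": "10.0.2.6"}   # assumed port2 addresses
BRANCH_HOST = "192.168.50.10"                         # assumed host behind the remote site
VM_IP = "10.0.3.10"                                   # assumed workload VM


def lb_pick(flow: tuple, backends=FGTS) -> str:
    """Stand-in for a load balancer hash: deterministic per flow tuple."""
    digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
    return backends[digest[0] % len(backends)]


@dataclass
class Fabric:
    # FortiGates that terminate a tunnel to the branch: FGT-A only, or both
    tunnel_on: tuple = ("FGT-A",)
    # SNAT branch traffic behind the owning FortiGate's port2 IP (jvhoof's option)
    snat: bool = False

    def branch_to_vm(self) -> tuple:
        """Branch host -> VM over the tunnel: (owning FGT, source IP the VM sees)."""
        # The ELB forwards the single IKE/ESP flow (UDP 500/4500) to one backend;
        # the tunnel is built there and stays there for every inner flow.
        owner = lb_pick((BRANCH_HOST, "elb-public-ip", 500, 500, "udp"), self.tunnel_on)
        src = PORT2[owner] if self.snat else BRANCH_HOST
        return owner, src

    def vm_reply_lands_on(self, dst: str, sport: int, dport: int) -> str:
        """FortiGate that receives the VM's reply packet."""
        for fgt, ip in PORT2.items():
            if dst == ip:
                return fgt   # addressed to a FortiGate directly: no ILB hash involved
        # Otherwise the VM's default route points at the ILB frontend, and the
        # ILB hashes the reply's own 5-tuple, independent of the tunnel owner.
        return lb_pick((VM_IP, dst, sport, dport, "tcp"))

    def reply_outcome(self, sport: int, dport: int) -> str:
        """Classify one branch-initiated TCP flow by where the VM's reply lands."""
        owner, src = self.branch_to_vm()
        lands = self.vm_reply_lands_on(src, dport, sport)   # reply swaps the ports
        if lands == owner:
            return "forwarded"
        if lands in self.tunnel_on:
            # The peer has its own tunnel to the branch, so it can send the reply,
            # but the path is asymmetric (the point raised in the last comment).
            # Whether the peer accepts the flow depends on session sync, which
            # this model does not judge.
            return "asymmetric"
        return "dropped"   # no tunnel to the branch on the receiving unit


def summarize(fabric: Fabric, flows: int = 200) -> dict:
    """Count reply outcomes over `flows` constructed TCP/443 flows from the branch."""
    counts = {"forwarded": 0, "asymmetric": 0, "dropped": 0}
    for i in range(flows):
        counts[fabric.reply_outcome(sport=40000 + i, dport=443)] += 1
    return counts


if __name__ == "__main__":
    print("single tunnel, reply via ILB :", summarize(Fabric()))
    print("single tunnel, SNAT on owner :", summarize(Fabric(snat=True)))
    print("tunnel on each FGT, via ILB  :", summarize(Fabric(tunnel_on=FGTS)))
```

Running it shows the three behaviours described in the thread: with one tunnel and replies routed through the ILB, a share of flows is hashed to FGT-B and dropped; with SNAT behind the owning FortiGate, every reply is addressed to that unit and nothing crosses the ILB; with a tunnel on each FortiGate, nothing is dropped for lack of a tunnel, but the replies still split across the two units.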
