SD-WAN Dual Hub (Policy routing with ADVPN over BGP)
- Iñaki Urrutxi

- 19 Dec 2021
- 21 min read

Today we look at SD-WAN. We have been living with the term for a while now: SD-WAN stands for Software-Defined Wide Area Network, that is, software-driven management and monitoring of WAN links in a simple and agile way, without the carrier's involvement. Several vendors are implementing the technology; some offer a very simple deployment on dedicated appliances but provide no security services. Here we cover Fortinet's SD-WAN. Its advantages are that every FortiGate supports it out of the box and, being an NGFW in the same box, it already provides the security inspection for the traffic that passes through it; Fortinet is also one of the few vendors that has developed a dedicated SD-WAN ASIC for some of its models. All kinds of interfaces can be placed in the SD-WAN (FTTH, MPLS, 5G, satellite, etc.) and, although it is not mandatory, it is advisable to put more than one link into the SD-WAN, from different providers or at least over different technologies.
As mentioned above, MPLS circuits can be included in the SD-WAN. Cost reduction is often cited as one of the main advantages of SD-WAN, but domestic/local MPLS circuits are not expensive and offer a number of advantages over ordinary Internet lines: simplicity, isolation, QoS, and so on. The same is not true of international MPLS circuits, which are expensive; there it makes more sense to replace them with cheaper Internet connections from local carriers and run SD-WAN on top of them.
FortiGate supports spokes behind NAT by means of UDP hole punching. If the hub itself is behind NAT, the NAT device must forward (DNAT) the ports needed to establish the VPN to the hub: UDP 500 for IKE and UDP 4500 for NAT-T.
With SD-WAN we can steer WAN and VPN traffic over different links not only with rules on source IP, destination IP and port, but also by user group, application or Internet service. We can also define health checks to detect when an interface stops passing traffic and move the traffic to another interface, and even apply SLAs to the traffic so that, when a link no longer meets them, traffic is no longer sent over it and is automatically switched to another link that does.
Several algorithms are available to decide which interface the traffic leaves through: manual selection, lowest interface cost, best interface quality, or compliance with the interfaces' SLAs.
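As an added example (not code from the original post or from Fortinet), the following Python model shows the decision the paragraphs above describe: SD-WAN rules are evaluated top-down, the first enabled rule whose destination matches wins, and the egress member is chosen from that rule's priority-members according to the mode, skipping members whose health check is dead and, in SLA mode, members outside the thresholds. The member ids follow HUB1's SD-WAN config (1=wan1, 2=wan2, 3=OL_INET1, 4=OL_INET2); the probe figures, the SLA thresholds, the 192.168.0.0/16 stand-in for the "Red Spoke" address object, and the use of measured latency as the quality metric in priority mode are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Probe:
    """One health-check measurement for a member (figures are constructed)."""
    latency_ms: float
    jitter_ms: float
    loss_pct: float

    @property
    def alive(self) -> bool:
        # a member counts as dead when every probe to the health-check server is lost
        return self.loss_pct < 100.0


@dataclass
class Sla:
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass
class Rule:
    name: str
    dst: List[str]                 # destination prefixes; empty means "all"
    priority_members: List[int]    # member ids in order of preference
    mode: str = "manual"           # manual | priority | sla
    sla: Optional[Sla] = None
    status: str = "enable"


def meets_sla(p: Probe, sla: Sla) -> bool:
    return (p.alive and p.latency_ms <= sla.latency_ms
            and p.jitter_ms <= sla.jitter_ms and p.loss_pct <= sla.loss_pct)


def matches(rule: Rule, dst_ip: str) -> bool:
    return not rule.dst or any(ip_address(dst_ip) in ip_network(n) for n in rule.dst)


def select_member(rule: Rule, probes: Dict[int, Probe]) -> Optional[int]:
    """Member the rule would use right now, or None if every candidate is dead."""
    alive = [m for m in rule.priority_members if probes[m].alive]
    if not alive:
        return None
    if rule.mode == "manual":
        return alive[0]                       # first listed member that is alive
    if rule.mode == "sla":
        in_sla = [m for m in alive if meets_sla(probes[m], rule.sla)]
        if in_sla:
            return in_sla[0]                  # first listed member inside its SLA
    # priority mode, or sla mode with nobody inside the SLA: best measured latency
    return min(alive, key=lambda m: probes[m].latency_ms)


def route(dst_ip: str, rules: List[Rule], probes: Dict[int, Probe]) -> Tuple[str, Optional[int]]:
    """Rules are evaluated in configured order; the first enabled match decides.
    With no match the packet falls through to the ordinary routing table."""
    for r in rules:
        if r.status == "enable" and matches(r, dst_ip):
            return r.name, select_member(r, probes)
    return "routing-table", None


# Constructed scenario following the HUB1 member ids: 1=wan1, 2=wan2 (Underline),
# 3=OL_INET1, 4=OL_INET2 (Overline). 192.168.0.0/16 stands in for "Red Spoke".
HUB1_RULES = [
    Rule("VPN", ["192.168.0.0/16"], [4, 3]),
    Rule("App", [], [2, 1], mode="priority", status="disable"),   # disabled on the page too
    Rule("Default", [], [1, 2]),
]
# Hypothetical SLA variant of the VPN rule: 50 ms latency, 10 ms jitter, 1% loss
VPN_SLA_RULE = Rule("VPN-sla", ["192.168.0.0/16"], [4, 3], mode="sla", sla=Sla(50, 10, 1))


def probes_all_up() -> Dict[int, Probe]:
    return {1: Probe(12, 2, 0), 2: Probe(15, 3, 0), 3: Probe(30, 5, 0), 4: Probe(25, 4, 0)}


if __name__ == "__main__":
    up = probes_all_up()
    print(route("192.168.11.5", HUB1_RULES, up))     # VPN rule -> OL_INET2 (member 4)
    up[4] = Probe(0, 0, 100)                           # OL_INET2 health check dead
    print(route("192.168.11.5", HUB1_RULES, up))     # VPN rule -> OL_INET1 (member 3)
    up[4] = Probe(120, 4, 0)                           # alive again but over the 50 ms SLA
    print(select_member(VPN_SLA_RULE, up))           # OL_INET1 (member 3)
```

The point to keep in mind when reading the real config is the order of evaluation: a disabled rule like "App" is skipped entirely, and a rule with a dead first member silently moves to the next one, so a link that flaps between alive and dead will move traffic back and forth unless the health check's failure and recovery counters are tuned.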
The SD-WAN deployment on FortiGate rests on three features:
- SD-WAN (Policy Routing)
- ADVPN
- BGP
There are several ways to build this design:
- Single HUB
- Dual HUB
- Dual Region
A variant of each of these designs is the case where the hub itself also runs SD-WAN.
In this post we cover the Dual HUB design, since it is the one that offers the most redundancy. A later post will cover Dual Region, where two independent regions are joined so that spokes in either region can reach the other.

We will not go through the whole configuration, only the parts that involve SD-WAN, ADVPN and BGP.
- HUB1 with SD-WAN
HUB1 is a hub with two links that uses SD-WAN. Instead of a data centre it could be the head office, which besides hosting the servers also provides the site's Internet breakout. Note that in this lab the WAN interfaces allow ping, https and ssh (`set allowaccess`); in production remove https/ssh from the WAN side or at least restrict the admin accounts with trusted hosts.
- INTERFACES
config system interface
edit "wan1"
set vdom "root"
set ip 12.81.206.194 255.255.255.252
set allowaccess ping https ssh
set alias "wan1"
set type physical
set role wan
next
edit "wan2"
set vdom "root"
set ip 12.81.182.98 255.255.255.252
set allowaccess ping https ssh
set type physical
set alias "wan2"
set role wan
next
edit "port5"
set vdom "root"
set ip 10.254.254.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set role lan
next
edit "Gestion"
set vdom "root"
set ip 172.17.1.1 255.255.255.255
set allowaccess ping
set type loopback
set role lan
next
edit "OL_INET2"
set vdom "root"
set ip 10.200.21.10 255.255.255.255
set allowaccess ping
set bfd enable
set type tunnel
set remote-ip 10.200.21.253 255.255.255.0
set interface "wan2"
next
edit "OL_INET1"
set vdom "root"
set ip 10.200.11.10 255.255.255.255
set allowaccess ping
set bfd enable
set type tunnel
set remote-ip 10.200.11.253 255.255.255.0
set interface "wan1"
next
edit "port1"
set vdom "root"
set ip 10.250.250.2 255.255.255.0
set allowaccess ping https ssh
set type physical
set vrrp-virtual-mac enable
config vrrp
edit 1
set vrip 10.250.250.1
set priority 200
set vrdst 8.8.8.8
set vrdst-priority 50
next
end
next
end
- ROUTES
We could create a single static route through the SD-WAN interface, but in our case we do not use the VPN interfaces to send traffic to the Internet, so to keep routing simple we create two default routes with the same weight, one per WAN link. The blackhole routes with distance 255 for the spoke LANs (192.168.0.0/16) and the management loopbacks (172.17.1.0/24) make sure that, if BGP withdraws a more specific prefix, that traffic is dropped instead of leaking out through the default route to the Internet.
config router static
edit 1
set gateway 12.81.206.193
set device "wan1"
next
edit 2
set gateway 12.81.182.97
set device "wan2"
next
edit 3
set dst 192.168.0.0 255.255.0.0
set distance 255
set blackhole enable
next
edit 5
set dst 172.17.1.0 255.255.255.0
set distance 255
set blackhole enable
next
end
- POLICY ROUTING
Policy routes 1 and 2 keep traffic that arrives through one overlay leaving through the same overlay (spoke-to-spoke traffic that the hub relays until the shortcut comes up), while route 4 with action deny takes the management network 172.17.1.0/24 out of policy routing so that traffic to the loopbacks follows the regular routing table.
config router policy
edit 4
set dst "172.17.1.0/255.255.255.0"
set action deny
set status enable
next
edit 1
set input-device "OL_INET1"
set output-device "OL_INET1"
next
edit 2
set input-device "OL_INET2"
set output-device "OL_INET2"
next
end
- SD-WAN
We have created two zones in the SD-WAN: the Underline zone is used for the links with Internet breakout, while the Overline zone is used for the VPN links, both to reach the other hub and to reach the spokes.
config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
edit "Overline"
next
edit "Underline"
next
end
config members
edit 2
set interface "wan2"
set zone "Underline"
set gateway 12.81.182.97
next
edit 1
set interface "wan1"
set zone "Underline"
set gateway 12.81.206.193
next
edit 3
set interface "OL_INET1"
set zone "Overline"
next
edit 4
set interface "OL_INET2"
set zone "Overline"
next
end
config health-check
edit "HealthCheckWAN"
set server "8.8.8.8"
set members 1 2
next
edit "HealthCheckSpoke1"
set server "172.17.1.2"
set members 3 4
next
edit "HealthCheckSpoke2"
set server "172.17.1.3"
set members 3 4
next
end
config service
edit 3
set name "VPN"
set dst "Red Spoke"
set src "all"
set priority-members 4 3
next
edit 2
set name "App"
set mode priority
set src "all"
set internet-service enable
set internet-service-app-ctrl 15832 34527 28057
set health-check "HealthCheckWAN"
set priority-members 2 1
set status disable
next
edit 4
set name "clone_App"
set mode priority
set src "all"
set internet-service enable
set internet-service-app-ctrl 16554 17534 15817 16170 38726 41703 41694
set health-check "HealthCheckWAN"
set priority-members 2 1
set status disable
next
edit 1
set name "Default"
set dst "all"
set src "all"
set priority-members 1 2
next
end
end
- ADVPN
As shown in the diagram, two dynamic (dial-up) IKEv2 VPNs are created, one per WAN link on the hub. Spokes with two WAN interfaces bring up one VPN against each of the hub's two WAN links. The `network-id` distinguishes the two overlays on the same hub, `add-route disable` leaves routing to BGP, and `auto-discovery-sender enable` is what lets the hub offer shortcuts between spokes. Note that both phase1s use `peertype any` with a shared PSK (CLAVE is a placeholder), so any peer that knows the PSK can join the overlay and the network-id is not an authentication check; outside a lab use a strong, unique PSK per overlay or, better, certificate authentication (`set authmethod signature`).
config vpn ipsec phase1-interface
edit "OL_INET2"
set type dynamic
set interface "wan2"
set ike-version 2
set keylife 28800
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256 aes256gcm-prfsha384
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set network-overlay enable
set network-id 21
set tunnel-search nexthop
set ipv4-start-ip 10.200.21.1
set ipv4-end-ip 10.200.21.253
set ipv4-netmask 255.255.255.0
set psksecret CLAVE
set dpd-retrycount 2
set dpd-retryinterval 10
next
edit "OL_INET1"
set type dynamic
set interface "wan1"
set ike-version 2
set keylife 28800
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256 aes256gcm-prfsha384
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set network-overlay enable
set network-id 11
set tunnel-search nexthop
set ipv4-start-ip 10.200.11.1
set ipv4-end-ip 10.200.11.253
set ipv4-netmask 255.255.255.0
set psksecret CLAVE
set dpd-retrycount 2
set dpd-retryinterval 10
next
end
config vpn ipsec phase2-interface
edit "OL_INET1"
set phase1name "OL_INET1"
set proposal aes256-sha256 aes256gcm
set keepalive enable
set keylifeseconds 1800
next
edit "OL_INET2"
set phase1name "OL_INET2"
set proposal aes256-sha256 aes256gcm
set keepalive enable
set keylifeseconds 1800
next
end
- BGP
We use BGP to exchange prefixes between the hubs and the spokes; the hubs act as route reflectors for the spokes. We create route-maps so that the VPN traffic of each OL_INET stays on its own overlay, i.e. routes learned over OL_INET1 are only advertised to OL_INET1 peers and routes learned over OL_INET2 only to OL_INET2 peers, which avoids asymmetric traffic. The prefix-lists match on the BGP next hop: NH_INET1 and NH_INET2 match next hops inside each overlay's tunnel subnet, and NH_LOCAL (0.0.0.0) matches the hub's locally originated networks, which are allowed out on every overlay.
- PREFIX
config router prefix-list
edit "NH_INET1"
config rule
edit 1
set prefix 10.200.11.0 255.255.255.0
unset ge
set le 32
next
end
next
edit "NH_LOCAL"
config rule
edit 1
set prefix 0.0.0.0 255.255.255.255
unset ge
unset le
next
end
next
edit "NH_INET2"
config rule
edit 1
set prefix 10.200.21.0 255.255.255.0
unset ge
set le 32
next
end
next
end
- ROUTE-MAP
config router route-map
edit "INET1_OUT"
config rule
edit 1
set match-ip-nexthop "NH_INET1"
next
edit 2
set match-ip-nexthop "NH_LOCAL"
next
edit 100
set action deny
next
end
next
edit "INET2_OUT"
config rule
edit 1
set match-ip-nexthop "NH_INET2"
next
edit 2
set match-ip-nexthop "NH_LOCAL"
next
edit 100
set action deny
next
end
next
end
- BGP PEERs
config router bgp
set as 65000
set router-id 10.254.254.1
set keepalive-timer 5
set holdtime-timer 15
set ibgp-multipath enable
set additional-path enable
set scan-time 20
config neighbor-group
edit "OL_INET1"
set advertisement-interval 1
set bfd enable
set soft-reconfiguration enable
set interface "OL_INET1"
set remote-as 65000
set route-map-out "INET1_OUT"
set additional-path send
set route-reflector-client enable
next
edit "OL_INET2"
set advertisement-interval 1
set bfd enable
set soft-reconfiguration enable
set interface "OL_INET2"
set remote-as 65000
set route-map-out "INET2_OUT"
set additional-path send
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 10.200.11.0 255.255.255.0
set neighbor-group "OL_INET1"
next
edit 2
set prefix 10.200.21.0 255.255.255.0
set neighbor-group "OL_INET2"
next
end
config network
edit 1
set prefix 10.254.254.0 255.255.255.0
next
edit 2
set prefix 10.250.250.0 255.255.255.0
next
edit 3
set prefix 172.17.1.1 255.255.255.255
next
end
end
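To make the next-hop filtering concrete, here is an added Python simulation (not the post's or FortiOS's code) of HUB1's outbound BGP policy: the three prefix-lists with their ge/le semantics, the two route-maps with their final deny, the neighbor-group to route-map binding, and a constructed BGP table with a spoke seen over both overlays and one seen over OL_INET2 only. The prefix-list, route-map and group names are taken from the config above; the routes and next hops in HUB1_TABLE are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PrefixRule:
    prefix: str                   # e.g. "10.200.11.0/24"
    ge: Optional[int] = None
    le: Optional[int] = None
    action: str = "permit"

    def matches(self, net) -> bool:
        base = ip_network(self.prefix)
        if not net.subnet_of(base):
            return False
        plen = net.prefixlen
        if self.ge is None and self.le is None:
            return plen == base.prefixlen        # exact match, as for NH_LOCAL
        lo = self.ge if self.ge is not None else base.prefixlen
        hi = self.le if self.le is not None else 32
        return lo <= plen <= hi


def prefix_list_permits(rules: List[PrefixRule], address: str) -> bool:
    """First matching rule decides; an unmatched address is implicitly denied.
    A next hop is a host address, so it is evaluated as a /32."""
    net = ip_network(address if "/" in address else address + "/32")
    for r in rules:
        if r.matches(net):
            return r.action == "permit"
    return False


@dataclass
class MapRule:
    action: str = "permit"
    match_nexthop: Optional[str] = None   # prefix-list name; None matches every route


@dataclass
class Route:
    prefix: str
    nexthop: str         # "0.0.0.0" for the hub's own `config network` prefixes
    learned_on: str      # neighbor-group the route came from, "local" for own


def route_map_permits(rules: List[MapRule], plists: Dict[str, List[PrefixRule]], rt: Route) -> bool:
    for r in rules:
        if r.match_nexthop is None or prefix_list_permits(plists[r.match_nexthop], rt.nexthop):
            return r.action == "permit"
    return False                         # no rule matched: route-map implicit deny


# HUB1 policy, transcribed from the config above.
PREFIX_LISTS = {
    "NH_INET1": [PrefixRule("10.200.11.0/24", le=32)],
    "NH_INET2": [PrefixRule("10.200.21.0/24", le=32)],
    "NH_LOCAL": [PrefixRule("0.0.0.0/32")],
}
ROUTE_MAPS = {
    "INET1_OUT": [MapRule(match_nexthop="NH_INET1"), MapRule(match_nexthop="NH_LOCAL"), MapRule(action="deny")],
    "INET2_OUT": [MapRule(match_nexthop="NH_INET2"), MapRule(match_nexthop="NH_LOCAL"), MapRule(action="deny")],
}
NEIGHBOR_GROUPS = {"OL_INET1": "INET1_OUT", "OL_INET2": "INET2_OUT"}   # route-map-out per group

# Constructed BGP table on HUB1: a spoke LAN learned over both overlays (additional
# paths), a spoke LAN learned over OL_INET2 only, and the hub's own networks.
HUB1_TABLE = [
    Route("192.168.11.0/24", "10.200.11.1", "OL_INET1"),
    Route("192.168.11.0/24", "10.200.21.1", "OL_INET2"),
    Route("192.168.12.0/24", "10.200.21.2", "OL_INET2"),
    Route("10.254.254.0/24", "0.0.0.0", "local"),
    Route("172.17.1.1/32", "0.0.0.0", "local"),
]


def advertised(group: str, table=HUB1_TABLE, bindings=NEIGHBOR_GROUPS) -> Set[Tuple[str, str]]:
    """(prefix, next hop) pairs the hub announces to the peers of a neighbor-group."""
    rules = ROUTE_MAPS[bindings[group]]
    return {(rt.prefix, rt.nexthop) for rt in table if route_map_permits(rules, PREFIX_LISTS, rt)}


if __name__ == "__main__":
    for g in NEIGHBOR_GROUPS:
        print(g, sorted(advertised(g)))
```

Because the hubs are iBGP route reflectors the next hop of a reflected route is left unchanged, so a spoke learns the other spoke's LAN with a next hop inside the shared tunnel subnet of the same overlay; `set tunnel-search nexthop` on the phase1 is what lets the spoke resolve that next hop to the right dial-up instance and, with ADVPN, to the shortcut. The effect of binding both groups to the same route-map can be checked with `advertised("OL_INET2", bindings={"OL_INET1": "INET1_OUT", "OL_INET2": "INET1_OUT"})`: prefixes learned over OL_INET2 are never announced to OL_INET2 peers, and the INET1 next hops that are announced instead would be resolved through the other overlay, which is exactly the asymmetry the policy exists to prevent.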
- POLICIES
We need firewall policies to allow traffic between the zones: from the Overline (spokes) to the hub's LAN, and to the management IP that we use as health-check target. We also add a policy that lets the spokes reach each other; this kind of access uses shortcuts, VPNs built on the fly: when traffic flows between two spokes, a direct VPN is negotiated between them and the traffic no longer passes through the hub. The hub must permit the spoke-to-spoke traffic (Overline to Overline) for the shortcut to be offered at all. The policies here are all/all/ALL for lab simplicity; in production narrow them to the spoke and hub subnets and the services actually required.
config firewall policy
edit 5
set srcintf "Overline"
set dstintf "Overline"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 6
set srcintf "Overline"
set dstintf "Gestion"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 7
set srcintf "Gestion"
set dstintf "Overline"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 1
set srcintf "port5"
set dstintf "Overline"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 3
set name "Internet"
set srcintf "port5"
set dstintf "Underline"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 4
set srcintf "Overline"
set dstintf "port5"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 8
set srcintf "Overline"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
- HUB2 without SD-WAN
- INTERFACES
config system interface
edit "wan1"
set vdom "root"
set ip 12.81.221.166 255.255.255.252
set allowaccess ping https ssh
set type physical
next
edit "port5"
set vdom "root"
set ip 10.254.253.1 255.255.255.0
set allowaccess ping https ssh
set type switch
set role lan
next
edit "OL_INET1"
set vdom "root"
set ip 10.200.12.10 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.200.12.253 255.255.255.0
set interface "wan1"
next
edit "Gestion-Hub2"
set vdom "root"
set ip 172.17.1.100 255.255.255.255
set allowaccess ping
set type loopback
set role lan
next
edit "OL_INET2"
set vdom "root"
set ip 10.200.22.10 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.200.22.253 255.255.255.0
set interface "wan1"
next
edit "port1"
set vdom "root"
set ip 10.250.250.3 255.255.255.0
set allowaccess ping https ssh
set type physical
set vrrp-virtual-mac enable
config vrrp
edit 1
set vrip 10.250.250.1
set vrdst 8.8.8.8
set vrdst-priority 30
next
end
next
end
- ROUTE
config router static
edit 1
set gateway 12.81.221.165
set device "wan1"
next
edit 2
set dst 192.168.0.0 255.255.0.0
set distance 255
set blackhole enable
next
edit 3
set dst 172.17.0.0 255.255.0.0
set distance 255
set blackhole enable
next
end
- ZONE
config system zone
edit "Spokes"
set interface "OL_INET2" "OL_INET1"
next
end
- ADVPN
config vpn ipsec phase1-interface
edit "OL_INET1"
set type dynamic
set interface "wan1"
set ike-version 2
set keylife 28800
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256 aes256gcm-prfsha384
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set network-overlay enable
set network-id 12
set tunnel-search nexthop
set ipv4-start-ip 10.200.12.1
set ipv4-end-ip 10.200.12.253
set ipv4-netmask 255.255.255.0
set psksecret CLAVE
set dpd-retrycount 2
set dpd-retryinterval 10
next
edit "OL_INET2"
set type dynamic
set interface "wan1"
set ike-version 2
set keylife 28800
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256 aes256gcm-prfsha384
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set network-overlay enable
set network-id 22
set tunnel-search nexthop
set ipv4-start-ip 10.200.22.1
set ipv4-end-ip 10.200.22.253
set ipv4-netmask 255.255.255.0
set psksecret CLAVE
set dpd-retrycount 2
set dpd-retryinterval 10
next
end
config vpn ipsec phase2-interface
edit "OL_INET1"
set phase1name "OL_INET1"
set proposal aes256-sha256 aes256gcm
set keepalive enable
set keylifeseconds 1800
next
edit "OL_INET2"
set phase1name "OL_INET2"
set proposal aes256-sha256 aes256gcm
set keepalive enable
set keylifeseconds 1800
next
end
- BGP
- PREFIX
config router prefix-list
edit "NH_INET1"
config rule
edit 1
set prefix 10.200.12.0 255.255.255.0
unset ge
set le 32
next
end
next
edit "NH_LOCAL"
config rule
edit 1
set prefix 0.0.0.0 255.255.255.255
unset ge
unset le
next
end
next
edit "NH_INET2"
config rule
edit 1
set prefix 10.200.22.0 255.255.255.0
unset ge
set le 32
next
end
next
end
- ROUTE-MAP
config router route-map
edit "INET1_OUT"
config rule
edit 1
set match-ip-nexthop "NH_INET1"
next
edit 2
set match-ip-nexthop "NH_LOCAL"
next
edit 100
set action deny
next
end
next
edit "INET2_OUT"
config rule
edit 1
set match-ip-nexthop "NH_INET2"
next
edit 2
set match-ip-nexthop "NH_LOCAL"
next
edit 100
set action deny
next
end
next
end
- PEER
config router bgp
set as 65000
set router-id 10.254.253.1
set keepalive-timer 5
set holdtime-timer 15
set ibgp-multipath enable
set additional-path enable
set scan-time 20
config neighbor-group
edit "OL_INET1"
set advertisement-interval 1
set bfd enable
set soft-reconfiguration enable
set interface "OL_INET1"
set remote-as 65000
set route-map-out "INET1_OUT"
set additional-path send
set route-reflector-client enable
next
edit "OL_INET2"
set advertisement-interval 1
set bfd enable
set soft-reconfiguration enable
set interface "OL_INET2"
set remote-as 65000
set route-map-out "INET2_OUT"
set additional-path send
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 10.200.12.0 255.255.255.0
set neighbor-group "OL_INET1"
next
edit 2
set prefix 10.200.22.0 255.255.255.0
set neighbor-group "OL_INET2"
next
end
config network
edit 1
set prefix 10.254.253.0 255.255.255.0
next
edit 2
set prefix 10.250.250.0 255.255.255.0
next
edit 3
set prefix 172.17.1.100 255.255.255.255
next
end
end
- POLICIES
config firewall policy
edit 1
set name "Internet"
set srcintf "port5"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
edit 2
set srcintf "port5"
set dstintf "Spokes"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 3
set srcintf "Spokes"
set dstintf "port5"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 5
set srcintf "Spokes"
set dstintf "Gestion-Hub2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 6
set srcintf "Spokes"
set dstintf "Spokes"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 7
set srcintf "Spokes"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
- SPOKE2
- INTERFACES
config system interface
edit "wan1"
set vdom "root"
set ip 12.81.177.34 255.255.255.252
set allowaccess ping https ssh
set type physical
set role wan
next
edit "wan2"
set vdom "root"
set ip 12.81.177.38 255.255.255.252
set allowaccess ping https ssh
set type physical
set role wan
next
edit "lan"
set vdom "root"
set ip 192.168.11.99 255.255.255.0
set allowaccess ping https ssh
set type hard-switch
set stp enable
set role lan
next
edit "Gestion"
set vdom "root"
set ip 172.17.1.4 255.255.255.255
set allowaccess ping
set type loopback
next
edit "OL_INET2_1"
set vdom "root"
set allowaccess ping
set bfd enable
set type tunnel
set interface "wan2"
next
edit "OL_INET1_1"
set vdom "root"
set allowaccess ping
set bfd enable
set type tunnel
set interface "wan1"
next
edit "OL_INET1_2"
set vdom "root"
set allowaccess ping
set bfd enable
set type tunnel
set interface "wan1"
next
edit "OL_INET2_2"
set vdom "root"
set allowaccess ping
set bfd enable
set type tunnel
set interface "wan2"
next
end
- ROUTE
config router static
edit 1
set gateway 12.81.177.33
set device "wan1"
next
edit 2
set gateway 12.81.177.37
set device "wan2"
next
edit 3
set dst 172.17.1.0 255.255.255.0
set distance 255
set blackhole enable
next
edit 4
set dst 10.254.254.0 255.255.255.0
set distance 255
set blackhole enable
next
edit 6
set dst 192.168.0.0 255.255.0.0
set distance 255
set blackhole enable
next
edit 7
set dst 10.254.253.0 255.255.255.0
set distance 255
set blackhole enable
next
edit 5
set dst 10.250.250.0 255.255.255.0
set distance 255
set blackhole enable
next
end
- POLICY ROUTING
config router policy
edit 1
set dst "172.17.1.0/255.255.255.0"
set action deny
next
end
- SDWAN
config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
edit "Underline"
next
edit "Overline"
next
end
config members
edit 1
set interface "wan1"
set zone "Underline"
set gateway 12.81.177.33
next
edit 2
set interface "wan2"
set zone "Underline"
set gateway 12.81.177.37
next
edit 3
set interface "OL_INET1_1"
set zone "Overline"
next
edit 4
set interface "OL_INET2_1"
set zone "Overline"
next
edit 5
set interface "OL_INET1_2"
set zone "Overline"
next
edit 6
set interface "OL_INET2_2"
set zone "Overline"
next
end
config health-check
edit "HealtechCheck8.8.8.8"
set server "8.8.8.8"
set members 1 2
next
edit "HealthCheckVPNHub1"
set server "172.17.1.1"
set members 3 4
next
edit "HealthCheckVPNHub2"
set server "172.17.1.100"
set members 5 6
next
end
config service
edit 4
set name "SPOKES"
set dst "SPOKES"
set priority-members 4 3 5 6
next
edit 3
set name "HUBs"
set dst "HUB1" "HUB2" "HUB-port1"
set priority-members 4 3 5 6
next
edit 2
set name "APP"
set mode priority
set src "all"
set internet-service enable
set internet-service-app-ctrl 16001 38131
set health-check "HealtechCheck8.8.8.8"
set priority-members 1 2
set status disable
next
edit 1
set name "Default"
set dst "all"
set src "all"
set priority-members 1 2
next
end
end
- ADVPN
config vpn ipsec phase1-interface
edit "OL_INET2_1"
set interface "wan2"
set ike-version 2
set keylife 28800
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes256-sha256 aes256gcm-prfsha384
set add-route disable
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 5
set auto-discovery-receiver enable
set network-overlay enable
set network-id 21
set remote-gw 12.81.182.98
set psksecret CLAVE
set dpd-retrycount 2
set dpd-retryinterval 10
next
edit "OL_INET1_1"
set interface "wan1"
set ike-version 2
set keylife 28800
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes256-sha256 aes256gcm-prfsha384
set add-route disable
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 5
set auto-discovery-receiver enable
set network-overlay enable
set network-id 11
set remote-gw 12.81.206.194
set psksecret CLAVE
set dpd-retrycount 2
set dpd-retryinterval 10
next
edit "OL_INET1_2"
set interface "wan1"
set ike-version 2
set keylife 28800
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes256-sha256 aes256gcm-prfsha384
set add-route disable
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 5
set auto-discovery-receiver enable
set network-overlay enable
set network-id 12
set remote-gw 12.81.221.166
set psksecret CLAVE
set dpd-retrycount 2
set dpd-retryinterval 10
next
edit "OL_INET2_2"
set interface "wan2"
set ike-version 2
set keylife 28800
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes256-sha256 aes256gcm-prfsha384
set add-route disable
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 5
set auto-discovery-receiver enable
set network-overlay enable
set network-id 22
set remote-gw 12.81.221.166
set psksecret CLAVE
set dpd-retrycount 2
set dpd-retryinterval 10
next
end
config vpn ipsec phase2-interface
edit "OL_INET1_1"
set phase1name "OL_INET1_1"
set proposal aes256-sha256 aes256gcm
set auto-negotiate enable
set keylifeseconds 1800
next
edit "OL_INET1_2"
set phase1name "OL_INET1_2"
set proposal aes256-sha256 aes256gcm
set auto-negotiate enable
set keylifeseconds 1800
next
edit "OL_INET2_1"
set phase1name "OL_INET2_1"
set proposal aes256-sha256 aes256gcm
set auto-negotiate enable
set keylifeseconds 1800
next
edit "OL_INET2_2"
set phase1name "OL_INET2_2"
set proposal aes256-sha256 aes256gcm
set auto-negotiate enable
set keylifeseconds 1800
next
end
- BGP
- BGP PEER
config router bgp
set as 65000
set router-id 192.168.11.99
set keepalive-timer 5
set holdtime-timer 15
set ibgp-multipath enable
set additional-path enable
set scan-time 20
config neighbor
edit "10.200.11.10"
set bfd enable
set soft-reconfiguration enable
set interface "OL_INET1_1"
set remote-as 65000
set connect-timer 1
set additional-path receive
next
edit "10.200.21.10"
set bfd enable
set soft-reconfiguration enable
set interface "OL_INET2_1"
set remote-as 65000
set connect-timer 1
set additional-path receive
next
edit "10.200.12.10"
set bfd enable
set soft-reconfiguration enable
set interface "OL_INET1_2"
set remote-as 65000
set connect-timer 1
set additional-path receive
next
edit "10.200.22.10"
set bfd enable
set soft-reconfiguration enable
set interface "OL_INET2_2"
set remote-as 65000
set connect-timer 1
set additional-path receive
next
end
config network
edit 1
set prefix 192.168.11.0 255.255.255.0
next
edit 2
set prefix 172.17.1.4 255.255.255.255
next
end
end
- POLICIES
config firewall policy
edit 1
set srcintf "lan"
set dstintf "Underline"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 2
set srcintf "lan"
set dstintf "Overline"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 3
set srcintf "Overline"
set dstintf "lan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 4
set srcintf "Gestion"
set dstintf "Overline"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 5
set srcintf "Overline"
set dstintf "Gestion"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
- VRRP
Using VRRP for a network shared by both data centres
As the diagram shows, the two hubs are connected by a layer-2 link with the addressing 10.250.250.0/24. Our SD-WAN prefers HUB1's links over HUB2's to reach that network, so we use VRRP to keep the gateway of that network on HUB1 as long as it is alive; if that data centre goes down, the gateway becomes master on HUB2. HUB1 runs with priority 200 and HUB2 with the default priority, and both monitor 8.8.8.8 through `vrdst`: when a hub loses reachability to it, its priority drops to its `vrdst-priority` (50 on HUB1, 30 on HUB2), so a hub that has lost its Internet breakout also gives up the gateway.
- TROUBLESHOOTING
We will look at the information produced on HUB1 and SPOKE2 in order to troubleshoot the problems that may arise. Keep in mind that `diagnose vpn tunnel list` prints the live ESP keys of every SA (the dec/enc key lines below); treat that output as sensitive and redact it before sharing it outside the team or attaching it to a ticket.
- HUB1
get vpn ipsec tunnel summary
'OL_INET1' 12.81.177.34:0 selectors(total,up): 1/1 rx(pkt,err): 12930/0 tx(pkt,err): 28418/0
'OL_INET1' 12.81.209.10:0 selectors(total,up): 1/1 rx(pkt,err): 8834/0 tx(pkt,err): 21520/0
'OL_INET2' 12.81.206.198:0 selectors(total,up): 1/1 rx(pkt,err): 12930/0 tx(pkt,err): 28514/0
'OL_INET2' 12.81.177.38:0 selectors(total,up): 1/1 rx(pkt,err): 12930/0 tx(pkt,err): 28428/0
diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=OL_INET1_0 ver=2 serial=4 12.81.206.194:0->12.81.177.34:0 dst_mtu=1500
bound_if=6 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/680 options[02a8]=npu search-nexthop rgwy-chg frag-rfc run_state=1 accept_traffic=1 overlay_id=11
parent=OL_INET1 index=0
proxyid_num=1 child_num=0 refcnt=9 ilast=0 olast=0 ad=s/1
stat: rxp=43906 txp=90640 rxb=5816356 txb=4819001
dpd: mode=on-idle on=1 idle=10000ms retry=2 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=OL_INET1_0 proto=0 sa=1 ref=7 serial=1 ads
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=6 options=a27 type=00 soft=0 mtu=1438 expire=171/0B replaywin=1024
seqno=37f2 esn=0 replaywin_lastseq=00003680 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=1791/1800
dec: spi=bc3401a8 esp=aes key=32 4d7ccde0e0e4b67535acc0127947ad7f6ac9bfa3a8b46eb8128a6cec7464c41b
ah=sha256 key=32 ec34b6e12e9e3b553018092701146496ca86a6dae3131e16975e4247a4380f97
enc: spi=0d94f444 esp=aes key=32 ee46601f1a0954f66335fd7b68d6ae0e24f3fbed6e435e58da46b01ddc22775e
ah=sha256 key=32 5e680733fc78099c708cf7dae2530967029ad81a76976ee5701d9235449a8a03
dec:pkts/bytes=13952/1851282, enc:pkts/bytes=27632/2481953
npu_flag=03 npu_rgwy=12.81.177.34 npu_lgwy=12.81.206.194 npu_selid=1 dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=OL_INET1_1 ver=2 serial=7 12.81.206.194:0->12.81.209.10:0 dst_mtu=1500
bound_if=6 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/680 options[02a8]=npu search-nexthop rgwy-chg frag-rfc run_state=1 accept_traffic=1 overlay_id=11
parent=OL_INET1 index=1
proxyid_num=1 child_num=0 refcnt=9 ilast=0 olast=0 ad=s/1
stat: rxp=7810 txp=18158 rxb=1065188 txb=962961
dpd: mode=on-idle on=1 idle=10000ms retry=2 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=OL_INET1_0 proto=0 sa=1 ref=7 serial=1 ads
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=6 options=a27 type=00 soft=0 mtu=1438 expire=769/0B replaywin=1024
seqno=26f0 esn=0 replaywin_lastseq=00001e80 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=1785/1800
dec: spi=bc3401a9 esp=aes key=32 5363b7159bdff81a73122a20d710f625cf53bad11db74ede95ee491d9177c754
ah=sha256 key=32 e56e73ce627f059a45064062b956557beb62830772966b3577c21f8d2392c53b
enc: spi=16a2ff04 esp=aes key=32 3033b93a2a59e674d465893185930b59943d9cb355b64b6439ef3453144e4534
ah=sha256 key=32 fb1b4db4477f9dc76dc14ae6382c22670e89bfb4aeec94f17c470a319da4d558
dec:pkts/bytes=7810/1065052, enc:pkts/bytes=18158/1590312
npu_flag=03 npu_rgwy=12.81.209.10 npu_lgwy=12.81.206.194 npu_selid=4 dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=OL_INET2_0 ver=2 serial=8 12.81.182.98:0->12.81.206.198:0 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/680 options[02a8]=npu search-nexthop rgwy-chg frag-rfc run_state=1 accept_traffic=1 overlay_id=21
parent=OL_INET2 index=0
proxyid_num=1 child_num=0 refcnt=10 ilast=0 olast=0 ad=s/1
stat: rxp=7810 txp=18408 rxb=1196170 txb=1003716
dpd: mode=on-idle on=1 idle=10000ms retry=2 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=OL_INET2_0 proto=0 sa=1 ref=8 serial=1 ads
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=6 options=a27 type=00 soft=0 mtu=1438 expire=774/0B replaywin=1024
seqno=27ea esn=0 replaywin_lastseq=00001e80 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=1790/1800
dec: spi=bc3401aa esp=aes key=32 cbc5ddd8e1979d3ac1a876086b0da99f92d4ee757e68e1c5261f23a3b69d4868
ah=sha256 key=32 c66a0a9c9c4ca69d58642866947e010ee9671e68520d8521b08646fcc217dfaf
enc: spi=16a2ff06 esp=aes key=32 c977fc0a2dc22ccbad3434ad427e7fb45524dc0eff21433f93ed2140933cd881
ah=sha256 key=32 6f37f381be89aa7d3427469ac50225472a64cc3f93875b9ec02c154c8bda7386
dec:pkts/bytes=7810/1196034, enc:pkts/bytes=18408/1649070
npu_flag=03 npu_rgwy=12.81.206.198 npu_lgwy=12.81.182.98 npu_selid=5 dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=OL_INET2_1 ver=2 serial=5 12.81.182.98:0->12.81.177.38:0 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/680 options[02a8]=npu search-nexthop rgwy-chg frag-rfc run_state=1 accept_traffic=1 overlay_id=21
parent=OL_INET2 index=1
proxyid_num=1 child_num=0 refcnt=9 ilast=0 olast=0 ad=s/1
stat: rxp=43906 txp=91670 rxb=5816424 txb=4819412
dpd: mode=on-idle on=1 idle=10000ms retry=2 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=OL_INET2_0 proto=0 sa=1 ref=7 serial=1 ads
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=6 options=a27 type=00 soft=0 mtu=1438 expire=158/0B replaywin=1024
seqno=3837 esn=0 replaywin_lastseq=00003680 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=1785/1800
dec: spi=bc3401a7 esp=aes key=32 6c58131f506cf53babb02e6dd728a506de4cc6fa7e122f9fa3901770f3ff115a
ah=sha256 key=32 211023e2a28b3d703feee0d22355f1c4a2f023275146a6316bc9a2f2820f5084
enc: spi=0d94f443 esp=aes key=32 9649f0dfe4b9041f9bf800469019371035d9da4137b5293a081713d15bfdb61c
ah=sha256 key=32 882e47ebe607acd3995042075850d930bc51ab449b8f1273a1fe463d65c78e52
dec:pkts/bytes=13952/1851382, enc:pkts/bytes=28725/2490056
npu_flag=03 npu_rgwy=12.81.177.38 npu_lgwy=12.81.182.98 npu_selid=2 dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=OL_INET1 ver=2 serial=2 12.81.206.194:0->0.0.0.0:0 dst_mtu=0
bound_if=6 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/552 options[0228]=npu search-nexthop frag-rfc accept_traffic=1 overlay_id=11
proxyid_num=0 child_num=2 refcnt=26 ilast=5223 olast=5223 ad=/0
stat: rxp=67334 txp=143653 rxb=9011558 txb=7555493
dpd: mode=on-idle on=0 idle=10000ms retry=2 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=2
ipv4 route tree:
10.200.11.1 0
10.200.11.2 1
12.81.177.34 0
12.81.209.10 1
------------------------------------------------------
name=OL_INET2 ver=2 serial=1 12.81.182.98:0->0.0.0.0:0 dst_mtu=0
bound_if=7 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/552 options[0228]=npu search-nexthop frag-rfc accept_traffic=1 overlay_id=21
proxyid_num=0 child_num=2 refcnt=27 ilast=5223 olast=5223 ad=/0
stat: rxp=71430 txp=152978 rxb=9666950 txb=8054736
dpd: mode=on-idle on=0 idle=10000ms retry=2 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=2
ipv4 route tree:
10.200.21.1 0
10.200.21.2 1
12.81.177.38 1
12.81.206.198 0
get router info bgp sum
VRF 0 BGP router identifier 10.254.254.1, local AS number 65000
BGP table version is 7
1 BGP AS-PATH entries
0 BGP community entries
Next peer check timer due in 10 seconds
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.200.11.1 4 65000 270 269 6 0 0 00:19:31 2
10.200.11.2 4 65000 173 171 5 0 0 00:12:17 2
10.200.21.1 4 65000 269 271 4 0 0 00:19:40 2
10.200.21.2 4 65000 267 270 6 0 0 00:19:33 2
Total number of neighbors 4
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 12.81.182.97, wan2
[1/0] via 12.81.206.193, wan1
C 10.200.11.0/24 is directly connected, OL_INET1
C 10.200.11.10/32 is directly connected, OL_INET1
C 10.200.21.0/24 is directly connected, OL_INET2
C 10.200.21.10/32 is directly connected, OL_INET2
C 10.250.250.0/24 is directly connected, port1
C 10.250.250.1/32 is directly connected, port1
C 10.254.254.0/24 is directly connected, port5
C 172.17.1.1/32 is directly connected, Gestion
B 172.17.1.2/32 [200/0] via 10.200.11.2, OL_INET1, 00:12:44
[200/0] via 10.200.21.1, OL_INET2, 00:12:44
B 172.17.1.3/32 [200/0] via 10.200.11.1, OL_INET1, 00:19:58
[200/0] via 10.200.21.2, OL_INET2, 00:19:58
B 192.168.1.0/24 [200/0] via 10.200.11.2, OL_INET1, 00:12:44
[200/0] via 10.200.21.1, OL_INET2, 00:12:44
B 192.168.11.0/24 [200/0] via 10.200.11.1, OL_INET1, 00:19:58
[200/0] via 10.200.21.2, OL_INET2, 00:19:58
C 12.81.182.96/30 is directly connected, wan2
C 12.81.206.192/30 is directly connected, wan1
- HUB2
get vpn ipsec tunnel summary
'OL_INET2' 12.81.177.34:0 selectors(total,up): 1/1 rx(pkt,err): 11522/0 tx(pkt,err): 27227/0
'OL_INET2' 12.81.209.10:0 selectors(total,up): 1/1 rx(pkt,err): 7810/0 tx(pkt,err): 17552/0
'OL_INET1' 12.81.206.198:0 selectors(total,up): 1/1 rx(pkt,err): 9858/0 tx(pkt,err): 23610/0
'OL_INET1' 12.81.177.38:0 selectors(total,up): 1/1 rx(pkt,err): 11523/0 tx(pkt,err): 27214/0
get router info bgp sum
VRF 0 BGP router identifier 10.254.253.1, local AS number 65000
BGP table version is 16
1 BGP AS-PATH entries
0 BGP community entries
Next peer check timer due in 7 seconds
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.200.12.1 4 65000 236 240 15 0 0 00:17:07 2
10.200.12.2 4 65000 50 51 14 0 0 00:03:32 2
10.200.22.1 4 65000 150 155 12 0 0 00:10:54 2
10.200.22.2 4 65000 234 245 15 0 0 00:17:07 2
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 12.81.221.165, wan1
C 10.200.12.0/24 is directly connected, OL_INET1
C 10.200.12.10/32 is directly connected, OL_INET1
C 10.200.22.0/24 is directly connected, OL_INET2
C 10.200.22.10/32 is directly connected, OL_INET2
C 10.250.250.0/24 is directly connected, port1
C 10.254.253.0/24 is directly connected, port5
B 172.17.1.2/32 [200/0] via 10.200.12.2, OL_INET1, 00:00:44
[200/0] via 10.200.22.1, OL_INET2, 00:00:44
B 172.17.1.3/32 [200/0] via 10.200.12.1, OL_INET1, 00:14:20
[200/0] via 10.200.22.2, OL_INET2, 00:14:20
C 172.17.1.100/32 is directly connected, Gestion-Hub2
B 192.168.1.0/24 [200/0] via 10.200.12.2, OL_INET1, 00:00:44
[200/0] via 10.200.22.1, OL_INET2, 00:00:44
B 192.168.11.0/24 [200/0] via 10.200.12.1, OL_INET1, 00:14:20
[200/0] via 10.200.22.2, OL_INET2, 00:14:20
C 12.81.221.164/30 is directly connected, wan1
- SPOKE2
diagnose ip address list | grep OL_
IP=10.200.21.2->10.200.21.2/255.255.255.0 index=33 devname=OL_INET1_2
IP=10.200.11.1->10.200.11.1/255.255.255.0 index=34 devname=OL_INET1_1
IP=10.200.12.1->10.200.12.1/255.255.255.0 index=35 devname=OL_INET2_1
IP=10.200.22.2->10.200.22.2/255.255.255.0 index=36 devname=OL_INET2_2
IP=10.200.12.10->10.200.12.253/255.255.255.0 index=37 devname=OL_INET1
IP=10.200.22.10->10.200.22.253/255.255.255.0 index=38 devname=OL_INET2
IP=10.200.21.2->10.200.21.1/255.255.255.255 index=42 devname=OL_INET2_1_0
diagnose ip proute match 192.168.11.99 192.168.1.1 "lan" 1 0-65535
dst=192.168.11.99 src=192.168.1.14 smac=00:00:00:00:00:00 iif=21 protocol=1 dport=0
id=7f000008 type=SDWAN
seq-num=4
diagnose sys sdwan service 4
Service(4): Address Mode(IPV4) flags=0x200
Gen(9), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Member sub interface(5):
2: seq_num(4), interface(OL_INET1_2):
1: OL_INET2_1_0(43)
Members(5):
1: Seq_num(4 OL_INET2_1_0), alive, selected
2: Seq_num(4 OL_INET1_2), alive, selected
3: Seq_num(3 OL_INET1_1), alive, selected
4: Seq_num(5 OL_INET2_2), alive, selected
5: Seq_num(6 OL_INET2_2), alive, selected
Dst address(1):
192.168.0.0-192.168.255.255
diagnose sys sdwan health-check
Health Check(HealtechCheck8.8.8.8):
Seq(1 wan1): state(alive), packet-loss(0.000%) latency(6.965), jitter(0.119) sla_map=0x0
Seq(2 wan2): state(alive), packet-loss(0.000%) latency(7.274), jitter(0.272) sla_map=0x0
Health Check(HelathCheckVPN2):
Seq(3 OL_INET1_1): state(alive), packet-loss(0.000%) latency(0.169), jitter(0.013) sla_map=0x0
Seq(4 OL_INET2_1): state(alive), packet-loss(0.000%) latency(0.154), jitter(0.011) sla_map=0x0
Seq(4 OL_INET2_1_0): state(alive), packet-loss(93.000%) latency(0.173), jitter(0.030) sla_map=0x0
Health Check(HealthCheckVPNhub2):
Seq(5 OL_INET1_2): state(alive), packet-loss(0.000%) latency(0.160), jitter(0.011) sla_map=0x0
Seq(6 OL_INET2_2): state(alive), packet-loss(0.000%) latency(0.162), jitter(0.011) sla_map=0x0
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 12.81.177.33, wan1
[1/0] via 12.81.177.37, wan2
C 10.200.11.0/24 is directly connected, OL_INET1_1
C 10.200.11.1/32 is directly connected, OL_INET1_1
C 10.200.12.0/24 is directly connected, OL_INET2_1
C 10.200.12.1/32 is directly connected, OL_INET2_1
C 10.200.21.0/24 is directly connected, OL_INET2_1
C 10.200.21.1/32 is directly connected, OL_INET2_1_0
C 10.200.21.2/32 is directly connected, OL_INET2_1
is directly connected, OL_INET2_1_0
C 10.200.22.0/24 is directly connected, OL_INET2_2
C 10.200.22.2/32 is directly connected, OL_INET2_2
B 10.250.250.0/24 [200/0] via 10.200.12.10, OL_INET2_1, 00:04:19
[200/0] via 10.200.22.10, OL_INET2_2, 00:04:19
[200/0] via 10.200.11.10, OL_INET1_1, 00:04:19
[200/0] via 10.200.21.10, OL_INET2_1, 00:04:19
B 10.254.253.0/24 [200/0] via 10.200.12.10, OL_INET2_1, 00:04:19
[200/0] via 10.200.22.10, OL_INET2_2, 00:04:19
B 10.254.254.0/24 [200/0] via 10.200.11.10, OL_INET1_1, 02:12:18
[200/0] via 10.200.21.10, OL_INET2_1, 02:12:18
C 169.254.1.0/24 is directly connected, fortilink
B 172.17.1.1/32 [200/0] via 10.200.11.10, OL_INET1_1, 02:12:18
[200/0] via 10.200.21.10, OL_INET2_1, 02:12:18
B 172.17.1.2/32 [200/0] via 10.200.11.2, OL_INET1_1, 00:04:18
[200/0] via 10.200.12.2, OL_INET2_1, 00:04:18
[200/0] via 10.200.21.1, OL_INET2_1_0, 00:04:18
[200/0] via 10.200.22.1, OL_INET2_2, 00:04:18
C 172.17.1.3/32 is directly connected, Gestion
B 172.17.1.100/32 [200/0] via 10.200.12.10, OL_INET2_1, 00:04:19
[200/0] via 10.200.22.10, OL_INET2_2, 00:04:19
B 192.168.1.0/24 [200/0] via 10.200.11.2, OL_INET1_1, 00:04:18
[200/0] via 10.200.12.2, OL_INET2_1, 00:04:18
[200/0] via 10.200.21.1, OL_INET2_1_0, 00:04:18
[200/0] via 10.200.22.1, OL_INET2_2, 00:04:18
C 192.168.11.0/24 is directly connected, lan
C 12.81.177.32/30 is directly connected, wan1
C 12.81.177.36/30 is directly connected, wan2
get router info bgp sum
VRF 0 BGP router identifier 192.168.11.99, local AS number 65000
BGP table version is 5
1 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.200.11.10 4 65000 1858 1854 3 0 0 02:15:30 6
10.200.12.10 4 65000 1949 1941 4 0 0 00:07:31 6
10.200.21.10 4 65000 1861 1842 2 0 0 02:15:32 6
10.200.22.10 4 65000 1955 1939 1 0 0 02:21:53 6
get router info routing-table detail 192.168.1.0/24
Routing table for VRF=0
Routing entry for 192.168.1.0/24
Known via "bgp", distance 200, metric 0, best
Last update 00:00:43 ago
* 10.200.11.2, via OL_INET1_1 distance 0
* 10.200.12.2, via OL_INET1_2 distance 0
* 10.200.21.1, via OL_INET2_1 distance 0
* 10.200.22.1, via OL_INET2_2 distance 0
Routing entry for 192.168.1.0/24
Known via "static", distance 255, metric 0
directly connected, Null distance 0
- USEFUL COMMANDS
- Restart the VPN tunnels
diagnose vpn tunnel flush --> all tunnels
diagnose vpn tunnel flush tunnel-name --> only that tunnel
- Restart the BGP sessions
execute router clear bgp all --> restart BGP towards all neighbors
execute router clear bgp ip/as --> restart BGP towards that neighbor or autonomous system
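As an added check (example code, not from the original post), a small Python parser for the `diagnose sys sdwan health-check` output shown for SPOKE2 above; it flags members that are down or that exceed packet-loss, latency or jitter thresholds, which is how the 93% loss on the ADVPN shortcut OL_INET2_1_0 would be caught by a monitoring script even though the member is still reported as alive. The thresholds are assumed values, and the sample input is the page's own SPOKE2 output embedded inline.

```python
import re
from collections import namedtuple

# Constructed sample: the SPOKE2 "diagnose sys sdwan health-check" output shown above.
SAMPLE = """\
Health Check(HealtechCheck8.8.8.8):
Seq(1 wan1): state(alive), packet-loss(0.000%) latency(6.965), jitter(0.119) sla_map=0x0
Seq(2 wan2): state(alive), packet-loss(0.000%) latency(7.274), jitter(0.272) sla_map=0x0
Health Check(HelathCheckVPN2):
Seq(3 OL_INET1_1): state(alive), packet-loss(0.000%) latency(0.169), jitter(0.013) sla_map=0x0
Seq(4 OL_INET2_1): state(alive), packet-loss(0.000%) latency(0.154), jitter(0.011) sla_map=0x0
Seq(4 OL_INET2_1_0): state(alive), packet-loss(93.000%) latency(0.173), jitter(0.030) sla_map=0x0
Health Check(HealthCheckVPNhub2):
Seq(5 OL_INET1_2): state(alive), packet-loss(0.000%) latency(0.160), jitter(0.011) sla_map=0x0
Seq(6 OL_INET2_2): state(alive), packet-loss(0.000%) latency(0.162), jitter(0.011) sla_map=0x0
"""

HC_RE = re.compile(r"^Health Check\((?P<name>[^)]+)\):")
MEMBER_RE = re.compile(
    r"^Seq\((?P<seq>\d+) (?P<iface>\S+)\): state\((?P<state>\w+)\), "
    r"packet-loss\((?P<loss>[\d.]+)%\) latency\((?P<lat>[\d.]+)\), "
    r"jitter\((?P<jit>[\d.]+)\)")

# seq is the SD-WAN member seq-num; an ADVPN shortcut child (OL_INET2_1_0) shares its
# parent's seq, so iface, not seq, identifies a member. loss is percent, latency/jitter ms.
Member = namedtuple("Member", "check seq iface state loss latency jitter")

def parse_health_check(text):
    """Parse the CLI output into Member records tagged with their health check name."""
    members, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = HC_RE.match(line)
        if head:
            current = head.group("name")
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            members.append(Member(current, int(m["seq"]), m["iface"], m["state"],
                                  float(m["loss"]), float(m["lat"]), float(m["jit"])))
    return members

def sla_violations(members, max_loss=1.0, max_latency=50.0, max_jitter=5.0):
    """Members that are dead or breach the thresholds (assumed values, not from the page).
    The 93%-loss shortcut is still 'alive' in the output above, so loss must be checked."""
    return [mb for mb in members
            if mb.state != "alive" or mb.loss > max_loss
            or mb.latency > max_latency or mb.jitter > max_jitter]
```

Feeding the live command output into parse_health_check() and alerting on sla_violations() gives a quick way to spot a degraded overlay or shortcut before users notice.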