Full Redundant VPN Connections FortiOS 5.4 and 5.6

Captions
Hello, welcome everyone, whoever's going to be watching this, which I doubt anyone will, but anyways. My name is Devin Adams, I am a Fortinet instructor for DWWTC here in Tempe, Arizona, and here in this demo I am going to demonstrate how to get redundant VPN connections. Now I do these videos as an extension to the classes that I teach, so I just share them here on YouTube because I know there's not that much resources out there. Anyways, this demo goes out to my friend Randy, who was wondering, alright, while in class we had a dual VPN connection solution. So in class we had WAN1, WAN2, and on the remote side we had WAN1, WAN2, and then we had a primary tunnel and then a secondary tunnel. Well, the only problem within the lab is if one of these connections go down it brings down WAN1, so if WAN1 disappeared over here it would bring down WAN1 and WAN1 over here. So Randy's question was, well, isn't there a way that we can get full redundancy? In other words, if WAN1 stays up all the time there shouldn't be a reason to force the other WAN connections to go down too, right? And that's what we're gonna try to do here. We're gonna try to do a full redundancy instead of just a primary and a backup, so we'll have essentially four tunnels on each side. So here's LA, here's New York, and let me zoom in a little bit so we can see what's going on here. Our goal here is to have this network right here connect to this private network over here across our pseudo-WAN interface over here, and regardless of which switch I disconnect, right, we should still get full redundancy. Alright, so now I did copy a couple of shortcuts to the actual cookbooks that demo this from Fortinet itself, and they have you go through the custom tunnels to do this. Well, I'm lazy guys, I'm not gonna lie, and also I apologize that this looks so bad too, I'm not really a graphics designer or YouTuber, anyways, but I'm lazier than that, so I was wondering, you know what, can we just use the VPN wizards?

Now I'm not quite sure if this is going to work exactly, but I also like to record my failures, okay, and the reason why is because I think they do a good job also helping us learn about what not to do, and sometimes it's just as important as what to do. So anyways, let's go ahead and first start with our PC over here in Los Angeles. So here we are, and I'm gonna load up the management interface to my local FortiGate here, alright, and that's gonna be 10.0.1.254. There we are, and let me log in real quick and let's see what's going on here. Now, on purpose, because I was doing it for other demos and also just to make things a little bit more interesting, I am using a WAN link load balancer on my network. So if I go over here to WAN link load balancing you'll see that port 1 and port 2 are clustered together, alright, and then we have it distributing traffic accordingly. So I'm going to show in this demo how that doesn't matter, we can still push down VPNs individually, and normally we can't do that, but using the wizards and everything we can. So because once you actually make that one logical interface, as you can, let's go ahead and just take a look here real quickly in our IPv4 policies, you'll see it's only being referred to as one port. Oh, that's my DMZ, there we go. So we pretty much have port 3 as our LAN or our trust, and the WAN link load balance gets abstracted because of the link load balancing. Now if you're in 5.6 that's what they're now calling the software-defined network, or the software-defined WAN, so not to get those confused, but I'm gonna show that that doesn't really matter. Alright, also if I go ahead and load up another tab and I go to my remote FortiGate, and everything in these demos, by the way, I try to simulate the classroom lab environment as much as possible. If it has a 10.200 we're gonna make believe that those are public IP addresses, because we actually utilize the web we can't use real public IP addresses, but here we go, this is the remote FortiGate, and there's a couple of things special on this one.

For starters, if you notice the GUI change, this is 5.6. Now I need to start getting used to 5.6, so I've been forcing myself to use it more. A lot more features, a lot prettier interface, a lot of neat little details here and there that's making that GUI experience just absolutely wonderful. So as an example here, if I go to my Network you see, oh, we have SD-WAN here, right. Now I did not abstract those out, alright, on purpose, so if we go to static routes here you should see I have two WAN connections here for two different ISPs. But what is interesting is I have it in, I need a little fanfare here, let's see here, High Availability. So we actually have two FortiGates clustered together, and that's why in my little topology here it kind of looks like a hot mess, right, because the FortiGates have to connect to the same broadcast domains, also the heartbeat links. Also over here we're gonna see that that doesn't matter, it just works. So let me try to bring that back. Alright, so let's go ahead and start. So I'm gonna first start with LA. Now remember our goal here is to get full redundancy using IPsec, alright, so we're gonna build the first tunnel from here to here, then here to here, and then we're going to build the other two from here to here, then here to here, and then we're going to go over to the New York side and do the opposite, so there should be a total of four on each side. So I'm gonna head over to my VPN wizard, I'm gonna go to my IPsec Tunnels, alright, I'm gonna hit Create New, and luckily we're going from FortiGate to FortiGate, so I'm just gonna say "to NYC primary", okay, no NAT because we're going public IP address to public IP address, and the gateway is going to be 10.200.3.1, which is the IP address of this remote FortiGate right here, okay, and then my super secret password that I'm not going to show anyone, I just showed everyone, right, alright.

And now I'm gonna pick my trust, it automatically populates the local subnets, and then I'm gonna get to the subnet that I'm trying to connect to, which is the 10.0.2. It creates, guys, that is it. Not only does it do the firewall policies for us and the inverse, it also does the routes for us, yeah, it's pretty amazing. So I'm gonna go ahead and add another tunnel and do that all over again, but this time I'm gonna do a "to NYC", is that how I had it, "to NYC primary", oh, too many characters, I'll have to say "prime 2", alright. And once again I'm gonna go to 10.200.4 this time, .1, so in other words I am going to access the secondary ISP on this remote FortiGate here, okay, and then I hit Next. Oh, pre-shared key, don't tell anyone. Now guys, honestly, I've seen so many times where my VPN tunnels failed when I first configured them, nine out of ten times I fat-fingered the password, because in real life they'd be long and secure. Alright, here we go, 10, oops, 10.0.2, come on, 10.0.2.0/24, there we are, it creates, wonderful. So once again the primary was going from WAN1 to this WAN right here, and WAN1 to the secondary WAN over here. Now I'm gonna do it once again, all over again, but this time accessing it through the different ISP, this guy right here. So here we go, so I'm gonna say "to NYC backup", alright, Next, then 10.200.3.1, did I do that right? No I did not, sorry guys. But now I'm gonna use WAN2 instead of WAN1, see the difference there, password, double check my password, pretty amazing, hit Next, and once again I'm gonna pop it out, and for those that were in class these are the quick mode selectors that it configures, alright. I'm gonna go ahead and hit Create, and then I'm gonna add my last one, which will be my secondary backup, so "to", come on, "NYC backup 2". Here we go, 10.200.4.1, alright, see how it wants to go out port 1, I'm gonna be like no, you know what, WAN2 is gonna be okay, and then I'm gonna say password, double check myself, there we go.

Alright, and for my quick mode selectors, alright, wonderful. So now we are done with the LA side, and as you can see we have four tunnels, alright. If I go to Policy & Objects, go to IPv4 Policies, you'll see it made all the policies too. Now this is kind of a hot mess, I'm not gonna lie, alright. In reality, if I was gonna do this in a production network I would probably take the time to create zones for these just so they weren't so congested, alright, but like I said I was gonna try to keep it simple with the wizard, just kind of as a proof of concept here. But then again, you know, we might be used to seeing a lot of interface pairs anyways, there you go, it made it for us there. And also, which is really important, is the way that it knows to push it down the tunnel, and that is by the static routes. So the static routes, there we go, boom boom boom boom boom, doesn't get much easier than that, guys. So let's go ahead and fly to New York here, and now let's do the same on the New York side but going the other direction. So, ah, isn't this cute, starting with the newest version of 5.6 it goes, you know what, your password sucks, you should probably change that. So thanks, Fortinet. Now if you're a network security admin and you don't change the default admin blank password, I'm pretty sure you shouldn't need a little reminder popping up at you, you probably should just go back to being a sysadmin. Anyways, let's keep going forward here. So let's go ahead and do the same thing, now we're gonna go to VPN, IPsec Tunnels, and I'm just gonna do the wizard all over again but this time in the opposite direction. So we'll do the first WAN connection first, so I'll say "to LA primary", alright, hit Next, the public IP address of that connection, okay, it even found it for me, thanks. Once again, guys, we're going right here, so we're going from, now remember it's clustered, so you have to logically think of these as one, alright. In theory I guess I could just have stacked them on top of each other, but that's no fun because I can't see my cool load balancing going on there.

But anyways, so we're going from here to here, so let me get that back, alright. The pre-shared key should match, there we go. Now I'm gonna hit Next, my WAN interface, look at that, look at that, man, you know Fortinet surprises me every single version of FortiOS that gets updated, they just put in like a little bit more details that just, I think it's pretty darn cool. So let's see here, /24, awesome, alright, there we go. So as you can see we have our interfaces, look at that, this is new, look at that, it shows you all the different phases, let's see here, local, remote, look at that, blackhole route, what? We're gonna have to check that out later, I have no idea what that is off the top of my head. Let's go ahead and do another, and this time we're gonna do "to LA prime 2", alright. So this is now the WAN1 going to the WAN2 on the New York side, alright, and it has an IP address of 10.200.2.1, and we'll go ahead and use WAN1, alright, pre-shared key, remember, double check yourself, there we go. I'll hit Next and we're doing port 6 and it's going to pop out at 10.0.1.0/24. Hit Create, add another tunnel. Now we're doing something different, now we're doing our second WAN connection, or our secondary ISP, connecting here, and then we're gonna do another tunnel going here. So let's go ahead and do that, alright, so we'll say "to LA backup", Next, 10.200.1.1, but this time I'm gonna force it to go out port 5, remember it's our secondary. So here we go, password, alright, good times, good times, there we go, pop out port 6, alright, 10.0.1.0/24, okay, excellent. We have one more to go, so let's go ahead and add another, and this is going to be our WAN2 to WAN2. So alright, here we go, "to LA backup 2", are there enough characters there? Let's just actually say "backup 2", there, that's awesome, alright. I guess "primary" was just a little too long. But it's gonna be 2.1, and once again we don't want WAN1, we want our WAN2, alright, pre-shared key password, double check, alright, looks okay.

Then for our quick mode selectors, I love that they put in the additional ones there, it's such a nice little touch, alright, here we go, great, perfect. So let's look at our tunnel list, alright, excellent, so as you can see we have primary, prime 2, backup, backup 2, and then on this side we have them mirrored. So now I am not too sure what they meant by blackhole, so let's go ahead and take a look at our Policy and IPv4 and we should see the matching pairs, okay, so there they are, that's good, alright, looks good. Like I said, I'd probably drop those in zones for simplicity in a production network, but not now. So let's go to Network, let's see if it made our static routes. Oh, interesting, so here we are, and it looks like in 5.6 it now automatically creates the blackhole for you for a VPN tunnel. That is pretty cool, so we shouldn't need it here, at least I'm assuming. So let me back up a little bit. The blackhole route is in case for some reason that VPN tunnel goes down. What will happen sometimes is that the traffic that was continuing out the tunnel does a route lookup, because the routing table has changed when the VPN tunnel goes down, and it'll start pushing it out the default gateway, which is not the IPsec tunnel. So essentially you get this, I don't know how to describe it, essentially a route lookup error: because the VPN tunnel is down it will go ahead and stop pushing it through the VPN tunnel, so it starts using the default gateway, and essentially it looks at that private IP address that you're trying to go to and just drops it, and it breaks a lot of stuff until the sessions time out. So a way around that is to add a blackhole route, so if the tunnel ever goes down, I'll actually click into one of these, alright, instead of just not having a place for this destination, it'll actually route it to null, and that's what that blackhole is, which means the bit bucket.

So what's nice about this is you don't get that weird push down the default gateway, because what happens is the VPN tunnel will come back up, right, but the tunnel that erroneously is going out the default gateway will still continue to go out the default gateway. But here, because the administrative distance is so high, remember routing's like golf, essentially this will disappear and be replaced with the real VPN tunnel, and it'll start routing correctly once it comes back up. So I have had to personally use that when I was using monitoring software for my IPsec tunnels. I was doing pings down the tunnels, and even though my VPNs might flap once in a while, might go down, they come right back up a few moments later, the ping traffic for my monitoring software would just start reporting it being down because it'd start pushing it out the default gateway. So I found out about this blackhole, to find out that it will go ahead and reroute itself once the tunnel comes back up. That is so cool that it does it by default. Did not mean to go out on a tangent, but that is completely new in 5.6, I've never seen that before. But like I said, we have backups here so it shouldn't be a problem. But let's go ahead and do one more thing until we test it. Now if you look at the guide, and there's two of them there in the comments field, or in the little, I don't know, I'm not a YouTuber, you guys, sorry, the description in the video, it says to set the administrative distance differently according to their priority. So it took me a moment to think about this, but essentially, guys, if we have all of these together, made by default, alright, they have the same administrative distance and the same priority, okay. Now the FortiGate will normally participate in something called equal cost multipathing when it has the same distance and priority, or the same distance and metric. Well, we don't want these things to pretty much bounce back and forth with each other, I mean we could theoretically, but we just want one VPN tunnel, and then if one goes down the second one will come back up.

So I'm gonna go ahead and set the administrative distance with the primary being one, two, three and four, and then mirror it on the other side. That way the tunnels will be forced to come back up and forced to be removed out of the routing table whenever there is a change. So if we did just priority they'd all stay in the routing table, and essentially, not to get too much into it, but the session table would still be routing those routes that were in the active routing table if the priorities were different and the administrative distance was the same, and it wouldn't force those tunnels to do a relookup once the tunnel went down. So hopefully that made sense, if not leave a comment, take my class, email me, I'll explain it a little better later. But this video is already getting a little too long, so here we go. So I set the primary to 1 and the primary second to 2, and like I said it was in the cookbook that it was showing us to do this but not really explaining why it was important, and it's because of those lookups. So we want to keep, if I go down here to Monitor and I go to my Routing Monitor, right, I want to keep only one VPN tunnel in there at a time, I do not want a bunch of them in there, alright. And as you can see the "to NYC primary" has the highest, I mean, well, the lowest administrative distance, which is the highest priority, so it's in the active routing table, blah blah blah. So there you guys go. Just as a comparison here, I haven't done anything with these guys yet, so if I go to Monitor and I look at my routing table, my Routing Monitor, we have four tunnels to pick from, so this FortiGate's gonna go ping ping ping ping ping ping, which is fine, right, if we kept them both up, but we want these things to fail over, right, because maybe our primary WAN connections are nice big thick pipes, maybe some fiber connections, and then maybe our secondaries are just a little DSL, cable modem backup, and we only want to use them when we need to.

So let's go ahead and fix that, alright. So we're gonna go back to our Network, back to our Static Routes, and I'm just gonna mirror those. So I'm gonna say "to LA primary" and I'm gonna give it an administrative distance of 1, alright, primary second, administrative distance of 2, backup is 3, and then 4. Now once again, the blackholes would probably be necessary if we just had one VPN tunnel, but we have redundancies here, I'll leave them in there anyways, but they'd all have to go down before these bad boys start showing up. So let's go back to Monitor and Routing Monitor to take a look, and as you can see we now just have a single tunnel. Now if I go to IPsec Monitor nothing has happened yet. Why? Well, we haven't forced any traffic down the WAN, so let's go ahead and do that. So this computer here is in LA, so now we're testing it, right, so I'm gonna do a ping loop. So I'll do ping, let's see, 10.0.2.10, I think that's the name of the PC over there, I might have to double check that, it should be this guy right here, but I can't remember off the top of my head. I better check that out actually, let's take a look. Alright, so here we are in New York, once again I want to double check to see what my IP address is because it might not be 10. Alright, yeah, it's probably not 10, alright, that would make sense, so let's figure out what that is. Alright, sorry about that, it is 101, okay, very cool. So let's go ahead and go back to LA, now it'd be nice if we had the right one, so let's do a 101. Now oh, look at that, beautiful, right, beautiful, it's pushing down the tunnel, all is right with the world. I can come over here to my remote one, hit refresh, we have it up, oh so great, alright. Now that's in New York, and then also on the local FortiGate, if I go to IPsec Monitor only one is up, oh that's just awesome. Okay, so now here's the thing.

I'm gonna go ahead and do a ping loop on the other side, so remember this guy's in LA, let me go ahead and grab New York again, alright. Now the way that these things work is, and you witnessed this in class for those who took my class, it takes a moment, right, for the IPsec tunnel to actually recognize it being down before it will close the tunnel, and those are like the dead peer detectors and things like that. Now if you're concerned about the amount of time that it takes for it to fail over, because we're watching it, and as we watch it we're paying close attention to it, now in real life though we're usually not sitting here gawking at it, right, so we don't notice if it's gonna be a few moments or not. But if you really want that top of the line latency you can play around with the dead peer detectors, you just have to be careful because sometimes traffic will get dropped naturally and you don't want it to be, you know, bringing down tunnels just because of a little congestion. Another suggestion that I still need to try out, but I just thought up off the top of my head, is to do like link health monitors through the VPN tunnels to maybe get a little bit more control over when it gets removed from the routing table. So maybe if I get some time for that in class I can maybe demo or try that out. But essentially what we got here, guys, is two pings going in both directions using WAN1 to WAN1, so pretty neat, swell, zippity-doo-dah. The real trick here is gonna be when something bad happens. So once again, here to here is where the connection is, so I'm gonna right click this bad boy and I'm gonna kill this switch, right, that switch is now dead, alright, and it is still pushing out, okay, it works that well? Ah, let's see here, which one was it connected to, "to NYC primary", okay, that's different, I was expecting it to fail there. Let me reload here, "to LA primary", alright, oh okay, "to NYC primary", okay, that's different, I didn't think that would survive that switch being down, but it did.

I'd actually have to do a lookup to see how that was working, because I expected one of those to go down. Let's try something else here, let's try to bring down, ooh, let's try to bring down our main primary one in LA, that's gonna force some kind of, there we go, I was gonna say that would have to force something. There we are, see the timeouts happening now, I made it a little too resilient there for a moment. Anyway, so we just suffered a primary-primary down, and we'll see if it comes back up. So now in class it took us a good, what would you say, ten pings for the dead peer detectors to really all come across and figure out that one was down, to the other, or maybe it just won't work, I'm just kidding. So in fact, while it's actually doing its thing, let's go ahead and take a look at what's happening on the FortiGate instead of just staring at these ping loops. So I'm gonna go ahead and refresh, alright, so "to NYC primary" is still considered up, alright, nothing else has kicked in yet. Let's see what's happening at New York, let's see if it figured that one out. Alright, well I can still get there, so at least my WAN connection's still up, alright. Look at that, it's, oh there it goes, oh I caught it, did you see that, did you see that? Oh, caught it in the act, there we go, "to NYC backup" has now come to life, yeah, pretty cool huh, "to LA prime 2", alright, not too bad, not too bad at all. So, and that's a little weird still, I'm still trying to figure out how that all works, because technically speaking this network right here is that guy, and I'm not too sure how that's gonna work. See how it's still timing out, hmm, let me bring this guy back up too. I actually have pretty good faith that everything would start kicking up eventually, we just have to wait a little bit. Alright, do a little refresher, alright, see, "to LA prime 2", alright, so it's now going to that secondary. It took a moment on the New York side to realize that the primary was actually down, right, for it to go to the secondary one.

So we're actually going from the second WAN there and also from the second WAN there, so it just took a moment for it to kick in. So I didn't even need to turn on this switch here, but I'll turn everything back on. Actually, you know what, let's just keep rolling with this. I'm gonna kill the secondary here and the primary here and see if it can't converge itself. And once again, I know for a fact that we can get more intelligence, let's see here, well that's not what I was doing, I lost it, we can get more intelligent VPN tunnels converging, we would just simply need to do health monitors to do so, that's an idea. See how we now have "to NYC primary", backup, right, this is still pinging, yeah it's still pinging, even though I've killed, let's see here, killed the secondary and killed the primary, so not too bad there, and yeah, it's still going on the New York side, so not too bad, right. I know I was kind of doing a sloppy job flopping through that. Here we are, and eventually that will time out and die, or maybe it won't, because it's going to New York backup, I got to think of the directions here. Alright, so bottom line though, it stayed up. Let's just keep rolling with this, and I'm actually going to flip-flop these, so we now have the secondary alive over here, the secondary alive over here, okay, and then these two guys right here have now been powered off. Now another thing I should note that's also affecting this is you guys gotta also realize that these things are actual switches that are booting up, so that takes a little bit for it to get up and running too. But you see how we have that down, and it's like watching paint dry, my word. So once again, just as a review, what we did here was create four tunnels on each side, so primary to primary, primary to secondary, and secondary to primary, primary to secondary, then flipped it going the opposite direction. So once those switches power back up, right, and I'm wondering if I wasn't actually using switches, maybe just putting down an interface, this would happen a lot quicker, but I wanted to create something a little bit more realistic in doing the demo.

Because that's the problem with lab environments, right, when we suffer an outage it isn't just, you know, us on purpose putting down an interface, or closing an interface. So let's see here, let's go ahead and see what's going on, maybe we can catch it again in the act, right. So here we go, so "to NYC backup", so that is back up, that is back down, and then over on the New York side I was expecting it to kick me out, okay, you can do it buddy, which is funny, I could just, come on, you can do it, because I could actually just access it from this side. Oh look at that, that's taking a little bit longer than I thought it would, and that's me accessing my remote FortiGate publicly, which we'd never have in real life. So we'll just try to go on the New York side and see what's going on here, there we go, alright, ah, still down, hmm, let's take a look, huh. So here we go, let's go to our VPN tunnels, so yeah, we have a "to LA backup 2", so we do have a tunnel that is up, alright. Now I also don't know if it's just a matter of these guys right here needing to time out, let me try that, maybe see what's happening on this side, no, I'm still timing out over here too. Maybe I have to perfect this a little bit more, oh, see, just got to be a little more patient. So like I said, guys, that's the only problem that I've really seen with this, is that it's not like a quick "hey I'm down", and it shouldn't be, now, that many packet losses, maybe that would be extreme, I mean that was a good five minutes or something staring here waiting for it to converge. But out in the real world I'm not too sure if that would be the case, because I'm powering down switches and everything else. Why do VPN connections go down to begin with? You know, there's many different variables there, from losing an actual WAN interface to maybe traffic just getting so congested that it's getting dropped and the dead peer detectors keep on kicking in.

But that should be enough to prove the proof of concept. So once again, by doing the wizard, right, four times on each side and then changing the priorities by changing the administrative distance based on how I wanted their convergence order, we can get redundant connections here. So if any of my students do watch this and they've had their own personal experience with it working or not working, feel free to email me and let me know, or if there's something else you want me to lab up and try, let me know, because, you know, in the real world things can act a little bit differently, but that should still be a proof of concept there. And then I don't know if anyone's ever gonna find these things out on the internets and actually watch them on YouTube, but of course you can comment, and I'm not gonna lie, I'm not gonna watch them or look for comments, I might stumble across them once in a good while. But anyways, I will go ahead and end it there. I hope you guys enjoyed this and it was helpful, if it wasn't, or a hot mess, just let me know, I can always rerecord them. So, well, thank you very much and I will see you guys next time.
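As an added illustration, not code from the video or from Fortinet, here is a small Python model of the route-selection behaviour the demo relies on: four wizard-created static routes to the remote LAN, one per tunnel, with administrative distance deciding which of them is installed in the active routing table, priority only breaking ties among routes that share a distance (so "priority only" leaves all four installed and ECMP-eligible), and a blackhole route for the same prefix that catches traffic while every tunnel is down instead of letting it leak out the default gateway. Tunnel names, the 10.0.2.0/24 remote LAN, the 10.0.2.101 host, the distance values and the blackhole distance of 254 are constructed for the example to mirror the LA side of the video; the lookup order (longest prefix, then distance, then priority) is a simplification of what FortiOS does, not its actual routing code.

```python
"""Constructed model of FortiGate-style static route selection for the
LA side of the demo: four IPsec tunnels to NYC, a blackhole for the
remote LAN, and a default route out wan1. Names and values are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    dst: str           # destination prefix, e.g. "10.0.2.0/24"
    device: str        # tunnel or interface name; "blackhole" discards traffic
    distance: int      # administrative distance, lower is preferred
    priority: int = 0  # tie-breaker among installed routes, lower is preferred


# Constructed sample topology (assumed): LA FortiGate, NYC LAN 10.0.2.0/24.
TUNNELS = ["to_NYC_primary", "to_NYC_prime2", "to_NYC_backup", "to_NYC_backup2"]
REMOTE_LAN = "10.0.2.0/24"


def build_rib(distances, priorities=(0, 0, 0, 0), blackhole=True):
    """Routes the demo ends up with: one /24 route per tunnel, an optional
    blackhole for the same /24, and a default route out the primary WAN."""
    rib = [Route(REMOTE_LAN, dev, dist, prio)
           for dev, dist, prio in zip(TUNNELS, distances, priorities)]
    if blackhole:
        rib.append(Route(REMOTE_LAN, "blackhole", 254))  # assumed high distance
    rib.append(Route("0.0.0.0/0", "wan1", 10))           # default gateway
    return rib


def installed(rib, up):
    """Routes that make it into the active routing table: per prefix, only
    the lowest-distance routes whose device is up. A blackhole route has no
    interface to lose, so it is always eligible (but loses on distance)."""
    live = [r for r in rib if r.device == "blackhole" or up.get(r.device, False)]
    table = []
    for prefix in {r.dst for r in live}:
        same = [r for r in live if r.dst == prefix]
        best = min(r.distance for r in same)
        table.extend(r for r in same if r.distance == best)
    return table


def lookup(rib, up, dst_ip):
    """Longest-prefix match over the installed table, then lowest priority.
    Returns the next-hop devices; more than one entry means ECMP."""
    ip = ip_address(dst_ip)
    cands = [r for r in installed(rib, up) if ip in ip_network(r.dst)]
    if not cands:
        return []
    longest = max(ip_network(r.dst).prefixlen for r in cands)
    cands = [r for r in cands if ip_network(r.dst).prefixlen == longest]
    best = min(r.priority for r in cands)
    return sorted(r.device for r in cands if r.priority == best)


def all_up():
    """Link state with every tunnel and the WAN interface up."""
    return {dev: True for dev in TUNNELS + ["wan1"]}


if __name__ == "__main__":
    host = "10.0.2.101"  # the NYC PC pinged in the video
    print("wizard defaults, all up:", lookup(build_rib([10, 10, 10, 10]), all_up(), host))
    print("priority only, all up  :", lookup(build_rib([10] * 4, (1, 2, 3, 4)), all_up(), host))
    tuned = build_rib([1, 2, 3, 4])
    print("distance 1..4, all up  :", lookup(tuned, all_up(), host))
    state = all_up()
    state["to_NYC_primary"] = False
    print("primary tunnel down    :", lookup(tuned, state, host))
    down = {dev: dev == "wan1" for dev in TUNNELS + ["wan1"]}
    print("all tunnels down       :", lookup(tuned, down, host))
    print("...without blackhole   :", lookup(build_rib([1, 2, 3, 4], blackhole=False), down, host))
```

Running the script prints the progression the video walks through: with the wizard defaults all four tunnels tie and the lookup returns all of them (ECMP); with distinct priorities only the primary is chosen but all four routes stay installed; with distances 1 to 4 only one tunnel route is installed at a time and it fails over to "to_NYC_prime2" when the primary drops; with every tunnel down the /24 blackhole wins longest-prefix match over the /0 default route, which is the leak onto the default gateway the blackhole is there to prevent, as the last line shows by omitting it.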
Info
Channel: Devin Adams
Views: 12,219
Keywords: FortiGate, VPN, Redundant, 5.4, 5.6, Mesh, Demo
Id: Gg6-NeCr0o4
Length: 40min 35sec (2435 seconds)
Published: Thu Feb 22 2018