IPSEC VPN For Active-Active FGT with ELB and ILB

[HARIS-581]

We have configured FGT VMs with ELB and ILB . Below is the deployment details

1. Only Single Public IP attached to ELB.
2. Inbound Rules on ELB forwarding 4500 and 500 UDP to Back-end FGT port1 IP address. Floating IP Disabled.

3. ILB Configured with HA Rule for all ports with Floating IP Address.

4. FGSP and Auto Scaling Is configure and enable.d

IPsec Tunnel Behavior:

• The IPsec tunnel establishes on FGT-A.
• Traffic from remote sites arrives over the IPsec tunnel to FGT-A and is routed to an internal virtual machine (VM).
• When the internal VM responds, the traffic is routed via the ILB to FGT-B.
• Since the tunnel is active only on FGT-A, this routing causes the traffic to be dropped.

- Traffic Initiation from Internal VM:

• If the internal VM initiates traffic destined for a target VM over the IPsec tunnel and it is routed to FGT-B, the traffic is dropped.

How to resolve this so that return traffic is not dropped by FGT-B ? Disabling Internal Port-2 interface is 1 option but this will be manual and in case of failover it should be enabled back.

[jvhoof]

Hi,

Thank you for opening this issue. If you want to deploy an active/active deployment of FortiGate it is recommended to create 2 VPN tunnels. One tunnel to each FortiGate. There is no way to send traffic from one unit to another for this type of traffic.

If you disable the probe on port 2 all your traffic including your VPN traffic, will be send to the primary FortiGate and you have created a Active/Passive setup.

For VPN tunnel termination most customers select an Active/Passive with ELB/ILB setup. This allows for an easy setup from diverse sources where you don't control the VPN concentrator on the remote site. Traffic will always pass the active firewall and on failover your VPN tunnel will pass to the passive unit who will become active.

A setup with Active/Active is also possible by adding 1 public IP to each FortiGate on a secondary private IP. These will be used to setup your VPN tunnels. We have this type of setup for the FortiGate integrated in Azure Virtual WAN.

Another option is if your traffic is primarily from your branches / remote sites to your Azure environment then you can always SNAT your packets behind the FortiGate handling that session.

What is the reason to deploy with A/A?

Joeri

[HARIS-581]

But even if we have two IPSEC tunnels, asymmetric routing will still exist; that is, traffic can enter via one tunnel and leave via the other.

Traffic initiation in our environment is two-way, so SNAT will not solve the issue if traffic is initiated from the Azure environment.

Can you provide more details or reference documents for configuration with two IPSEC tunnels?