This article describes an Automation Stitch example configuration that forces IPsec VPN renegotiation after a Link-Monitor failure, for the case where the IPsec VPN is a single interface and not part of SD-WAN.
Scope
VPN IPsec, Link Monitor, FortiGate 7.0.x, 7.2.x, 7.4.x.
Solution
Requirements.
- Primary and backup site-to-site VPNs configured, preferably with IP addresses assigned to the IPsec interfaces.
- A source IP for the link monitor, which can be any local IP.
- A destination IP that is always reachable, which can be the remote IPsec interface IP.
Limitations.
- No SD-WAN configurations for VPN tunnels.
- IPsec VPN must be site-to-site. Dial-up is not supported.
- The log ID may vary depending on firmware version.
Configurations.
config vpn ipsec phase1-interface
    edit "VPN-Primary"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 2
        set remote-gw 10.1.1.2
        set psksecret ENC **removed***
    next
end

config vpn ipsec phase2-interface
    edit "VPN-Primary"
        set phase1name "VPN-Primary"
        set proposal aes256-sha256
        set dhgrp 2
        set auto-negotiate enable
    next
end

config system interface
    edit "VPN-Primary"
        set vdom "root"
        set ip 10.254.254.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.254.254.2 255.255.255.252   <- The local and remote IPs must belong to the same broadcast domain to avoid a static route configuration.
        set interface "wan"
    next
end

config system link-monitor
    edit "VPN-Pri_Monitor"
        set srcintf "VPN-Primary"
        set server "10.254.254.2"      <- Destination IP; could be the remote IPsec interface IP.
        set source-ip 192.168.100.1    <- Leave blank to use the IPsec local IP, or define any other internal IP.
        set interval 1000              <- Ping every 1 second.
        set failtime 15                <- 15-second threshold.
    next
end

Check the monitor state with the following command (output shown while the primary tunnel is down):

diagnose sys link-monitor status VPN-Pri_Monitor

Link Monitor: VPN-Pri_Monitor, Status: dead, Server num(1), HA state: local(dead), shared(dead)
Flags=0x9 init log_downgateway, Create time: Sun Aug 11 03:22:02 2024
Source interface: VPN-Primary (12)
Source IP: 192.168.100.1
Interval: 1000 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
  Peer: 10.254.254.2(10.254.254.2)
        Source IP(192.168.100.1)
        Route: 192.168.100.1->10.254.254.2/32, gwy(10.1.1.2)
        protocol: ping, state: dead
                Packet lost: 100.000%
                Number of out-of-sequence packets: 0
                Recovery times(0/5) Fail Times(2/15)
                Packet sent: 2711, received: 1151, Sequence(sent/rcvd/exp): 2712/1165/1166
Expected log events for configuring the automation trigger, depending on the FortiOS version:
FortiOS 7.0.x:

date=2024-08-11 time=02:20:31 eventtime=1723360831389957909 tz="-0500" logid="0100022922" type="event" subtype="system" level="notice" vd="root" logdesc="Link monitor status" name="VPN-Pri_Monitor" interface="VPN-Primary" probeproto="ping" msg="Link Monitor changed state from alive to dead, protocol: ping."
FortiOS 7.2.x or 7.4.x:

date=2024-08-11 time=09:11:27 eventtime=1723392687691783869 tz="-0700" logid="0100022932" type="event" subtype="system" level="warning" vd="root" logdesc="Link monitor status warning" name="VPN-Pri_Monitor" interface="VPN-Primary" probeproto="ping" msg="Link Monitor changed state from alive to dead, protocol: ping."
config system automation-trigger
    edit "VPN-PRI_MonitorDown"
        set event-type event-log
        set logid 22922    <- 22922 for FortiOS 7.0.x, or 22932 for FortiOS 7.2.x and 7.4.x.
        config fields
            edit 1
                set name "interface"
                set value "VPN-Primary"
            next
            edit 2
                set name "msg"
                set value "Link Monitor changed state from alive to dead, protocol: ping."
            next
        end
    next
end

config system automation-action
    edit "Renegotiate_VPN-Primary"
        set action-type cli-script
        set script "diagnose vpn ike gateway clear name VPN-Primary"
        set accprofile "super_admin"
    next
end

config system automation-stitch
    edit "Renegotiate_VPN-Primary"
        set trigger "VPN-PRI_MonitorDown"
        config actions
            edit 1
                set action "Renegotiate_VPN-Primary"
                set delay 10
                set required enable
            next
        end
    next
end
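The trigger fires only when the event's log ID and its interface and msg fields all match, and the log ID differs between 7.0.x and 7.2.x/7.4.x. The following Python script is an added example (not from the article or from FortiOS): it parses constructed log lines in the format shown above and reports which firmware-specific trigger each line would fire, so the correct log ID can be confirmed before deploying the stitch. It assumes exact field matching and that the trigger's numeric logid is the trailing digits of the 10-digit logid field.

```python
import re
from typing import Dict, List

# Constructed sample lines in the FortiOS key="value" event-log format shown above.
LOG_70X = ('date=2024-08-11 time=02:20:31 tz="-0500" logid="0100022922" type="event" '
           'subtype="system" level="notice" vd="root" logdesc="Link monitor status" '
           'name="VPN-Pri_Monitor" interface="VPN-Primary" probeproto="ping" '
           'msg="Link Monitor changed state from alive to dead, protocol: ping."')
LOG_72X = (LOG_70X.replace('logid="0100022922"', 'logid="0100022932"')
           .replace('level="notice"', 'level="warning"'))
LOG_BACKUP = LOG_72X.replace('interface="VPN-Primary"', 'interface="VPN-Backup"')
LOG_RECOVERY = LOG_72X.replace('alive to dead', 'dead to alive')

# The article's automation-trigger, once per firmware family (only the logid differs).
DOWN_MSG = "Link Monitor changed state from alive to dead, protocol: ping."
TRIGGERS = {
    "7.0.x": {"logid": 22922, "interface": "VPN-Primary", "msg": DOWN_MSG},
    "7.2.x/7.4.x": {"logid": 22932, "interface": "VPN-Primary", "msg": DOWN_MSG},
}

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_log(line: str) -> Dict[str, str]:
    """Split one FortiOS log line into a field dictionary, stripping quotes."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields

def short_logid(logid: str) -> int:
    # Assumption: the trigger's numeric logid is the 10-digit log field with its
    # type/subtype prefix dropped, i.e. "0100022922" -> 22922.
    return int(logid[-6:])

def trigger_matches(line: str, trigger: Dict[str, object]) -> bool:
    """True if the line would fire the trigger (assumes exact field matching)."""
    f = parse_log(line)
    if "logid" not in f or short_logid(f["logid"]) != trigger["logid"]:
        return False
    return all(f.get(k) == v for k, v in trigger.items() if k != "logid")

def matching_triggers(line: str) -> List[str]:
    """Names of the firmware-specific triggers a given log line would fire."""
    return [name for name, trig in TRIGGERS.items() if trigger_matches(line, trig)]

if __name__ == "__main__":
    for line in (LOG_70X, LOG_72X, LOG_BACKUP, LOG_RECOVERY):
        print(matching_triggers(line) or "no trigger")
```

Feed real lines from the FortiGate event log to matching_triggers to confirm the stitch would fire on the primary tunnel going down and stay silent on the backup tunnel and on recovery events.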
Results.
Navigate to Security Fabric > Automation > Stitch and confirm that the trigger count for the stitch increases each time the link monitor reports the primary tunnel as dead.