This article describes an Automation Stitch example configuration to force VPN renegotiation after SLA failure in the SD-WAN environment.
Scope
SD-WAN, VPN IPSec, FortiGate all OS.
Solution
Configurations
config vpn ipsec phase1-interface
    edit "VPN-PRI"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 2
        set remote-gw 10.1.1.1
        set psksecret **removed***
    next
end
config vpn ipsec phase2-interface
    edit "VPN-PRI"
        set phase1name "VPN-PRI"
        set proposal aes256-sha256
        set dhgrp 2
        set auto-negotiate enable
    next
end
config system interface
    edit "VPN-PRI"
        set vdom "root"
        set ip 10.254.254.2 255.255.255.255
        set type tunnel
        set remote-ip 10.254.254.1 255.255.255.252   <----- The local and remote IPs are in the same broadcast domain.
        set interface "port1"
    next
end
config system sdwan
    set status enable
    config zone
        edit "VPN"
        next
    end
    config members
        edit 3
            set interface "VPN-PRI"
            set zone "VPN"
        next
        edit 4
            set interface "VPN-PRI"
            set zone "VPN"
        next
    end
    config health-check
        edit "SLA01"
            set server "192.168.100.1"   <----- A remote IP that is always reachable.
            set interval 1000
            set failtime 10
            set recoverytime 10
            set members 4 3
        next
    end
end
Expected log event that the automation trigger is configured to match:
date=2024-08-11 time=21:13:05 eventtime=1723428785021493960 tz="-0500" logid="0100022921" type="event" subtype="system" level="critical" vd="root" logdesc="Routing information changed" name="SLA01" interface="VPN-PRI" status="down" msg="Static route on interface VPN-PRI may be removed by health-check SLA01. Route: (10.254.254.1->192.168.200.1 ping-down)"
Automation trigger, action and stitch configuration:
config system automation-trigger
    edit "VPN-PRI_Down"
        set event-type event-log
        set logid 22921
        config fields
            edit 1
                set name "interface"
                set value "VPN-PRI"
            next
            edit 2
                set name "status"
                set value "down"
            next
        end
    next
end
config system automation-action
    edit "Rekey_VPN-PRI"
        set action-type cli-script
        set script "diagnose vpn ike gateway clear name VPN-PRI"
        set accprofile "super_admin"
    next
end
config system automation-stitch
    edit "Renegotiate_VPN-PRI"
        set trigger "VPN-PRI_Down"
        config actions
            edit 1
                set action "Rekey_VPN-PRI"
                set delay 10
                set required enable
            next
        end
    next
end
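As an added example (not part of the original article or FortiOS itself), the following Python script parses FortiOS key=value event log lines and applies the trigger conditions above (logid 22921, interface VPN-PRI, status down) to show which lines would fire the stitch. The sample log lines are constructed, and the script assumes the trigger's logid corresponds to the trailing six digits of the 10-digit logid in the log record.

```python
import shlex

# Constructed sample log lines (not captured from a device). The first mirrors the
# event shown in the article; the others are variations that must NOT fire the stitch.
SAMPLE_LOGS = [
    'date=2024-08-11 time=21:13:05 tz="-0500" logid="0100022921" type="event" '
    'subtype="system" level="critical" vd="root" logdesc="Routing information changed" '
    'name="SLA01" interface="VPN-PRI" status="down" '
    'msg="Static route on interface VPN-PRI may be removed by health-check SLA01."',
    'date=2024-08-11 time=21:14:05 logid="0100022921" type="event" subtype="system" '
    'name="SLA01" interface="VPN-PRI" status="up" msg="Static route restored"',
    'date=2024-08-11 time=21:15:05 logid="0100022921" type="event" subtype="system" '
    'name="SLA01" interface="VPN-SEC" status="down" msg="other tunnel, not in trigger"',
    'date=2024-08-11 time=21:16:05 logid="0100022923" type="event" subtype="system" '
    'interface="VPN-PRI" status="down" msg="different log id, not in trigger"',
]

# Mirror of the article's automation-trigger: log ID plus the two field conditions.
TRIGGER = {"logid": 22921, "fields": {"interface": "VPN-PRI", "status": "down"}}


def parse_fortigate_log(line):
    """Split a FortiOS key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def message_id(logid):
    """Message ID part of a 10-digit FortiOS logid, e.g. '0100022921' -> 22921.
    Assumption: the trailing six digits are what 'set logid' in the trigger refers to."""
    return int(logid[-6:])


def trigger_matches(trigger, fields):
    """Apply the automation-trigger conditions to one parsed log entry."""
    if "logid" not in fields or message_id(fields["logid"]) != trigger["logid"]:
        return False
    return all(fields.get(k) == v for k, v in trigger["fields"].items())


def matching_events(trigger, lines):
    """Return (index, time) for every line that would fire the stitch."""
    hits = []
    for idx, line in enumerate(lines):
        fields = parse_fortigate_log(line)
        if trigger_matches(trigger, fields):
            hits.append((idx, fields.get("time")))
    return hits
```

Running `matching_events(TRIGGER, SAMPLE_LOGS)` returns only the first line, which is the one event that would run the `diagnose vpn ike gateway clear name VPN-PRI` action after the 10-second delay.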
Results: