
How to fix Dialup IPsec VPN tunnels that are flapping between each other

This article describes dialup IPsec tunnels flapping between each other when the Hub terminates 2 tunnels over 2 ISPs and the Spoke builds those 2 tunnels over 1 ISP.

Scope

All non-end-of-support FortiGate FortiOS versions.

Solution

Visual Topology:

[Figure: Visual Topology]

Configuration is as follows:

Hub:

[Figure: Configuration for hub 1]

[Figure: Configuration for hub 2]

IPsec Tunnel Interface IP:

[Figure: IPsec Tunnel Interface IP on the Hub]

Spoke:

[Figure: Configuration for spoke 1]

[Figure: Configuration for spoke 2]

IPsec Tunnel Interface IP:

[Figure: IPsec Tunnel Interface IP on the Spoke]

As a result, from the perspective of the Spoke the two IPsec tunnels flap between each other:

[Figure: IPsec tunnels flapping, as seen from the Spoke]

Running 'diagnose vpn ike gateway list' every 5-10 seconds shows that the 'created' parameter keeps resetting to a very short value. This parameter is the uptime of the IPsec tunnel, so a value that never grows indicates that the tunnel is flapping. Passing user traffic through the tunnel results in packet loss.

Configuring IKEv1 aggressive mode with local/peer IDs, or IKEv2 with a network overlay ID, does not resolve the issue. Forcing NAT-T on one tunnel so that it forms over UDP port 4500 while the other tunnel uses UDP port 500 also does not resolve the issue.

There are 2 ways to resolve this issue:

Method 1: Configure 'route-overlap allow' in the phase2 selectors on the Hub side.

config vpn ipsec phase2-interface
    edit <hub-tunnel-name>
        set route-overlap allow
    next
end

Method 2: Configure system link-monitor and 'set monitor' in the IPsec phase1 settings of the Spoke.

'set monitor' keeps the secondary spoke tunnel down until the Spoke detects that the primary tunnel has gone down. DPD is used for this detection, so how quickly the tunnel-down condition is detected depends on the DPD values.

Example:

[Figure: 'set monitor' configured in the IPsec phase1 settings of the Spoke]

Link Monitor ensures proper route failover so that traffic is routed through the tunnel that is actually up. The server and source IPs used for the link-monitor are the IPs configured on the IPsec tunnel interfaces (the Hub's tunnel interface IP as the server, the Spoke's as the source).

Example:

[Figure: system link-monitor configuration on the Spoke]
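The following Spoke-side CLI is an added example of Method 2 in full, not a configuration taken from the article's screenshots: tunnel names, the WAN interface, the Hub gateway addresses (RFC 5737 documentation ranges), the 10.255.x.x tunnel interface IPs and the 10.0.0.0/24 Hub-side network are all assumed values.

```text
# Added example (constructed, not from the article). Names, WAN interface and
# addresses are assumptions; tunnel interface IPs assumed as 10.255.1.1/10.255.1.2.
config vpn ipsec phase1-interface
    edit "hub-isp1"
        set interface "wan1"
        set remote-gw 203.0.113.10
        # DPD values decide how quickly the primary tunnel is declared dead
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 5
        set psksecret <PSK-PLACEHOLDER>
    next
    edit "hub-isp2"
        set interface "wan1"
        set remote-gw 198.51.100.10
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 5
        # backup tunnel: stays down until hub-isp1 is detected down
        set monitor "hub-isp1"
        set psksecret <PSK-PLACEHOLDER>
    next
end
# Two routes to the Hub-side network; the lower priority value is preferred
config router static
    edit 1
        set dst 10.0.0.0 255.255.255.0
        set device "hub-isp1"
        set priority 1
    next
    edit 2
        set dst 10.0.0.0 255.255.255.0
        set device "hub-isp2"
        set priority 10
    next
end
# Ping the Hub's tunnel interface IP from the Spoke's tunnel interface IP;
# on failure the static route via hub-isp1 is withdrawn and route 2 takes over
config system link-monitor
    edit "lm-hub-isp1"
        set srcintf "hub-isp1"
        set server "10.255.1.1"
        set source-ip 10.255.1.2
        set protocol ping
        set interval 5
        set failtime 3
        set update-static-route enable
    next
end
```

After a failover, 'diagnose vpn ike gateway list' should show hub-isp2 with a steadily growing 'created' value and 'get router info routing-table all' should list only the route via hub-isp2.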