Showing posts with label fortigate.

Monday, August 22, 2016

HPE FlexFabric IRF with Fortigate HA - OSPF and VPN-instances


Two HPE Comware 7 switches, in IRF mode, connected to a Fortigate 600D pair in HA active/passive mode.

The links between the devices are crossed so that neither a single switch failure nor an HA failover breaks connectivity.

In my first attempt I assumed that, since the HPE switches use IRF, I should handle them as a single device when connecting them to the Fortigate HA pair, so I connected all 4 ports from the switches into one bridge-aggregation group. This configuration led to partial packet loss, since all 4 ports in the link-aggregation group were up and running (Fortigate ports are all up even though it is an HA configuration).

Configuring the Fortigate with 2 ports (port17 and port18) in aggregation mode carrying all the VLAN sub-interfaces, while the HPE switches are configured with 2 bridge-aggregation interfaces, one per switch, solved the problem.

Next there was the VPN-instance (VRF-lite in Cisco terms) issue. On the switches I configured 5 VPN-instances and one OSPF process per VPN-instance between the Fortigate and the switches. The Fortigate advertised a default route (under Router -> Dynamic -> Advanced) in "always" mode, but on the switches I did not see the default route in any VPN-instance. The problem was solved by issuing the command vpn-instance-capability simple in the OSPF process bound to each VPN-instance (shown in the configuration below).


This is the network topology:

HPE FlexFabric switch (relevant) configuration:

ip vpn-instance TEST1
 route-distinguisher 1:10
#
ip vpn-instance TEST2
 route-distinguisher 1:20
#
ip vpn-instance TEST3
 route-distinguisher 1:30
#
ip vpn-instance TEST4
 route-distinguisher 1:40
#
ip vpn-instance TEST5
 route-distinguisher 1:50
#
irf domain 1 
 irf mac-address persistent timer
 irf auto-update enable
 irf link-delay 200
 irf member 1 priority 32
 irf member 2 priority 31
 irf member 1 description IRF_UNIT1
 irf member 2 description IRF_UNIT2
 irf mode normal
#
 irf-port global load-sharing mode destination-ip source-ip
#
ospf 10 router-id 1.1.1.10 vpn-instance TEST1
 vpn-instance-capability simple
 area 0.0.0.10
  network 0.0.0.0 255.255.255.255
#
ospf 20 router-id 1.1.1.20 vpn-instance TEST2
 vpn-instance-capability simple
 area 0.0.0.20
  network 0.0.0.0 255.255.255.255
#
ospf 30 router-id 1.1.1.30 vpn-instance TEST3
 vpn-instance-capability simple
 area 0.0.0.30
  network 0.0.0.0 255.255.255.255
#
ospf 40 router-id 1.1.1.40 vpn-instance TEST4
 vpn-instance-capability simple
 area 0.0.0.40
  network 0.0.0.0 255.255.255.255
#
ospf 50 router-id 1.1.1.50 vpn-instance TEST5
 vpn-instance-capability simple
 area 0.0.0.50
  network 0.0.0.0 255.255.255.255
#
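In Comware, an OSPF process bound to a VPN instance behaves as an MPLS L3VPN PE-CE process by default and runs routing-loop detection on the routes it learns; vpn-instance-capability simple turns that off, which is what a plain VRF-lite design like this one needs. Forgetting the line on one of several near-identical processes is easy, so here is an added example (my code, not the post's) that audits a Comware config for exactly that: every OSPF process bound to a VPN-instance must carry the command, have a router-id, and bind a defined VPN-instance, and every VPN-instance must have a route-distinguisher and one OSPF process. The embedded sample config is constructed: a trimmed copy of the post's switch config in which the process for TEST3 is deliberately missing the line.

```python
"""Audit a Comware 7 config for OSPF-per-VPN-instance (VRF-lite) mistakes.

Added example, not code from the original post. SAMPLE_CONFIG is constructed:
a trimmed copy of the post's config with 'vpn-instance-capability simple'
deliberately left out of the TEST3 process.
"""
import re

# 'ospf <id> [router-id <rid>] [vpn-instance <name>]' as printed by 'display current-configuration'
OSPF_HEADER = re.compile(r"^ospf (\d+)(?: router-id (\S+))?(?: vpn-instance (\S+))?$")

SAMPLE_CONFIG = """\
ip vpn-instance TEST1
 route-distinguisher 1:10
#
ip vpn-instance TEST2
 route-distinguisher 1:20
#
ip vpn-instance TEST3
 route-distinguisher 1:30
#
irf domain 1
 irf member 1 priority 32
 irf member 2 priority 31
#
ospf 10 router-id 1.1.1.10 vpn-instance TEST1
 vpn-instance-capability simple
 area 0.0.0.10
  network 0.0.0.0 255.255.255.255
#
ospf 20 router-id 1.1.1.20 vpn-instance TEST2
 vpn-instance-capability simple
 area 0.0.0.20
  network 0.0.0.0 255.255.255.255
#
ospf 30 router-id 1.1.1.30 vpn-instance TEST3
 area 0.0.0.30
  network 0.0.0.0 255.255.255.255
#
"""


def split_blocks(config):
    """Comware separates views with lines containing only '#'; return each view's lines."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.strip() == "#":
            if current:
                blocks.append(current)
            current = []
        elif line.strip():
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def parse(config):
    """Return ({vpn_name: route_distinguisher}, {process_id: details}) from the config text."""
    vpns, processes = {}, {}
    for block in split_blocks(config):
        head, body = block[0], [line.strip() for line in block[1:]]
        if head.startswith("ip vpn-instance "):
            rd = next((l.split()[1] for l in body if l.startswith("route-distinguisher ")), None)
            vpns[head.split()[2]] = rd
            continue
        match = OSPF_HEADER.match(head)
        if match:
            pid, router_id, vpn = match.groups()
            processes[int(pid)] = {
                "router_id": router_id,
                "vpn_instance": vpn,
                "simple": "vpn-instance-capability simple" in body,
                "areas": [l.split()[1] for l in body if l.startswith("area ")],
            }
    return vpns, processes


def audit(config):
    """Return a list of findings; an empty list means the VRF-lite OSPF setup is consistent."""
    vpns, processes = parse(config)
    findings, bound = [], {}
    for pid, proc in sorted(processes.items()):
        vpn = proc["vpn_instance"]
        if vpn is None:
            continue  # global-table OSPF process, out of scope here
        bound.setdefault(vpn, []).append(pid)
        if vpn not in vpns:
            findings.append(f"ospf {pid}: bound to undefined vpn-instance {vpn}")
        if not proc["simple"]:
            findings.append(f"ospf {pid} (vpn-instance {vpn}): missing 'vpn-instance-capability simple', "
                            "routes learned from the Fortigate may be dropped by L3VPN loop detection")
        if proc["router_id"] is None:
            findings.append(f"ospf {pid}: no explicit router-id")
    for vpn, rd in vpns.items():
        if rd is None:
            findings.append(f"vpn-instance {vpn}: no route-distinguisher")
        if vpn not in bound:
            findings.append(f"vpn-instance {vpn}: no OSPF process bound")
        elif len(bound[vpn]) > 1:
            findings.append(f"vpn-instance {vpn}: bound by several OSPF processes {bound[vpn]}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Run it against a saved `display current-configuration` to check all five processes at once; on the sample it reports only the TEST3 process.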

Tuesday, April 26, 2016

Fortigate 80C Flash problem solution

While the Fortigate 80C is a pretty good UTM, some units arrived with faulty flash, which results in boot failures and lost configuration, and the local log storage option could not be used either, since logging to the flash stresses it and leads to failure.

The solution is to use a USB disk drive instead of the built-in 8GB flash.

First get a USB disk drive; I bought a SanDisk Cruzer Fit 16GB.

Then open the case and locate jumper J15 (or J3 on newer models):



Put a jumper on to short this connector:



Now the appliance will boot from the external USB drive instead of the built-in flash.

1. Plug the USB disk drive into one of the USB ports on the appliance
2. Connect your PC to the console port with a serial cable
3. Connect a network cable from the PC to port internal1
4. Configure your PC with IP address 192.168.1.168
5. Copy a firmware image (image.out) into your TFTP server folder, after checking it against the checksum published with the release; the boot loader fetches it over unauthenticated TFTP
6. Launch a TFTP server (tftpd32 for example), ideally bound only to the directly connected interface from step 3
7. Boot the appliance and follow the instructions to recover an image:


FortiGate-80C (16:50-09.27.2011)
Ver:04000009
Serial number:FGT80C1483814587
RAM activation
Total RAM: 1024MB
Enabling cache...Done.
Scanning PCI bus...Done.
Allocating PCI resources...Done.
Enabling PCI resources...Done.
Zeroing IRQ settings...Done.
Verifying PIRQ tables...Done.
Disabling local APIC...Done.
Boot up, boot device capacity: 14907MB.
Press any key to display configuration menu...
..
[G]:  Get firmware image from TFTP server.
[F]:  Format boot device.
[B]:  Boot with backup firmware and set as default.
[I]:  Configuration and information.
[Q]:  Quit menu and continue to boot with default firmware.
[H]:  Display this list of options.

Enter Selection [G]:

Enter G,F,B,I,Q,or H:

Please connect TFTP server to Ethernet port "1".

Enter TFTP server address [192.168.1.168]:
Enter local address [192.168.1.188]:
Enter firmware image file name [image.out]:
MAC:02050E8ACA1A
##########################
Total 27567478 bytes data downloaded.
Verifying the integrity of the firmware image.

Total 40000kB unzipped.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?D
Programming the boot device now.
.......................................
Reading boot image 1437434 bytes.
Initializing firewall...
System is starting...
Resizing shared data partition...done
Starting system maintenance...
Scanning /dev/sda1... (100%) 
Formatting shared data partition ... done!
(Depend on your USB disk size it may take a little while...)  

FGT80C1483814587 login:  admin
Password:
Welcome !
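Step 6 above needs a TFTP server on the PC. As an added example (my code, not anything from the post or from Fortinet), here is a minimal read-only TFTP server that serves exactly one file and refuses every other request, and that checks the image's SHA-256 against the value you pass on the command line before it serves anything, since the boot loader's menu will happily flash whatever arrives. Assumptions: the listen address 192.168.1.168 and file name image.out are the ones from steps 4 and 5, the expected checksum is the one published for that build, and binding UDP port 69 requires root.

```python
"""Minimal single-file, read-only TFTP server (RFC 1350, octet mode) for firmware recovery.

Added example, not code from the original post. Assumptions: the listen address
192.168.1.168 matches step 4, the image is image.out as in step 5, and the
expected SHA-256 passed on the command line is the one published for that build.
Binding UDP/69 requires root.
"""
import hashlib
import socket
import struct
import sys

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # RFC 1350 default; a block shorter than this ends the transfer


def verify_image(data, expected_sha256):
    """True when the image matches the checksum recorded for it (case-insensitive hex)."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.strip().lower()


def parse_request(packet):
    """Decode an RRQ/WRQ into (opcode, filename, mode); raise ValueError on anything else."""
    if len(packet) < 4:
        raise ValueError("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError(f"opcode {opcode} is not a request")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the empty piece after the final NUL
        raise ValueError("malformed request")
    return opcode, fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def data_packet(block, payload):
    """DATA packet: opcode 3, 16-bit block number (wraps), then up to 512 bytes."""
    return struct.pack("!HH", OP_DATA, block & 0xFFFF) + payload


def error_packet(code, message):
    """ERROR packet: opcode 5, error code, NUL-terminated text."""
    return struct.pack("!HH", OP_ERROR, code) + message.encode("ascii") + b"\x00"


def parse_ack(packet):
    """Block number acknowledged, or None if the packet is not a well-formed ACK."""
    if len(packet) != 4 or struct.unpack("!H", packet[:2])[0] != OP_ACK:
        return None
    return struct.unpack("!H", packet[2:4])[0]


def blocks(data):
    """Split data into 512-byte blocks; add an empty block when the size is a multiple of 512."""
    chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if len(data) % BLOCK_SIZE == 0:
        chunks.append(b"")
    return chunks


def serve_one_transfer(listener, allowed_name, image, timeout=5.0, retries=3):
    """Answer one RRQ on `listener`; refuse any other name, opcode or mode. True on success."""
    packet, client = listener.recvfrom(1024)
    try:
        opcode, name, mode = parse_request(packet)
    except ValueError as exc:
        listener.sendto(error_packet(4, str(exc)), client)
        return False
    if opcode != OP_RRQ or name != allowed_name or mode != "octet":
        listener.sendto(error_packet(2, "only an octet read of the firmware image is served"), client)
        return False
    # Per RFC 1350 the data flows from a fresh port: that port is the server's transfer ID.
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.settimeout(timeout)
    try:
        for block_no, chunk in enumerate(blocks(image), start=1):
            for _ in range(retries):
                xfer.sendto(data_packet(block_no, chunk), client)
                try:
                    reply, peer = xfer.recvfrom(1024)
                except socket.timeout:
                    continue
                if peer == client and parse_ack(reply) == (block_no & 0xFFFF):
                    break  # lock-step: send the next block only after this one is acknowledged
            else:
                return False  # client stopped answering
        return True
    finally:
        xfer.close()


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: tftp_recover.py <image.out> <expected-sha256>")
    image = open(sys.argv[1], "rb").read()
    if not verify_image(image, sys.argv[2]):
        sys.exit("checksum mismatch: refusing to serve this image")
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("192.168.1.168", 69))
    print(f"serving image.out ({len(image)} bytes) on 192.168.1.168:69")
    while True:
        ok = serve_one_transfer(listener, "image.out", image)
        print("transfer ok" if ok else "transfer refused or failed")
```

Because the script answers only an octet RRQ for image.out, a stray host on the same segment gets an error rather than a directory walk, and a corrupted or wrong download never reaches the appliance.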

Thursday, November 19, 2015

VPN site-to-site between Cisco ASA to Fortigate - Part 1

In the following post I will demonstrate a site-to-site (L2L) VPN configuration between Cisco ASA and Fortigate appliances.

These are the customer requirements for this setup:
- A site-to-site VPN between Office 1 and Office 2
- All traffic from Office 2 should pass through Office 1
- When Office 2 goes to the internet it will use Office 1's external IP

This is my lab setup:


Let's start with the Fortigate configuration.
Go to VPN -> IPsec -> Tunnels, type in a name for this tunnel and select Custom VPN Tunnel (No Template).


Fill in the required information: type in the remote IP address (10.1.0.1), fill in the pre-shared key and select the phase 1 proposal; here I chose IKEv1 with AES192 and SHA1, DH group 2 (1024-bit) and a key lifetime of 86400 seconds (24 hours).



Continue with the phase 2 selectors: type in the local networks (in this case I summarize the Office 2 networks as 192.168.48.0/21) and the remote networks, which in my case should be 0.0.0.0/0.0.0.0 in order to route all traffic through the VPN tunnel. For the phase 2 proposal I again chose AES192 with SHA1 and DH group 2, ticked PFS and set the key lifetime to 86400 seconds.



Note that I removed all other options from the phase 1 and phase 2 proposals and left only AES192 with SHA1. Whatever is chosen has to match on both ends exactly. Also note that DH group 2 (1024-bit MODP) and SHA1 are below current recommendations; prefer group 14 or higher and SHA256 when both peers support them.

Now go to Policy & Objects -> Objects -> Addresses and create a new address for the remote network:



And another one for the local networks:



Now let's configure the firewall policy: go to Policy & Objects -> Policy -> IPv4 and create a new policy from interface NET50 (VLAN50) with source address LOCAL_NETWORK to interface OFFICE1 (the VPN interface) with destination address REMOTE_NETWORK, and without NAT:



Create another policy in the opposite direction:




These two policies have to be repeated for each network (VLAN50, VLAN51 and so on). This is also the place to limit access between the two sites, for example with a policy that allows only HTTP and HTTPS between them.

Last, we need a static route toward the VPN tunnel: go to Router -> Static -> Static Routes and create a new static route with destination 0.0.0.0/0.0.0.0 and OFFICE1 (the VPN interface) as Device:



Note that we also need a static route to the remote device (the Cisco ASA at 10.1.0.1) via the ISP next-hop; without it the IKE and ESP packets addressed to the peer would match the default route into the tunnel itself and the tunnel could never come up:



Now let's configure the Cisco ASA. Here I will use the built-in wizard to create the tunnel, but I will explain each part of the configuration and also show the CLI configuration.

First we need an object for the remote network. Open ASDM, go to Configuration -> Firewall -> Objects -> Network Objects/Groups, click Add and create an object for the remote network:



And another object for the local network:



Again, here I summarize all the OFFICE1 networks as 192.168.0.0/21.

Now click Wizards in the toolbar and choose VPN Wizards -> Site-to-site VPN Wizard...



On the first screen click Next



Type in the Fortigate external IP (10.2.0.1) and choose the Cisco ASA external interface (EXTERNAL1):



Click Next

For the Local Network choose any4 and for the Remote Network choose the object we have just created (REMOTE_NETWORK); these mirror the Fortigate's phase 2 selectors (remote 0.0.0.0/0, local 192.168.48.0/21):


Click Next

Choose Customize Configuration and type the pre-shared key in all 3 places (although we are not going to use IKEv2, it is required in order to move between the tabs)


Click the IKE Version tab and clear the IKEv2 checkbox


Click the Encryption Algorithms tab and then click the IPsec proposal Select button


Clear everything under Assign-> and choose only ESP-AES-192-SHA (Tunnel mode), then click OK


Click Perfect Forward Secrecy and tick the checkbox to enable it:


On the NAT exempt screen click Next


On the Summary screen review the settings and click Finish


Now we need to create a NAT rule that exempts the traffic between the OFFICE1 and OFFICE2 networks from translation, so the original private addresses are kept and the packets match the tunnel's protected networks: go to Configuration -> Firewall -> NAT Rules and click Add:


Create a NAT rule that keeps the original IP from remote to local and vice versa:


This rule is bidirectional, so we do not need to configure the opposite direction.
Now we need to configure a firewall access rule for the VPN traffic: go to Configuration -> Firewall -> Access Rules and click Add:


Create an access rule on the external interface (EXTERNAL1) with REMOTE_NETWORK (192.168.48.0/21) as source and any as destination (this is what admits the decrypted Office 2 traffic, so keep the destination and services as narrow as the customer requirements allow):


Of course this rule must sit above the implicit deny rule if one is configured.
Click Save and then Apply.

That’s it – the tunnel should be up and running.
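Two of the steps above are the ones people trip over once the tunnel is configured: the Fortigate's default route into the tunnel also catches the IKE/ESP packets to 10.1.0.1 unless a more specific route sends the peer out via the ISP, and phase 2 only negotiates when each side's local selector equals the other side's remote selector (the Fortigate's 192.168.48.0/21 and 0.0.0.0/0 against the ASA's any4 and REMOTE_NETWORK). The following is an added example (my code, not the post's configuration) that models the Office 2 routing table with a longest-prefix lookup and checks both conditions. The post gives the Fortigate WAN 10.2.0.1, the ASA peer 10.1.0.1 and the two /21 summaries; the ISP next-hop 10.2.0.254 and the connected NET50 subnet 192.168.50.0/24 are assumptions.

```python
"""Routing and selector sanity checks for the ASA-to-Fortigate tunnel in this post.

Added example, not configuration from the post. From the post: Fortigate WAN
10.2.0.1, ASA peer 10.1.0.1, Office 2 summary 192.168.48.0/21, Office 1 summary
192.168.0.0/21. Assumed (not in the post): ISP next-hop 10.2.0.254, WAN subnet
10.2.0.0/24 and the connected NET50 subnet 192.168.50.0/24.
"""
from ipaddress import ip_address, ip_network

TUNNEL = "OFFICE1"  # the IPsec interface chosen as Device of the default static route

# Office 2 (Fortigate) routes as (destination, device/next-hop) before the peer host route exists.
OFFICE2_ROUTES = [
    ("192.168.50.0/24", "NET50 (connected)"),  # assumption: one of the Office 2 VLANs
    ("10.2.0.0/24", "wan1 (connected)"),        # assumption: the WAN subnet of 10.2.0.1
    ("0.0.0.0/0", TUNNEL),                      # everything else goes through Office 1
]
# The extra route the post says is also needed: the ASA itself via the ISP.
PEER_HOST_ROUTE = ("10.1.0.1/32", "wan1 via 10.2.0.254")


def lookup(routes, destination):
    """Longest-prefix match: return the device/next-hop for `destination`, or None."""
    dst, best = ip_address(destination), None
    for prefix, via in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def peer_reachable_outside_tunnel(routes, peer):
    """IKE/ESP to the peer must leave via the underlay, never via the tunnel it is building."""
    return lookup(routes, peer) != TUNNEL


def selectors_mirror(fgt_local, fgt_remote, asa_local, asa_remote):
    """Phase 2 negotiates only when each side's local set equals the other side's remote set."""
    def nets(prefixes):
        return {ip_network(p) for p in prefixes}
    return nets(fgt_local) == nets(asa_remote) and nets(fgt_remote) == nets(asa_local)


def flow_is_protected(local_nets, remote_nets, src, dst):
    """Would a src->dst packet match the tunnel's selectors and therefore be encrypted?"""
    s, d = ip_address(src), ip_address(dst)
    return (any(s in ip_network(n) for n in local_nets)
            and any(d in ip_network(n) for n in remote_nets))


if __name__ == "__main__":
    with_host_route = OFFICE2_ROUTES + [PEER_HOST_ROUTE]
    print("8.8.8.8 leaves via:", lookup(with_host_route, "8.8.8.8"))  # OFFICE1: internet via Office 1
    print("peer reachable without host route:", peer_reachable_outside_tunnel(OFFICE2_ROUTES, "10.1.0.1"))
    print("peer reachable with host route:   ", peer_reachable_outside_tunnel(with_host_route, "10.1.0.1"))
    print("selectors mirror:", selectors_mirror(["192.168.48.0/21"], ["0.0.0.0/0"],
                                                ["0.0.0.0/0"], ["192.168.48.0/21"]))
```

Swap in your own prefixes and the check tells you, before you stare at IKE debugs, whether the peer would be routed into its own tunnel or whether the two proxy-ID sets disagree.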

Now let's review the wizard's configuration: go to Configuration -> Site-to-Site VPN and choose Connection Profiles; here we should see the connection profile for the newly created tunnel:


Here we can see the protected networks, the group policy, pre-shared key and phase1/phase2 encryption algorithms.

In the Crypto Map Entry we can see some more settings, such as NAT-T and Reverse Route Injection:


And on the Tunnel group we can see the IKE keepalive settings:


Under Configuration -> Site-to-Site VPN -> Group Policies we can find the group policy created for the tunnel, which lets us choose the tunneling protocol and various timers (idle, maximum connect time), and also the Filter option, which lets us create an ACL to permit or deny traffic on this tunnel.


Under Configuration -> Site-to-Site VPN -> Advanced -> Crypto Maps we can find the tunnel's crypto map, with some more settings such as traffic selection:


In the next post I will provide the CLI configuration, NAT for VPN traffic and some debugging commands.

Saturday, June 27, 2015

Fortigate port-forward using dynamic IP



Fortigate port-forwarding on a WAN interface with a dynamic IP (such as PPPoE and L2TP dialers).

Go to Policy & Objects -> Objects -> Virtual IPs and click Create New



Enter the VIP name

Choose the internal interface

Leave External IP Address/Range at 0.0.0.0; this tells the Fortigate to use whatever address the WAN interface currently holds, which is what makes the VIP work behind a dialer

Enter in Mapped IP Address/Range the internal IP address of the server

If you want all ports forwarded to this address click OK; otherwise tick the Port Forwarding checkbox and enter the external and internal protocol and ports.

Here in my example it is 192.168.10.150 (the server IP) and I've mapped TCP port 80 to 33000.

Click OK

Go to Policy & Objects -> Policy -> IPv4 and click Create New



Choose the WAN interface as incoming interface,

Choose LAN as outgoing interface,

Choose the server VIP we have just created as Destination Address,

Turn NAT on and select all other required parameters (AV, IPS, Web Filter etc.); keep the source address as narrow as the service allows, since with "all" the VIP exposes the server to the entire internet.

Click OK

That’s it.