Forward error correction on VPN overlay networks
This topic shows an SD-WAN with forward error correction (FEC) on VPN overlay networks. FEC is a technique used to control and correct errors in data transmission by sending redundant data across the VPN. It uses six parameters in IPsec phase1/phase1-interface settings:
| Parameter | Description |
|---|---|
| fec-ingress | Enable/disable Forward Error Correction for ingress IPsec traffic (default = disable). |
| fec-egress | Enable/disable Forward Error Correction for egress IPsec traffic (default = disable). |
| fec-base | The number of base Forward Error Correction packets (1 - 100, default = 20). |
| fec-redundant | The number of redundant Forward Error Correction packets (1 - 100, default = 10). |
| fec-send-timeout | The time before sending Forward Error Correction packets, in milliseconds (1 - 1000, default = 8). |
| fec-receive-timeout | The time before dropping Forward Error Correction packets, in milliseconds (1 - 1000, default = 5000). |
For every fec-base number of sent packets, the tunnel will send fec-redundant number of redundant packets.
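The relationship between fec-base and fec-redundant can be made concrete with a small simulation. The following Python is an added illustration and is not FortiOS's backend FEC algorithm (which is not documented on this page); it uses a simple XOR parity scheme in which every `redundant` parity packet covers an interleaved group of `base / redundant` data packets, so each group can reconstruct exactly one lost packet. The packet payloads, the fixed 8-byte packet length, and the loss patterns are constructed for the example.

```python
"""Toy block-FEC simulation (added example, not FortiOS's algorithm).

For every `base` data packets the sender emits `redundant` parity packets.
Parity packet g is the XOR of data packets g, g+redundant, g+2*redundant, ...
so each interleaved group tolerates one loss.  Payloads are fixed length.
"""
from __future__ import annotations


def xor_bytes(blocks: list[bytes]) -> bytes:
    """XOR equal-length byte strings together (assumption: fixed-size packets)."""
    out = bytearray(blocks[0])
    for b in blocks[1:]:
        for i, v in enumerate(b):
            out[i] ^= v
    return bytes(out)


def fec_groups(base: int, redundant: int) -> list[list[int]]:
    """Interleaved groups: parity g protects data indices g, g+redundant, ..."""
    if not 1 <= redundant <= base:
        raise ValueError("need 1 <= redundant <= base")
    return [list(range(g, base, redundant)) for g in range(redundant)]


def fec_encode(data: list[bytes], redundant: int) -> list[bytes]:
    """Produce `redundant` parity packets for one block of len(data) packets."""
    return [xor_bytes([data[i] for i in grp])
            for grp in fec_groups(len(data), redundant)]


def fec_decode(base: int, redundant: int,
               got_data: dict[int, bytes],
               got_parity: dict[int, bytes]) -> tuple[dict[int, bytes], list[int]]:
    """Rebuild lost data packets where a group lost exactly one packet and
    its parity arrived.  Returns (recovered, unrecoverable indices)."""
    recovered: dict[int, bytes] = {}
    lost: list[int] = []
    for g, grp in enumerate(fec_groups(base, redundant)):
        missing = [i for i in grp if i not in got_data]
        if not missing:
            continue
        if len(missing) == 1 and g in got_parity:
            present = [got_data[i] for i in grp if i in got_data]
            recovered[missing[0]] = xor_bytes(present + [got_parity[g]])
        else:
            lost.extend(missing)
    return recovered, sorted(lost)


def bandwidth_overhead(base: int, redundant: int) -> float:
    """Extra bytes sent per data byte, ignoring headers (0.5 for 20/10)."""
    return redundant / base


def simulate(base: int, redundant: int, drop_data: set[int],
             drop_parity: set[int] = frozenset(), pkt_len: int = 8):
    """Send one FEC block, drop the given data/parity indices, decode.
    Returns (all recovered payloads correct, recovered indices, lost indices)."""
    data = [bytes([i]) * pkt_len for i in range(base)]      # constructed payloads
    parity = fec_encode(data, redundant)
    got_data = {i: p for i, p in enumerate(data) if i not in drop_data}
    got_parity = {g: p for g, p in enumerate(parity) if g not in drop_parity}
    recovered, lost = fec_decode(base, redundant, got_data, got_parity)
    correct = all(recovered[i] == data[i] for i in recovered)
    return correct, sorted(recovered), lost


if __name__ == "__main__":
    # Default FortiOS values: base=20, redundant=10 -> groups of two packets.
    print(simulate(20, 10, {3, 7}))     # losses in different groups: both rebuilt
    print(simulate(20, 10, {3, 13}))    # two losses in one group: unrecoverable
    print(bandwidth_overhead(20, 10))
```

With the default 20/10 settings the scheme adds 50% redundant traffic and survives one loss per pair of packets; raising fec-redundant towards fec-base buys recovery capacity at the cost of bandwidth, which is the trade-off the two parameters expose. The fec-receive-timeout on the page plays the role of how long the receiver holds an incomplete group before giving up on it.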
If your FortiGate is NPU capable, disable NPU offload on the tunnel:

    config vpn ipsec phase1-interface
        edit <name>
            set npu-offload disable
        next
    end
Example
For example, a customer has two ISP connections, wan1 and wan2. Using these two connections, create two IPsec VPN interfaces as SD-WAN members. Configure FEC on each VPN interface to lower the packet loss ratio by sending redundant packets using the FortiGate's backend FEC algorithm.
To configure IPsec VPN:
    config vpn ipsec phase1-interface
        edit "vd1-p1"
            set interface "wan1"
            set peertype any
            set net-device disable
            set proposal aes256-sha256
            set dhgrp 14
            set remote-gw 172.16.201.2
            set psksecret ftnt1234
            set fec-egress enable
            set fec-send-timeout 8
            set fec-base 20
            set fec-redundant 10
            set fec-ingress enable
            set fec-receive-timeout 5000
        next
        edit "vd1-p2"
            set interface "wan2"
            set peertype any
            set net-device disable
            set proposal aes256-sha256
            set dhgrp 14
            set remote-gw 172.16.202.2
            set psksecret ftnt1234
            set fec-egress enable
            set fec-send-timeout 8
            set fec-base 20
            set fec-redundant 10
            set fec-ingress enable
            set fec-receive-timeout 5000
        next
    end
    config vpn ipsec phase2-interface
        edit "vd1-p1"
            set phase1name "vd1-p1"
        next
        edit "vd1-p2"
            set phase1name "vd1-p2"
        next
    end
To configure the interface:
    config system interface
        edit "vd1-p1"
            set ip 172.16.211.1 255.255.255.255
            set remote-ip 172.16.211.2 255.255.255.255
        next
        edit "vd1-p2"
            set ip 172.16.212.1 255.255.255.255
            set remote-ip 172.16.212.2 255.255.255.255
        next
    end
To configure the firewall policy:
    config firewall policy
        edit 1
            set name "1"
            set srcintf "dmz"
            set dstintf "virtual-wan-link"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
To configure SD-WAN:
    config system sdwan
        set status enable
        config members
            edit 1
                set interface "vd1-p1"
                set gateway 172.16.211.2
            next
            edit 2
                set interface "vd1-p2"
                set gateway 172.16.212.2
            next
        end
    end
If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.
To use the diagnose command to check VPN FEC status:
    # diagnose vpn tunnel list
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=vd1 ver=1 serial=1 172.16.200.1:0->172.16.200.2:0
    bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0e10]=create_dev frag-rfc fec-egress fec-ingress accept_traffic=1
    proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0
    stat: rxp=0 txp=0 rxb=0 txb=0
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    fec-egress: base=20 redundant=10 remote_port=50000 <<<<<<<<<<<<<<<<<<<<<<
    fec-ingress: base=20 redundant=10 <<<<<<<<<<<<<<<<<<<<<<
    proxyid=demo proto=0 sa=1 ref=2 serial=1
      src: 0:10.1.100.0/255.255.255.0:0
      dst: 0:173.1.1.0/255.255.255.0:0
      SA: ref=3 options=10226 type=00 soft=0 mtu=1390 expire=42897/0B replaywin=2048
           seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
      life: type=01 bytes=0/0 timeout=42899/43200
      dec: spi=181f4f81 esp=aes key=16 6e8fedf2a77691ffdbf3270484cb2555
           ah=sha1 key=20 f92bcf841239d15d30b36b695f78eaef3fad05c4
      enc: spi=0ce10190 esp=aes key=16 2d684fb19cbae533249c8b5683937329
           ah=sha1 key=20 ba7333f89cd34cf75966bd9ffa72030115919213
      dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
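The two marked lines above (fec-egress and fec-ingress with their base/redundant values) are what confirms FEC is actually active on a tunnel; with many SD-WAN overlays it is easy to enable it on one phase1 and forget another. The following Python is an added example, not a FortiOS tool, that parses saved `diagnose vpn tunnel list` output and reports tunnels whose FEC state does not match the intended settings. The sample output embedded in it is constructed for the example (it follows the layout of the output above, with a second tunnel deliberately missing fec-ingress and using a different fec-redundant value); the function and variable names are the example's own.

```python
"""Check FEC state in saved `diagnose vpn tunnel list` output.

Added example (not a FortiOS command).  Splits the output into one chunk
per tunnel at each "name=" line and collects the fec-egress/fec-ingress
lines, then compares them with the intended base/redundant values.
"""
import re

# Constructed sample in the layout of `diagnose vpn tunnel list`.
# vd1-p1 has FEC both ways; vd1-p2 is egress-only with redundant=5.
DIAG_SAMPLE = """list all ipsec tunnel in vd 0
------------------------------------------------------
name=vd1-p1 ver=1 serial=1 172.16.200.1:0->172.16.201.2:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0e10]=create_dev frag-rfc fec-egress fec-ingress accept_traffic=1
stat: rxp=0 txp=0 rxb=0 txb=0
fec-egress: base=20 redundant=10 remote_port=50000
fec-ingress: base=20 redundant=10
proxyid=vd1-p1 proto=0 sa=1 ref=2 serial=1
------------------------------------------------------
name=vd1-p2 ver=1 serial=2 172.16.200.1:0->172.16.202.2:0
bound_if=12 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0e10]=create_dev frag-rfc fec-egress accept_traffic=1
stat: rxp=0 txp=0 rxb=0 txb=0
fec-egress: base=20 redundant=5 remote_port=50000
proxyid=vd1-p2 proto=0 sa=1 ref=2 serial=1
"""

TUNNEL_RE = re.compile(r"^name=(\S+)", re.M)
FEC_RE = re.compile(r"^fec-(egress|ingress): base=(\d+) redundant=(\d+)", re.M)


def parse_tunnels(text: str) -> dict[str, dict[str, tuple[int, int]]]:
    """Map tunnel name -> {"egress": (base, redundant), "ingress": (...)}.
    A direction is absent from the inner dict when no fec line was printed."""
    starts = [m.start() for m in TUNNEL_RE.finditer(text)]
    tunnels: dict[str, dict[str, tuple[int, int]]] = {}
    for n, start in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(text)
        chunk = text[start:end]
        name = TUNNEL_RE.match(chunk).group(1)
        tunnels[name] = {d: (int(b), int(r)) for d, b, r in FEC_RE.findall(chunk)}
    return tunnels


def check_fec(tunnels: dict[str, dict[str, tuple[int, int]]],
              expected_base: int, expected_redundant: int,
              want: tuple[str, ...] = ("egress", "ingress")) -> list[str]:
    """Return one message per tunnel/direction that is missing or mismatched."""
    problems = []
    for name, fec in tunnels.items():
        for direction in want:
            if direction not in fec:
                problems.append(f"{name}: fec-{direction} not active")
            elif fec[direction] != (expected_base, expected_redundant):
                problems.append(
                    f"{name}: fec-{direction} base/redundant = {fec[direction]}, "
                    f"expected ({expected_base}, {expected_redundant})")
    return problems


if __name__ == "__main__":
    # Run against the diagnose output from the configuration on this page
    # (base=20, redundant=10, FEC enabled in both directions).
    for line in check_fec(parse_tunnels(DIAG_SAMPLE), 20, 10):
        print(line)
```

Run it with the real output pasted into a file (for example `diagnose vpn tunnel list > fec.txt` via your terminal's capture, then `parse_tunnels(open("fec.txt").read())`); an empty result means every tunnel shows both FEC directions with the intended parameters. Both ends of a tunnel must agree, so it is worth running the same check on the peer's output as well.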