Forward error correction on VPN overlay networks
This topic shows an SD-WAN with forward error correction (FEC) on VPN overlay networks. FEC can be used to lower packet loss ratio by consuming more bandwidth. It uses six parameters in IPsec phase1/phase1-interface setting.
l fec-ingress. Disabled by default. l fec-egress. Disabled by default. l fec-base. <1-100>. Default=20. l fec-redundant. <1-100>. Default=10. l fec-send-timeout. <1-1000>. Default=8. l fec-receive-timeout.<1-10000>. Default=5000.
For example, a customer has tow ISP connections, wan1 and wan2. Using these two connections, create two IPsec VPN interfaces as SD-WAN members. Configure FEC on each VPN interface to lower packet loss ratio by retransmitting the packets using its backend algorithm.
Sample topology
To configure IPsec VPN:
config vpn ipsec phase1-interface edit “vd1-p1” set interface “wan1” set peertype any set net-device disable set proposal aes256-sha256 set dhgrp 14 set remote-gw 172.16.201.2 set psksecret ftnt1234 set fec-egress enable set fec-send-timeout 8 set fec-base 20 set fec-redundant 10 set fec-ingress enable set fec-receive-timeout 5000
next edit “vd1-p2” set interface “wan2” set peertype any set net-device disable set proposal aes256-sha256 set dhgrp 14 set remote-gw 172.16.202.2
set psksecret ftnt1234 set fec-egress enable set fec-send-timeout 8 set fec-base 20 set fec-redundant 10 set fec-ingress enable set fec-receive-timeout 5000
next
end
config vpn ipsec phase2-interface edit “vd1-p1”
set phase1name “vd1-p1”
next edit “vd1-p2”
set phase1name “vd1-p2”
next
end
To configure the interface:
config system interface
edit “vd1-p1”
set ip 172.16.211.1 255.255.255.255 set remote-ip 172.16.211.2 255.255.255.255
next edit “vd1-p2”
set ip 172.16.212.1 255.255.255.255 set remote-ip 172.16.212.2 255.255.255.255
next
end
To configure the firewall policy:
config firewall policy edit 1
set name “1” set srcintf “dmz” set dstintf “”virtual-wan-link”” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set nat enable
next
end To configure SD-WAN:
config system virtual-wan-link
set status enable config members
edit 1
set interface “vd1-p1” set gateway 172.16.211.2 next
edit 1 set interface “vd2-p2” set gateway 172.16.212.2
next
end
end
To use the diagnose command to check VPN FEC status:
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
—————————————————–name=vd1 ver=1 serial=1 172.16.200.1:0->172.16.200.2:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0e10]=create_dev frag-rfc fec-egress fec-ingress accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 fec-egress: base=20 redundant=10 remote_port=50000 <<<<<<<<<<<<<<<<<<<<<< fec-ingress: base=20 redundant=10 <<<<<<<<<<<<<<<<<<<<<< proxyid=demo proto=0 sa=1 ref=2 serial=1
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:173.1.1.0/255.255.255.0:0
SA: ref=3 options=10226 type=00 soft=0 mtu=1390 expire=42897/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42899/43200
dec: spi=181f4f81 esp=aes key=16 6e8fedf2a77691ffdbf3270484cb2555 ah=sha1 key=20 f92bcf841239d15d30b36b695f78eaef3fad05c4
enc: spi=0ce10190 esp=aes key=16 2d684fb19cbae533249c8b5683937329 ah=sha1 key=20 ba7333f89cd34cf75966bd9ffa72030115919213
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0