FGT: Update to IPSEC throughput test

FortiGate/Playground/IPSEC-test/templates/customdata-fgt.tftpl

@@ -5,7 +5,7 @@ MIME-Version: 1.0
 Content-Type: text/plain; charset="us-ascii"
 MIME-Version: 1.0
 Content-Transfer-Encoding: 7bit
-Content-Disposition: attachment; filename="config"
+Content-Disposition: attachment; filename="preconfig"
 
 config system sdn-connector
 	edit AzureSDN
@@ -17,26 +17,32 @@ config sys global
     set hostname "${fgt_vm_name}"
     set timezone 26
     set gui-theme mariner
-    set ipsec-soft-dec-async enable
+    set ipsec-round-robin enable
+end
+config system affinity-packet-redistribution
+    edit 1
+        set interface "port1"
+        set rxqid 255
+        set round-robin enable
+        set affinity-cpumask "ffff"
+    next
+end
+config system probe-response
+    set mode http-probe
+    set port 8008
+    set http-probe-value "OK"
 end
 config system interface
     edit port1
         set mode static
         set ip ${fgt_external_ipaddress} ${fgt_external_mask}
         set description external
-        set allowaccess ping https ssh ftm
-        set secondary-IP enable
-        config secondaryip
-        %{ for i in range(1, fgt_external_ipcount + 1) ~}
-            edit ${i}
-                set ip ${cidrhost(fgt_external_network, i + 4)} ${fgt_external_mask}
-            next
-        %{ endfor ~}
-        end
+        set allowaccess ping https ssh probe-response
     next
     edit port2
         set mode static
         set ip ${fgt_internal_ipaddress}/${fgt_internal_mask}
+        set allowaccess ping probe-response
         set description internal
     next
 end
@@ -52,6 +58,21 @@ config router static
         set gateway ${fgt_external_gateway}
         set device port1
     next
+    edit 2
+        set dst ${fgt_protected_network}
+        set gateway ${fgt_internal_gateway}
+        set device port2
+    next
+    edit 3
+        set dst 168.63.129.16 255.255.255.255
+        set gateway ${fgt_external_gateway}
+        set device "port1"
+    next
+    edit 4
+        set dst 168.63.129.16 255.255.255.255
+        set gateway ${fgt_internal_gateway}
+        set device "port2"
+    next
 end
 
 %{ if fgt_license_fortiflex != "" }
@@ -74,4 +95,64 @@ Content-Disposition: attachment; filename="${fgt_license_file}"
 ${file(fgt_license_file)}
 
 %{ endif }
+--===============0086047718136476635==
+Content-Type: text/plain; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Content-Disposition: attachment; filename="preconfig"
+
+config vpn ipsec phase1-interface
+    edit "vpn1"
+        set interface "port1"
+        set ike-version 2
+        set keylife 28800
+        set peertype any
+        set net-device disable
+        set packet-redistribution enable
+        set proposal aes256-sha256
+        set network-overlay enable
+        set network-id 1
+        set remote-gw ${remote_public_ip}
+        set psksecret ${ipsec_psk}
+    next
+end
+config vpn ipsec phase2-interface
+    edit "vpn1"
+        set phase1name "vpn1"
+        set proposal aes256-sha256
+        set keepalive enable
+        set keylifeseconds 3600
+        set auto-negotiate enable
+    next
+end
+config router static
+    edit 5
+        set dst ${remote_protected_network}
+        set device vpn1
+    next
+end
+config firewall policy
+    edit 1
+        set name "InboundIPSEC"
+        set srcintf "vpn1"
+        set dstintf "port2"
+        set action accept
+        set srcaddr "all"
+        set dstaddr "all"
+        set schedule "always"
+        set service "ALL"
+        set logtraffic all
+    next
+    edit 2
+        set name "OutboundIPSEC"
+        set srcintf "port2"
+        set dstintf "vpn1"
+        set action accept
+        set srcaddr "all"
+        set dstaddr "all"
+        set schedule "always"
+        set service "ALL"
+        set logtraffic all
+    next
+end
 --===============0086047718136476635==--

FortiGate/Playground/IPSEC-test/terraform-azure-elb/00-general.tf

@@ -0,0 +1,216 @@
+##############################################################################################################
+#
+# Fortinet FortiGate Terraform deployment template to deploy a IPSEC test setup
+#
+##############################################################################################################
+
+# Prefix for all resources created for this deployment in Microsoft Azure
+variable "PREFIX" {
+  description = "Added name to each deployed resource"
+}
+
+variable "LOCATION" {
+  description = "Azure region"
+}
+
+variable "USERNAME" {}
+
+variable "PASSWORD" {}
+
+##############################################################################################################
+# FortiGate license type
+##############################################################################################################
+
+variable "FGT_IMAGE_SKU" {
+  description = "Azure Marketplace Image SKU hourly (PAYG) or byol (Bring your own license)"
+  default     = "fortinet_fg-vm"
+}
+
+variable "FGT_VERSION" {
+  description = "FortiGate version by default the 'latest' available version in the Azure Marketplace is selected"
+  default     = "7.4.4"
+}
+
+variable "FGT_BYOL_LICENSE_FILE_A" {
+  default = ""
+}
+
+variable "FGT_BYOL_FORTIFLEX_LICENSE_TOKEN_A" {
+  default = ""
+}
+
+variable "FGT_BYOL_LICENSE_FILE_B" {
+  default = ""
+}
+
+variable "FGT_BYOL_FORTIFLEX_LICENSE_TOKEN_B" {
+  default = ""
+}
+
+##############################################################################################################
+# VM options
+##############################################################################################################
+
+variable "FGT_SSH_PUBLIC_KEY_FILE" {
+  default = ""
+}
+
+variable "ACCELERATED_NETWORKING" {
+  type        = string
+  description = "(Optional) Enable/Disable accelerated networking (default: true)"
+  default     = "true"
+}
+
+variable "TAGS" {
+  type        = map(string)
+  description = "A map of tags added to the deployed resources"
+
+  default = {
+    "environment" = "IPSEC-test"
+    "publisher"   = "Fortinet"
+    "40NET-OWNER" = "jvanhoof@fortinet-us.com"
+  }
+}
+
+##############################################################################################################
+# Deployment in Microsoft Azure
+##############################################################################################################
+terraform {
+  required_version = ">= 0.12"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">=2.12.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+##############################################################################################################
+# Static variables
+##############################################################################################################
+
+variable "vnet" {
+  type        = map(string)
+  description = ""
+
+  default = {
+    "a" = "172.16.136.0/24"
+    "b" = "172.16.137.0/24"
+  }
+}
+
+variable "subnet_fgt_external" {
+  type        = map(string)
+  description = ""
+
+  default = {
+    "a" = "172.16.136.0/26"
+    "b" = "172.16.137.0/26"
+  }
+}
+
+variable "subnet_fgt_internal" {
+  type        = map(string)
+  description = ""
+
+  default = {
+    "a" = "172.16.136.64/26"
+    "b" = "172.16.137.64/26"
+  }
+}
+
+variable "subnet_protected" {
+  type        = map(string)
+  description = ""
+
+  default = {
+    "a" = "172.16.136.128/26"
+    "b" = "172.16.137.128/26"
+  }
+}
+
+##############################################################################################################
+# Virtual Machines sizes
+##############################################################################################################
+
+variable "fgt_a_vmsize" {
+  default = "Standard_D16s_v5"
+}
+
+variable "fgt_b_vmsize" {
+  default = "Standard_D16s_v5"
+}
+
+# Change cpumask depending on instance type: 
+# 4 core = f
+# 8 core = ff
+# 16 core = ffff
+variable "fgt_a_cpumask" {
+  default = "ffff"
+}
+
+variable "fgt_b_cpumask" {
+  default = "ffff"
+}
+
+variable "lnx_vmsize" {
+  default = "Standard_D4s_v4"
+}
+
+variable "lnx_count" {
+  default = 2
+}
+
+##############################################################################################################
+# Resource Groups
+##############################################################################################################
+
+resource "azurerm_resource_group" "resourcegroup" {
+  name     = "${var.PREFIX}-rg"
+  location = var.LOCATION
+
+  tags = var.TAGS
+
+  lifecycle {
+    ignore_changes = [
+      tags["CreatedOnDate"], tags["FTNT-CREATOR"],
+    ]
+  }
+}
+
+##############################################################################################################
+# Storage Accounts for boot diagnostics
+##############################################################################################################
+
+resource "random_id" "saname" {
+
+  byte_length = 6
+}
+
+##############################################################################################################
+# Generate IPSEC PSK key for VPN tunnel between FGT A and B
+##############################################################################################################
+
+resource "random_string" "ipsec_psk" {
+  length  = 16
+  special = true
+}
+##############################################################################################################
+
+locals {
+  fgt_external_ipcount = 32
+  fgt_a_prefix         = "${var.PREFIX}-fgt-a"
+  fgt_a_vm_name        = "${local.fgt_a_prefix}-vm"
+  fgt_a_private_ip_address_ext = cidrhost(var.subnet_fgt_external["a"], 5)
+  fgt_a_private_ip_address_int = cidrhost(var.subnet_fgt_internal["a"], 5)
+  fgt_b_prefix         = "${var.PREFIX}-fgt-b"
+  fgt_b_vm_name        = "${local.fgt_b_prefix}-vm"
+  fgt_b_private_ip_address_ext = cidrhost(var.subnet_fgt_external["b"], 5)
+  fgt_b_private_ip_address_int = cidrhost(var.subnet_fgt_internal["b"], 5)
+}
+
+##############################################################################################################