Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Cogency
New Contributor

Best VPN option for backup ISP WAN connections

Hello Everyone,

 

I am looking into how to connect several sites to each other, who all have a primary broadband WAN connection and a 5G backup WAN connection, all with static IPs. Our current site-to-site connections are only configured to use one WAN connection on each end, so when the office broadband connection goes down on occasion, the office has internet access via the 5G but no VPN access because it is configured for the single interface. There seem to be multiple paths i could take here and none of them seem as simple as i thought they would be. 

 

Our network mainly consists of all Fortigate devices. F40s, 60Fs, a 61F, a 71F, and some 81Fs at our two data centers.

 

Approximately 15 of our sites, including our data centers, LANs are already connected to eachother via L3VPN managed by Windstream, connected to their SDWAN solution, VeloCloud, and routed to eachother via BGP.

 

The other 15 sites are not on any kind of managed SDWAN solution at this time. Each site has a primary broadband WAN connection, and a backup 5G connection. They are currently setup to connect to our data center via IPSEC site-to-site at our main data center, 81F-ColoPrimary. The problem we want to solve is when their primary broadband connection goes down, is to stay connected to our data centers.

 

Our goal is:

  • Approximately 15 sites backup 5G ISP WAN connections be configured with both connections into an SDWAN zone, configured to fail over to the backup WAN if the primary connection is unusable
    • This has been done on 40F-Test and 40F-Dover2 with a very basic config
  • Configure them so they can connect to eachother and access eachothers internal LAN subnets through either WAN interface, through IPSEC tunnels or another means
  • Utilize a routing protocol such as BGP so the sites can talk directly to eachother if feasible

 

So i found this tech tip article and started going through it on our test Fortigate-Test. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984...

It was tedious but if it will actually work i suppose its doable... if it really works.
 
I got to the point in the directions where you are required to make some changes through the CLI. This doesnt seem like the right thing to be doing for 15 sites. If it is im fine with it, but stopped there to see if there is a better way.
 
 
But as i started watching the videos i realized they really build upon eachother, i cant really jump right to part 19 because it references things that have already been setup.
 
If you check out the above video and can recommend what they are presenting here in part 19 - (Adding a redundant VPN link and having FortiGate SD-WAN pick best path using Performance SLAs) then i will proceed with it, but if there is a better way and i am just missing it please let me know. I also have a ticket start with support to basically ask them the same question but figured asking here would be a good idea as well.
If you have any questions let me know.
Thanks in advance for any advice you have on this!
 
Jesse
 
 
 
 
1 Solution
xshkurti
Staff
Staff

@Cogency 
Thanks for your query.
Actually, i suspect support will give you design advices, because it requires changes in your infrastructure.

Based on your requirements, you are in need for ADVPN with SDWAN.

Please check this link as it has some good configuration examples.

ADVPN and shortcut paths | FortiGate / FortiOS 7.4.1 | Fortinet Document Library

 

Regards,

View solution in original post

2 REPLIES 2
xshkurti
Staff
Staff

@Cogency 
Thanks for your query.
Actually, i suspect support will give you design advices, because it requires changes in your infrastructure.

Based on your requirements, you are in need for ADVPN with SDWAN.

Please check this link as it has some good configuration examples.

ADVPN and shortcut paths | FortiGate / FortiOS 7.4.1 | Fortinet Document Library

 

Regards,

Cogency

Sorry for the very late reply, but thank you for the advice.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors