unknown
New Member
August 27, 2019
Question

Dialup Tunnel Setup with SDWAN at the Branch Site


Hi all,

I have a specific request to set up SD-WAN at a branch site. The branch site will run version 6.2.1 and the IPsec tunnels will terminate on a perimeter multi-tenant firewall running version 5.2.7. I am planning to set up dial-up tunnels, as the remote branch WAN IPs will be dynamic, using LTE or 3G. The issue I have is that the version 5.2.7 perimeter firewall does not add the peer tunnel IP to the routing table. I did a similar setup on later versions and did not experience the same issue. I cannot upgrade the perimeter firewall. I will need to do dynamic routing across the tunnels; when I set up BGP and the peer BGP request hits the perimeter firewall, the traffic gets dropped due to the reverse path check.

Here is my setup on the perimeter side.

config vpn ipsec phase1-interface
    edit "www1"
        set type dynamic
        set interface "wan1"
        set nattraversal disable
        set mode aggressive
        set add-route disable
        set dpd-retrycount 2
        set dpd-retryinterval 1
    next
    edit "www2"
        set type dynamic
        set interface "wan2"
        set nattraversal disable
        set mode aggressive
        set add-route disable
        set dhgrp 5
        set dpd-retrycount 2
        set dpd-retryinterval 1
    next
end

config vpn ipsec phase2-interface
    edit "www1"
        set phase1name "www1"
        set dhgrp 5
        set keepalive enable
    next
    edit "www2"
        set phase1name "www2"
        set dhgrp 5
        set keepalive enable
    next
end

config system interface
    edit "www1"
        set vdom "root"
        set ip 10.11.6.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.11.6.254
        set snmp-index 14
        set interface "wan1"
    next
    edit "www2"
        set vdom "root"
        set ip 10.11.7.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.11.7.254
        set snmp-index 15
        set interface "wan2"
    next
end

As per the below, I don't see the peer IPs, which are 10.11.6.2 and 10.11.7.2:

dc # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

C       10.1.20.0/30 is directly connected, looback-1
C       10.11.6.1/32 is directly connected, www1_0
C       10.11.6.254/32 is directly connected, www1_0
C       10.11.7.1/32 is directly connected, www2_0
C       10.115.97.254/32 is directly connected, www2_0
C       10.120.192.0/24 is directly connected, port1
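The reverse-path drop described in the question can be reproduced offline from the routing table alone. What follows is an added example written for this page, not code from the poster or from Fortinet: it parses FortiOS-style `get router info routing-table all` output, does a longest-prefix lookup, and models both FortiOS RPF modes (loose, the default, accepts a packet if any route to the source leaves the ingress interface; strict requires the best route to do so). The sample table is constructed from the one in the post, with a default route via port1 added as an assumption (the post does not show one) because that is the route the hub falls back to for a peer address it has no specific entry for. Treat the RPF logic as an approximation of the FortiGate behaviour, not a reimplementation of it.

```python
import ipaddress
import re

# Constructed sample, modelled on the routing table in the post above.
# The S* default route is an assumption: it is not shown in the post.
SAMPLE_ROUTING_TABLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.120.192.1, port1
C       10.1.20.0/30 is directly connected, loopback-1
C       10.11.6.1/32 is directly connected, www1_0
C       10.11.6.254/32 is directly connected, www1_0
C       10.11.7.1/32 is directly connected, www2_0
C       10.11.7.254/32 is directly connected, www2_0
C       10.120.192.0/24 is directly connected, port1
"""

# One route line: code, prefix, anything, then ", <egress interface>" at the end.
ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+.*?,\s*(?P<iface>\S+)\s*$"
)


def parse_routes(text):
    """Return [(network, egress_interface), ...] from routing-table output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:  # header and blank lines simply do not match
            net = ipaddress.ip_network(m.group("prefix"), strict=False)
            routes.append((net, m.group("iface")))
    return routes


def best_route(routes, addr):
    """Longest-prefix match for addr, or None if nothing covers it."""
    ip = ipaddress.ip_address(addr)
    candidates = [(net, iface) for net, iface in routes if ip in net]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


def rpf_check(routes, src_ip, ingress_iface, strict=False):
    """Model of the FortiOS reverse-path check on a packet from src_ip
    arriving on ingress_iface.
    loose  (default): pass if ANY route to src_ip exits via ingress_iface.
    strict:           pass only if the BEST route to src_ip exits via it."""
    ip = ipaddress.ip_address(src_ip)
    if strict:
        best = best_route(routes, src_ip)
        return best is not None and best[1] == ingress_iface
    return any(ip in net and iface == ingress_iface for net, iface in routes)


def missing_peer_routes(routes, peers):
    """peers maps expected dial-up peer tunnel IP -> hub tunnel interface.
    Returns the subset whose BGP/OSPF packets would fail even loose RPF,
    i.e. the hub has no route back to them through the tunnel."""
    return {ip: iface for ip, iface in peers.items()
            if not rpf_check(routes, ip, iface)}


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTING_TABLE)
    expected_peers = {"10.11.6.2": "www1_0", "10.11.7.2": "www2_0"}
    for peer, iface in expected_peers.items():
        chosen = best_route(table, peer)
        print(f"{peer}: best route -> {chosen}, "
              f"loose RPF on {iface}: {rpf_check(table, peer, iface)}")
    print("peers with no return route via their tunnel:",
          missing_peer_routes(table, expected_peers))
```

Run against the constructed table, both peers resolve to the default route out port1, so a BGP OPEN arriving on www1_0 or www2_0 fails RPF in either mode, which is exactly the drop the question reports. Adding a /32 for the peer on the tunnel interface (or a summary covering the dial-up pool, pointing at the tunnel) is what makes the check pass; the same script can be rerun on the real `get router info routing-table all` output to confirm.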


    smari
    New Member
    August 28, 2019

    So the remote IP on the tunnel interface is .2?

    Is there any reason you have the remote-ip 10.11.6.254 and 10.11.7.254?

    unknown (Author)
    New Member
    August 28, 2019

    The reason for that is that the configuration is based on a pilot I did some time ago running version 6.2 on both sides; version 5.2.7 does not allow me to add the subnet mask in the IP. I would assume I can add the remote IP and make it 10.115.6.2, but how will that scale out with multiple branches?

    smari
    New Member
    August 28, 2019

    It doesn't scale; it's just a peer-to-peer type of scenario.

    If I was doing a scenario like that with multiple branches, I would switch to mode-cfg on the hub and assign IP addresses dynamically to the dial-up clients.

    Then run OSPF over the dial-up connection.

    Done that a few times with good results.

    https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-ipsecvpn-52/OSPF_Dynamic_IPsec/Overview.htm

    The only reason I would use BGP would be if I was doing ADVPN, which is not supported in 5.2.
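To make the mode-cfg plus OSPF approach in the reply above concrete, here is an added hub-and-spoke configuration sketch written for this page. It is not smari's configuration and not taken from the linked Fortinet document; the interface names, addresses, peer ID and PSK are placeholders, and the keywords follow the FortiOS 5.2 CLI as I know it, so check them against the 5.2 CLI reference for your build before pasting (the `#` lines are explanatory and should be dropped if you paste interactively). Two deliberate changes from the poster's config: `add-route disable` on both ends so that OSPF, not the phase 2 selectors, installs routes, and IKEv2 instead of aggressive-mode IKEv1, because aggressive mode with a PSK hands an offline-crackable hash to anyone who can talk to the hub's WAN address. If a branch must stay on IKEv1, replace `set ike-version 2` with `set mode aggressive` and keep the peer ID.

```fortios
# Hub (perimeter firewall): one dynamic phase1 that hands each dial-up
# client a tunnel IP from a pool, and OSPF point-to-multipoint over it.
config vpn ipsec phase1-interface
    edit "hub-dial"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set peerid "branches"
        set dhgrp 14
        set add-route disable
        set mode-cfg enable
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip 10.11.6.10
        set ipv4-end-ip 10.11.6.250
        set ipv4-netmask 255.255.255.0
        set psksecret "replace-with-a-long-random-psk"
    next
end
config vpn ipsec phase2-interface
    edit "hub-dial"
        set phase1name "hub-dial"
        set keepalive enable
    next
end
config system interface
    edit "hub-dial"
        set ip 10.11.6.1 255.255.255.255
        set remote-ip 10.11.6.254
    next
end
config router ospf
    set router-id 10.11.6.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "hub-dial"
            set interface "hub-dial"
            set network-type point-to-multipoint
        next
    end
    config network
        edit 1
            set prefix 10.11.6.0 255.255.255.0
        next
    end
end

# Spoke (branch): requests its tunnel IP via mode-cfg and runs OSPF with the
# same network type as the hub so hello/dead timers agree.
config vpn ipsec phase1-interface
    edit "to-hub"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set ike-version 2
        set localid "branches"
        set dhgrp 14
        set add-route disable
        set mode-cfg enable
        set psksecret "replace-with-a-long-random-psk"
    next
end
config vpn ipsec phase2-interface
    edit "to-hub"
        set phase1name "to-hub"
        set keepalive enable
        set auto-negotiate enable
    next
end
config router ospf
    set router-id 192.168.10.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "to-hub"
            set interface "to-hub"
            set network-type point-to-multipoint
        next
    end
    config network
        edit 1
            set prefix 10.11.6.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.10.0 255.255.255.0
        next
    end
end
```

The `config network` prefix on the hub must cover both the hub's own tunnel address and the whole mode-cfg pool, otherwise OSPF never runs on the dial-up interface and the spokes' LAN prefixes are never learned. Once adjacencies come up, `get router info routing-table all` on the hub should show each spoke's LAN as an `O` route via the per-client `hub-dial_N` sub-interface, which is also what makes the reverse-path check pass for traffic arriving from that spoke. A single shared PSK and peer ID for all branches, as sketched here, means one compromised branch can impersonate any other; per-branch peer IDs (or certificates) on the hub are the stronger option where the number of sites allows it.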