LorenzoManfrin
Explorer
April 14, 2025
Solved

FORTIGATE SDWAN WITH IPSEC OVER MPLS AND DIA

Hi all,

I have 3 branches with an MPLS link to HQ and a DIA access.

We have only one ISP that manages two different connections for every branch. The ISP gives me the possibility to use the local internet connection as a DIA in every branch. The ISP manages the redundancy of the MPLS and internet links between the two different connections they provide.

I want to build an IPSEC tunnel over the MPLS for security reasons and use this also to route some particular internet traffic. In case this link goes down I need to route all the internet traffic through the DIA. I always need the possibility to use the DIA for other traffic.

Branches do not need to talk to each other.

This is the network scheme. I only manage the FortiGates. Routers are managed by the ISP. I've coloured the path that I want to implement.

[Image: Screenshot 2025-04-14 160407.png]

- Should I use SDWAN to manage that?

- Do I need BGP?

- How do I manage route changes and NAT changes?

Best answer by Atul_S
Staff & Editor
April 15, 2025

Hi Lorenzo,

SDWAN would be a wise option to control the traffic traversing IPSEC to HQ and the local Internet breakout point. Since branches are not supposed to talk to each other, I don't see a point in having BGP unless the number of LAN prefixes behind each branch and HQ is huge. But having BGP would be better for scalability and also takes care of the route changes. NAT for the outgoing traffic will be taken care of based on the routing exit gateway and SDWAN.

Please also refer to the docs below for reference:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-MPLS-and-IPSEC-tunnel-redundancy-with-link/ta-p/208593

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Best-practice-when-implementing-SD-WAN-over/ta-p/291504

Thanks,

LorenzoManfrin
Explorer
April 15, 2025

Hi Atul,

Thanks.

I have a lot of LAN prefixes behind each branch and I like the idea of more scalability and building a future-proof architecture, so I think I'll go with BGP.

By the way, I don't have any experience with BGP. Where can I learn something about it related to this architecture?

Thanks.