Skip to main content
bcote
bcote
New Member
May 23, 2017
Question

IPSEC & SSLVPN Loopback Interface connection for redundant WAN connectivity

  • May 23, 2017
  • 2 replies
  • 18184 views

Hi all,

 

I have been playing around with the VPN's on my fortigates and was able to a connection and traffic flowing no problem. My goal though, is to allow the VPN connections to use my SD-WAN interface(2 x 1 Gbps links) so that I can get some type of redundancy on the VPN side. My initial goal is for Forticlient connectivity for my users, but once the transition is completed, I do want to look at Site-to-Site VPN for some remote locations.

 

I was suggested to create a loopback interface since you cannot point to an SD-WAN interface for VPN configuration. Is that the best way to achieve my redundant link? Is there anything else or someone that could give me a quick config look so I can apply it to my environment?

 

Thanks for the help,

 

Benoit

2 replies

bcote
bcoteAuthor
New Member
May 23, 2017

You can ignore my original post. Through some documentation and trial and error, I found the right configuration.

 

Thanks,

 

Ben

jgauthier
jgauthier
New Member
May 25, 2017

Hi Ben,

 

I'm pretty much trying to achieve the same thing... what is your recipe ? :)

Thanks

JF

bcote
bcoteAuthor
New Member
May 26, 2017

Hi JF,

 

I can definitely try pointing you in the right direction. Hopefully the way I achieve it is recommended :) I'm sure others can chime in if they see something wrong. 

 

For me, I wanted to have the VPN portion on it's own public IP(we have a full class B so that isn't an issue). I'm sure you could apply this config with a Nat'ed IP if you had to.

 

Step 1 - Create your Loopback Interface and assign it the IP of your choice, apply WAN role and allow PING                          temporarily to be sure you can reach the interface from outside.(testing in Step 6)

 

Step 2 - Create an Address object for your Loopback Interface IP.(optional)

 

Step 3 - Create a Static Route using Named Address with Destination(loopback Address you just created or insert                  IP), Device being your LAN interface(in my case, I have an LACP connection to my Core), Gateway 0.0.0.0. 

 

Step 4 - Create your IPSEC(or SSLVPN) Tunnel and point the Interface to the Loopback Interface you created in Step 1. To start, I simply went through the IPSEC wizard and followed the instructions and assigned a local account to allow access

 

Step 5 - Create your IPv4 Policy to allow External access to the Loopback interface(IKE,HTTPS,PING services suffice to allow IPSEC and SSLVPN and allow your ping test). This would have your SDWAN as the incoming interface and Loopback Interface at the Outgoing. In my case, NAT was turned off as I am using a Public IP.

 

Step 6 - Confirm you can ping your Loopback interface.

 

Step 7 - You should have 3 IPv4 polices to have this work.

          The new policy from your SD-WAN to the Loopback Interface.            The policy created from your IPSEC tunnel to your LAN interface with your Client VPN subnet as source

          The policy created from your IPSEC tunnel to your SDWAN interface with NAT turned on towards your Outgoing Interface Address.

 

Hopefully I didn't forget anything. If you have any other questions, don't hesitate to let me know.

 

Ben

 

 

KPS
KPS
New Member
May 16, 2018

Hi Ben!

 

I just found your post and it is exactly, what I am looking for, but at the moment, the VPN does not come up. Can you give me a hint about what I was doing wrong?

 

The goal is to be able to use the VPN-Tunnel through WAN1 and WAN2. At the moment, it is working through WAN1, if I user WAN1 as interface in Phase 1 IPSEC.

 

 

 

On branch office-FG:

 

- Create Loopback-Interface, name Loopback01 with IP 10.99.99.1 and role WAN, Ping allowed --> OK

- Create Address object "10.99.99.1/32" name LoopbackAddress, Type Sbunet, Interface ANY

- Create Static Route (FIRST QUESTION), Destination "Named Address LoopbackAddress", Gateway 0.0.0.0, Interface Loopback01, Distance 10??

--> I do not understand that static route

 

- IPSEC-Tunnel (change Interface to Loopback01)

- Create IPv4-Policy, WAN1 to Loopback01 ANY Allow (as test)

- Test Ping Loopback From Which Interface should it be "pingable"

 

--> IPSEC does not come up.

 

 

Thank you for your help!

 

KPS

 

 

 

 

 

Terms & ConditionsAccessibility statement