Hello, we are just starting to implement SD-WAN and I have a question on how to setup IPsec tunnels because I am sure I am overlooking something or making things more complicated than they are. If both sites have a Primary WAN and a Secondary WAN, do I have to create 4 tunnels and 8 policies to make all the possible combinations to keep the traffic flowing at all times without manual intervention or is there a better way to accomplish that? IPsec tunnel sourceIPsec tunnel destinationPrimary WANSecondary WANFortigate 1Fortigate 2WAN1 WAN2 Fortigate 1Fortigate 2WAN1BACKUP WANFortigate 1Fortigate 2BACKUP WANWAN2Fortigate 1Fortigate 2BACKUP WANBACKUP WANFortigate 2Fortigate 1WAN2WAN1Fortigate 2Fortigate 1BACKUP WANWAN1Fortigate 2Fortigate 1WAN2BACKUP WANFortigate 2Fortigate 1BACKUP WANBACKUP WAN

Visitor III

Question

SD-WAN and IPsec

Forum|Forum|1 year ago
August 23, 2024
2 replies
1662 views

Hello, we are just starting to implement SD-WAN and I have a question on how to setup IPsec tunnels because I am sure I am overlooking something or making things more complicated than they are.

If both sites have a Primary WAN and a Secondary WAN, do I have to create 4 tunnels and 8 policies to make all the possible combinations to keep the traffic flowing at all times without manual intervention or is there a better way to accomplish that?

IPsec tunnel source	IPsec tunnel destination	Primary WAN	Secondary WAN
Fortigate 1	Fortigate 2	WAN1	WAN2
Fortigate 1	Fortigate 2	WAN1	BACKUP WAN
Fortigate 1	Fortigate 2	BACKUP WAN	WAN2
Fortigate 1	Fortigate 2	BACKUP WAN	BACKUP WAN
Fortigate 2	Fortigate 1	WAN2	WAN1
Fortigate 2	Fortigate 1	BACKUP WAN	WAN1
Fortigate 2	Fortigate 1	WAN2	BACKUP WAN
Fortigate 2	Fortigate 1	BACKUP WAN	BACKUP WAN

FortiGate

amrit

Staff & Editor

What type of ipsec tunnels are you creating ? Is it ADVPN HUB and spoke or is this a site to site vpn tunnel? Yes, for the failover purposes, it would be best to create two tunnels on each wan link i.e four tunnels but you don’t need to create 8 policies because you can enable multi interface policies. So if all these tunnels will allow the same phase 2 selectors, with multi interface policies you just need two policies

ezhupa

Staff

Hello Krissie,

For redundancy purposes and SDWAN implementation yes you would need 2 overlays. For the next part it depends on what topology you would like to implement. If it's a sort of full mesh where every FGT is connected to every FGT then yes you would need policies for all the SDWAN zones you would create. Since the IPSEC tunnels will be part of SDWAN you will use the SDWAN interface in the policy. (not the tunnel interfaces itself)
If you are implementing a sort of HUB-SPOKE topology or ADVPN you can refer to the below documentation:
https://docs.fortinet.com/document/fortigate/6.4.2/administration-guide/783373/hub-and-spoke-sd-wan-deployment-example
https://docs.fortinet.com/document/fortigate/7.2.0/sd-wan-sd-branch-architecture-for-mssps/151899/basic-sd-wan-advpn-design

Hope this helps.
Enea

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded