osaleem2_10
Explorer III
April 23, 2025
Question

sd-wan vpn

  • April 23, 2025
  • 5 replies
  • 2299 views

Dears,

I have built an SD-WAN project for one of my customers that has 2 WAN links (ISP1 with a public IP, ISP2 via a 5G modem). When I came to the VPN configuration to connect all branches, I went with dial-up hub and spoke as usual. I created the VPN in the normal way from the VPN category.

 

I have seen a document explaining how to create a VPN under SD-WAN (link below), but I'm still not sure whether that scenario applies to my case, since I have 2 WANs and only one of them has a public IP. I'm not sure what the difference is between creating the VPN from the VPN category and creating it from SD-WAN to be added as a member!?

Please, can anyone explain and advise on the difference if we have 2 public IPs, or in my case 1 public IP and one 5G modem with a private IP?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/209840

Thanks

5 replies

sw2090
SuperUser
April 23, 2025

Well, if the public IP is directly on the WAN interface of the FortiGate you can connect directly.

In the other case you have a hop in between (the modem), so the FortiGate does not directly have the public IP of this WAN. For IPsec that means you may have to forward 500/udp (IPsec) and probably 4500/udp (NAT-T) on that modem to your FortiGate to be able to connect that IPsec.

syordanov
Staff
April 23, 2025

Dear osaleem2_10,

If one of the ISPs provides a private IP address, make sure that DDNS is configured on your HUB, so you can use an FQDN on the spokes, because you are not sure when the ISP will change the public IP address.

A useful KB on how to configure DDNS can be found below:

https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/685361/ddns

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-Dynamic-DNS-FortiGate/ta-p/208780

Like sw2090 mentioned, setting NAT-T to 'forced' will be good as well.

Regarding the setup, first configure the IPsec and then add it to the SD-WAN configuration.

 

Best regards,

Fortinet

osaleem2_10
Explorer III
April 28, 2025

I appreciate your reply. It's clear, thanks. But still, I'm not sure about the VPN point.

Does configuring the VPN as a member under SD-WAN, or in the normal way from VPN tunnel, make any difference?

syordanov
Staff
April 28, 2025

@osaleem2_10, the order is:

- configure the VPN (phase 1/phase 2); a VPN interface will then be created automatically

- once the VPN interface is created, you can add it as an SD-WAN member to one of the zones.

sw2090
SuperUser
April 28, 2025

As long as you don't want redundancy/failover there is no need for sdwan.

If you need/want redundancy/failover then sdwan is the easiest way.

Just configure two ipsecs that have the same destination (p2 quick selectors) and create an sdwan zone with these as members. Then just create an sdwan rule for the zone to tell sdwan when to use which ipsec (do load balancing or just failover etc.) and then just set a route to your destination(s) using the sdwan zone as interface. Then you just need some policies to allow traffic (plus ipsec will not come up if there is not at least one policy referring to it) and that's it.

sdwan will then take care of the routing according to its rules.
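The two-tunnel SD-WAN setup sw2090 describes above (two IPsecs with the same selectors, one zone, one rule, a route via the zone, a policy), in the configure-IPsec-first order syordanov gives, written out as an added FortiOS 7.x CLI example. This is not configuration from either poster or from Fortinet. It assumes a spoke FortiGate whose wan1 carries the public ISP1 address and whose wan2 sits behind the 5G modem's NAT, a hub reachable at the placeholder address 203.0.113.10 (a DDNS FQDN would take its place, as syordanov suggests), a hub LAN of 10.0.0.0/16 with a probe target at 10.0.0.1, a spoke LAN of 10.1.0.0/24 on the `internal` interface, and placeholder names such as HUB-VIA-WAN1, overlay, hq-probe and HQ-LAN. It goes slightly beyond the post by adding an SD-WAN health check, so that the rule fails over when a tunnel is up but the path behind it is dead, not only when IKE drops.

```text
# Spoke-side FortiOS 7.x CLI (added example; every name, address and the PSK is a placeholder)

# Step 1 (syordanov): build the IPsec tunnels first, one per WAN link, both to the same hub.
# wan2 is behind the 5G modem's NAT, hence "nattraversal forced" (sw2090 / syordanov).
# 203.0.113.10 stands in for the hub's public IP; a DDNS name would use "set type ddns" + "set remotegw-ddns".
config vpn ipsec phase1-interface
    edit "HUB-VIA-WAN1"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret <PSK-PLACEHOLDER>
    next
    edit "HUB-VIA-WAN2"
        set interface "wan2"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal forced
        set remote-gw 203.0.113.10
        set psksecret <PSK-PLACEHOLDER>
    next
end

# Identical quick selectors on both phase 2s; auto-negotiate keeps the standby tunnel up for probing.
config vpn ipsec phase2-interface
    edit "HUB-VIA-WAN1-P2"
        set phase1name "HUB-VIA-WAN1"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.0.0
    next
    edit "HUB-VIA-WAN2-P2"
        set phase1name "HUB-VIA-WAN2"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.0.0
    next
end

config firewall address
    edit "HQ-LAN"
        set subnet 10.0.0.0 255.255.0.0
    next
end

# Step 2: the tunnel interfaces become members of one SD-WAN zone. The health check toward a
# hub-side address (placeholder 10.0.0.1) is what lets the rule fail over on a dead path.
config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "HUB-VIA-WAN1"
            set zone "overlay"
        next
        edit 2
            set interface "HUB-VIA-WAN2"
            set zone "overlay"
        next
    end
    config health-check
        edit "hq-probe"
            set server "10.0.0.1"
            set members 1 2
        next
    end
    config service
        edit 1
            set name "branch-to-hq"
            set mode priority
            set dst "HQ-LAN"
            set health-check "hq-probe"
            set priority-members 1 2
        next
    end
end

# Route to the hub LAN via the zone, plus a policy referencing the zone (without one the tunnels never come up).
config router static
    edit 1
        set dst 10.0.0.0 255.255.0.0
        set sdwan-zone "overlay"
    next
end
config firewall policy
    edit 1
        set name "branch-to-hq"
        set srcintf "internal"
        set dstintf "overlay"
        set srcaddr "all"
        set dstaddr "HQ-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

With `set mode priority` and `set priority-members 1 2`, traffic to HQ-LAN uses the ISP1 tunnel while hq-probe reports it alive and moves to the 5G tunnel otherwise, which is the plain failover case the original poster asked about; a load-balancing rule would change only the `config service` entry. Verify the keywords against the firmware actually deployed, since the `sdwan-zone` route option and the `config system sdwan` tree differ between FortiOS 6.4 and 7.x.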

 

sw2090
SuperUser
April 28, 2025

Oh, forgot to mention: sdwan VPN will not work correctly with dial-up tunnels, at least when they are in interface mode, because it cannot correctly determine the tunnel statuses due to dial-up connections being enumerated.

osaleem2_10
Explorer III
April 28, 2025

Thanks for your reply. This was my concern.

Regarding my VPN, actually I don't need VPN redundancy. I only need to connect some branches ("spokes") to my HQ ("hub"). I was using dial-up VPN, not ADVPN, as there is no need for the spokes to have a direct connection to each other, only to the hub. As you mentioned, that's not correct. Kindly let me know the replacement solution.