Topology change assistance

Question

Having a major issue with a non-Fortigate SDWAN provider. Essentially, IPSEC tunnels from Fortigates terminating to our SDWAN provider do not stay up so we need to begin bypassing them.

Our current setup is quite basic in our datacenter. SDWan Router (10.0.0.1) -> Transparent FTG200E (10.0.0.2) -> internal network (10.0.0.3-10.0.1.255)

I've tried port forwarding through the SDWan router but it seems to only allow one tunnel to be up at a time which is unacceptable as we have multiple small sites.

What I'd like to do, is bring in another WAN connection and have it on the transparent FGT200E so the branch sites can terminate directly to it. Would it be as simple as that? Would that extra WAN connection require its own VDOM? I'm a little unsure of how that would work.

Any assistance would be appreciated and I'd be happy to give more details if necessary.

Thanks

sw2090 · Answer

you could do what we do here:

we use sdwan for internet access

but our ipsec tunnels are connected to the physical wans.

There is two ipsecs from HQ to each shop with redundand static routing (just different prio)

Both stay up and running this way (unless the wan is gone on one side of course) and if one goes away the routing switche to the other.

I might add some blackhole routing to speed up the switching but it takes a sec only anyways.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded