FortiGate
luisedopicari
Article Id 391717
Description

This article explains how to configure a FortiGate-60F with a role of Spoke in an SD-WAN network, for SD-WAN On-Ramp by establishing an IPsec tunnel between the FortiGate and a FortiSASE SD-WAN On-Ramp location.

The entire configuration will be performed through FortiManager for centralized management and streamlined deployment.

Scope

FortiGate, FortiManager, FortiSASE, SD-WAN, v7.4.6.
Solution
  1. Validate the prerequisites for using SD-WAN On-Ramp in FortiSASE:
  • Supported models and firmware.
  • FortiCloud account prerequisites.
  • Network topology.
  • FortiSASE SD-WAN On-Ramp license.


Picture3.jpg

  2. Configure the IPsec device as an SD-WAN On-Ramp. To configure and deploy an SD-WAN On-Ramp location, log in to the FortiSASE account:
    1. Go to Edge Devices -> SD-WAN On-Ramp.
    2. Select the On-Ramp Locations tab.
    3. Select Deploy On-Ramp Location.
    4. Configure the following settings on the Deploy On-Ramp Location page:
      • Tunnel interface IP: the IP address of the IPsec tunnel interface of the FortiSASE On-Ramp location (169.X.X.65).
      • IP range: the IP address range that the SD-WAN On-Ramp location assigns as tunnel interface addresses to IPsec devices using mode configuration (169.X.X.66-169.X.X.94).
      • Subnet mask: the mask corresponding to that IP address range (255.255.255.224).
      • Pre-shared key: the key for the IPsec connection; the same key is entered later in the FortiGate IPsec template.


Picture1.jpg

  3. Configure policies to control traffic flow from the Spoke.
    1. Create a Security Profile group: go to Configuration -> Security -> Profile Group -> + (Create).


Picture5.jpg

    2. Create hosts and host groups: go to Configuration -> Hosts -> Create.


Picture6.jpg

    3. Configure a policy for the Spoke. For this article, NAT has been enabled in the Spoke firewall policy. All policy enforcement in FortiSASE will be on the IP tunnel interface. Go to Configuration -> Traffic -> Policies -> + Create:
      • Source Scope: Edge Device.
      • Source: Specify, then select the host/host groups created for the Spoke local subnet.
      • Action: Accept.
      • Profile Group: Specify, then select the security profile group created earlier in this step.


Picture7.jpg

  4. Configure the FortiGate IPsec connection to FortiSASE.
    1. Connect and log in to the FortiManager.
    2. Configure the IPsec VPN using the 'IPsec Tunnel' provisioning template:
      • Go to Provisioning Template -> IPsec Tunnel.
      • Select the IPsec Tunnel template to edit.
      • Select Create New.
      • Configure the following VPN Setup options:
        • In the Name field, enter POPVPN.
        • For Remote device, select Dynamic DNS.
        • For Remote Gateway (FQDN): go to FortiSASE -> Edge Devices -> SD-WAN On-Ramp -> On-Ramp Locations and copy the 'FQDN' value.


Picture8.jpg
Return to FortiManager and paste the value into 'Remote Gateway (FQDN)':


Picture9.jpg

From the Outgoing Interface dropdown list, select the WAN interface that the FortiGate uses for the VPN connection, 'wan1'.

  • Enable network overlays.
  • Set the VPN gateway network ID to 1.
  • For the Authentication method, select Pre-Shared Key.
  • In the Pre-shared key field, define the key. The same key must be entered in FortiSASE: go to FortiSASE -> Edge Devices -> SD-WAN On-Ramp -> On-Ramp Locations and edit the location:


Picture10.jpg

Return to FortiManager and continue with the 'IPsec Tunnel' template:

  • Enable IKEv2.
  • Go to Phase 2 Interface -> Create New.
  • In the Name field, enter POPVPN.
  • Select 'OK'.
  • Go to Advanced Options:
    • Enable mode-cfg.
    • Enable auto-discovery receiver.


Picture11.jpg
Select 'OK':


Picture12.jpg
Select 'OK':


Picture13.jpg
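The 'IPsec Tunnel' template is installed on the spoke as an IPsec phase1-interface and phase2-interface configuration. The FortiOS CLI below is an added example, not code from the article or from the FortiManager template, showing the configuration that corresponds to the settings listed above. The FQDN and pre-shared key are placeholders to be replaced with the values shown in FortiSASE; the names POPVPN and wan1 are the article's. Lines starting with '#' are explanatory comments, not commands.

```fortios
# Added example (not from the article): spoke-side IPsec configuration
# equivalent to the 'IPsec Tunnel' template settings.
config vpn ipsec phase1-interface
    edit "POPVPN"
        # Remote device: Dynamic DNS, with the FQDN copied from the
        # FortiSASE On-Ramp location (placeholder below)
        set type ddns
        set remotegw-ddns "<onramp-location-fqdn>"
        # Outgoing interface the FortiGate uses for the VPN
        set interface "wan1"
        # IKEv2 and pre-shared key authentication; the key must match the
        # one set on the On-Ramp location (placeholder below)
        set ike-version 2
        set authmethod psk
        set psksecret "<pre-shared-key>"
        # Network overlays with VPN gateway network ID 1
        set network-overlay enable
        set network-id 1
        # Advanced Options: the On-Ramp assigns the tunnel interface
        # address (mode-cfg) and advertises shortcuts (ADVPN receiver)
        set mode-cfg enable
        set auto-discovery-receiver enable
    next
end
config vpn ipsec phase2-interface
    edit "POPVPN"
        set phase1name "POPVPN"
    next
end
```

After the template is installed, `show vpn ipsec phase1-interface POPVPN` on the FortiGate confirms that ike-version, mode-cfg, network-overlay and network-id arrived as intended; the psksecret is displayed encrypted.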

  5. Configure an SD-WAN template for the connection to FortiSASE:
    1. Connect to the FortiManager.
    2. Go to Provisioning Template -> SD-WAN.
    3. Select the SD-WAN template to edit.


Picture14.jpg

 

    4. Create the SD-WAN zone and member:
      • Go to SD-WAN Zones -> Create New -> SD-WAN Zone. In the Name field, enter FortiSASE-PoP.
      • Go to SD-WAN Zones -> Create New -> SD-WAN Member. Set Interface Member: POPVPN and SD-WAN Zone: FortiSASE-PoP.


Picture15.jpg

 

    5. Create a Performance SLA to monitor the connection through FortiSASE:
      • Go to Performance SLA -> Create New.
      • In the Name field, enter DNS_Google_4.
      • Set Server: 8.8.4.4.
      • Set Participants -> Specify -> POPVPN.
      • Set the SLA Target.

Picture16.jpg

 

    6. Create an SD-WAN rule to steer 'Office 365' traffic through FortiSASE: go to SD-WAN Rules -> Create New.


Picture17.jpg

Select 'OK'.
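The SD-WAN template above results in a zone, a member, a health check and a rule in the spoke's `config system sdwan`. The CLI below is an added example, not the article's or FortiManager's own output, showing that configuration with the article's names (FortiSASE-PoP, POPVPN, DNS_Google_4, 8.8.4.4). The SLA threshold values, the rule name and the use of the built-in Internet Service 'Microsoft-Office365' to match Office 365 are assumptions, since the article does not state them. Lines starting with '#' are explanatory comments.

```fortios
# Added example (not from the article): spoke-side SD-WAN configuration
# equivalent to the SD-WAN template settings.
config system sdwan
    set status enable
    # SD-WAN zone that the firewall policy references
    config zone
        edit "FortiSASE-PoP"
        next
    end
    # The POPVPN tunnel interface is the only member of the zone
    config members
        edit 1
            set interface "POPVPN"
            set zone "FortiSASE-PoP"
        next
    end
    # Performance SLA: ping 8.8.4.4 through the tunnel member.
    # Threshold values are assumed; the article only says "Set the SLA Target".
    config health-check
        edit "DNS_Google_4"
            set server "8.8.4.4"
            set members 1
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
    end
    # SD-WAN rule steering Office 365 over the tunnel while the SLA is met.
    # Rule name and the ISDB match are assumptions.
    config service
        edit 1
            set name "Office365-via-FortiSASE"
            set mode sla
            set internet-service enable
            set internet-service-name "Microsoft-Office365"
            config sla
                edit "DNS_Google_4"
                    set id 1
                next
            end
            set priority-members 1
        next
    end
end
```

Because the rule is in SLA mode, traffic falls off the POPVPN member when DNS_Google_4 misses its SLA target, so the thresholds decide how quickly a degraded tunnel stops carrying Office 365; pick them against the measured baseline of the tunnel rather than the sample values above.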

  6. Configure a firewall policy for the connection to FortiSASE:
    1. On the FortiGate Spoke, create a firewall policy that accepts the traffic to FortiSASE:
      • Connect to the FortiManager.
      • Go to Policy & Objects -> select the Policy Package to edit -> Create New.


Picture18.jpg

 

    2. Run the Install Wizard:
      • Select Install Policy Package & Device Settings.
      • Select the Policy Package and select 'Next'.


Picture19.jpg

  • Select Next.

 

Picture20.jpg

  • Select 'Install'.

 

Picture21.jpg

 

  • Select 'Finish'.

Picture23.jpg
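The policy created and installed in this step lands on the spoke as a `config firewall policy` entry whose destination interface is the SD-WAN zone rather than the tunnel itself. The CLI below is an added example, not the article's or FortiManager's own output; the policy name and the LAN interface name 'internal' are assumptions, and NAT is enabled because the article states NAT is enabled on the Spoke policy. Lines starting with '#' are explanatory comments.

```fortios
# Added example (not from the article): spoke firewall policy accepting
# LAN traffic towards the FortiSASE SD-WAN zone.
config firewall policy
    edit 0
        set name "LAN-to-FortiSASE"
        # 'internal' is an assumed LAN interface name on the FortiGate-60F
        set srcintf "internal"
        # Destination is the SD-WAN zone, so the SD-WAN rules choose the member
        set dstintf "FortiSASE-PoP"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Log all sessions so the tunnel path can be confirmed in forward logs
        set logtraffic all
        # NAT enabled per the article: FortiSASE sees the tunnel interface
        # address as the source, which is what its policy enforces on
        set nat enable
    next
end
```

With NAT enabled, the source address that FortiSASE evaluates is the mode-cfg address assigned to POPVPN, so the host and host-group objects created in FortiSASE must account for that when the FortiSASE policy source is restricted.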

  7. Verify the IPsec VPN connection:
    1. To verify the IPsec VPN tunnel on FortiSASE, go to FortiSASE -> Edge Devices -> SD-WAN On-Ramp -> IPsec Connections.


Picture24.jpg

 

    2. To verify the IPsec VPN tunnel on the Spoke FortiGate, go to FortiGate -> VPN -> IPsec Tunnels.


Picture25.jpg

 

    3. To verify that Internet traffic is forwarded to FortiSASE:
      1. Identify the IP address assigned to the VPN tunnel interface. In the FortiGate CLI, run the following command. In the output, find the VPN named 'POPVPN' and note its 'assigned IPv4 address':


diagnose vpn ike gateway


Picture26.jpg

 

      2. Ping and traceroute a public IP address using the VPN tunnel interface address identified in the previous step as the source:

Picture27.jpg
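The verification in step 7.3 can be done entirely from the spoke's CLI. The session below is an added example, not from the article: it filters the IKE gateway listing to POPVPN, checks the tunnel SAs, the SD-WAN health check and rule, and then runs ping and traceroute sourced from the assigned tunnel address. The addresses 192.0.2.65/192.0.2.66 are constructed documentation values standing in for the On-Ramp pool (169.X.X.x in the article), and the output excerpt is a constructed, abbreviated sample. Lines starting with '#' are explanatory comments.

```fortios
# Added example (not from the article): CLI verification on the spoke.

# 1. IKE gateway for POPVPN only. With mode-cfg enabled, the On-Ramp
#    assigns the tunnel interface address; look for 'assigned IPv4 address'.
diagnose vpn ike gateway list name POPVPN
# Constructed, abbreviated sample of the lines to check:
#   name: POPVPN
#   version: 2
#   assigned IPv4 address: 192.0.2.66/255.255.255.224
# Check: the address must lie inside the IP range configured on the
# On-Ramp location in step 2, and the mask must equal its Subnet mask.
# 'version: 2' confirms IKEv2 was negotiated.

# 2. Phase 2 SAs and traffic counters for the tunnel
diagnose vpn tunnel list name POPVPN

# 3. Performance SLA DNS_Google_4 over the POPVPN member (latency,
#    jitter, packet loss and whether the SLA target is met)
diagnose sys sdwan health-check

# 4. SD-WAN rules and the member each one currently selects
diagnose sys sdwan service

# 5. Ping and traceroute sourced from the assigned tunnel address
#    (constructed value 192.0.2.66; use the address from step 1)
execute ping-options source 192.0.2.66
execute ping 8.8.4.4
execute traceroute-options source 192.0.2.66
execute traceroute 8.8.4.4
```

If the ping sourced from the tunnel address succeeds while the traceroute's first hop is the On-Ramp tunnel interface address (192.0.2.65 in the constructed sample), traffic is leaving through FortiSASE; a first hop on the wan1 next-hop instead means the SD-WAN rule or the firewall policy is not matching the traffic.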