SassiVeeran (Staff)
Article Id 316953
Description: This article describes the steps to set up an SD-WAN dial-up VPN using BGP routing.
Scope: FortiGate.
Solution:

This article explains, with a configuration example, how to build a dial-up IPsec VPN in an SD-WAN scenario. For the site-to-site IPsec VPN case in an SD-WAN scenario, with its own configuration example, see the following article: Technical Tip: Configure IPsec VPN with SD-WAN.

Objective:

  • A dial-up IPsec VPN connection between two FortiGates.
  • Two ISPs on each side, giving two VPN connections between the same pair of sites.

In this example, Port1 is used for DialupServer1 (Primary) and Port5 for DialupServer2 (Secondary). The DialupClient FortiGate is set up the same way.

In this example, the DialupServer network is 10.185.0.0/20 and the DialupClient network is 10.162.0.0/20.

  • Both tunnels should stay up; redundancy and failover are steered by the SD-WAN rule.
  • The requirement is that when the DialupServer1 tunnel is down, traffic is routed via the DialupServer2 tunnel. Once DialupServer1 is alive again, traffic should be forwarded back via the DialupServer1 tunnel, as selected by the SD-WAN rule.

Below are the configuration steps:

  1. Create a VPN overlay tunnel in SD-WAN on both the dial-up server and the dial-up client FortiGates.

overlay tunnel GUI.PNG

The output should be as below:

overlay tunnel.PNG

overlay dialup client.PNG

  2. VPN settings:

    DialupServer1 and DialupServer2 should have the same phase 1 and phase 2 settings, apart from the outgoing interface:

ph1 dialup server1.PNG

ph2 dialupserver 1.PNG

DialupClient1 and DialupClient2 should likewise have the same phase 1 and phase 2 settings:

ph1 dialupclient1.PNG

ph2 dialupclient1.PNG

  3. BGP routing:

    Dial-up Server:

bgp config dialup server.PNG

Dial-up Client:

bgp config dialup client.PNG

  4. Create a default static route for the SD-WAN/overlay tunnel on the FortiGates at both ends.

  5. Create address groups for the phase 2 selectors of the DialupServer1 and DialupServer2 VPNs.

The local address group includes the local network and the tunnel IPs of DialupServer1 and DialupServer2 (each with a /32 mask).

The remote address group includes the remote network and the tunnel IPs of DialupClient1 and DialupClient2 (each with a /32 mask).

Configure the same address groups on the DialupClient1 and DialupClient2 VPNs of the client FortiGate.

  6. SD-WAN rule:

    Create an SD-WAN rule to steer the traffic on the FortiGates at both ends.

sdwan rule.PNG

  7. VPN tunnel interface:

dialup server 1 interface.PNG

dialup server 2 interface.PNG

dialup client 1 interface.PNG

dialup client 2 interface.PNG

  8. Firewall policy:

    Create firewall policies for traffic entering and leaving the VPN tunnels on the FortiGates at both ends.

firewall policy.PNG

Final output:

dialup tunnel interface.PNG
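The screenshots above show the GUI side of each step. As an added example that is not part of the article and not Fortinet's own configuration, the following is one way the whole procedure could look in the FortiOS 7.x CLI on the DialupServer FortiGate (the DialupClient mirrors it, see the note after the block). Everything not taken from the article is an assumption: the LAN port (port3), the tunnel interface IPs (10.10.1.x and 10.10.2.x), the AS numbers (65001 and 65002), the object and rule names, and the pre-shared key placeholder; the address objects referenced by the two groups are assumed to have been created beforehand with the /32 masks the article calls for.

```fortios
# Added example (not from the article): the DialupServer FortiGate in FortiOS 7.x CLI.
# Assumed: LAN on port3, tunnel IPs 10.10.1.x/10.10.2.x, AS 65001/65002, PSK placeholder.
# Address groups for the phase 2 selectors (LAN objects and /32 tunnel-IP objects assumed created)
config firewall addrgrp
    edit "LocalGrp"
        set member "DialupServer_LAN" "DialupServer1_tun" "DialupServer2_tun"
    next
    edit "RemoteGrp"
        set member "DialupClient_LAN" "DialupClient1_tun" "DialupClient2_tun"
    next
end
# Dial-up responder on port1 (repeat the same block as DialupServer2 on port5)
config vpn ipsec phase1-interface
    edit "DialupServer1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set add-route disable    # routes come from BGP, not from the phase 2 selectors
        set dpd on-idle          # a dead peer brings the tunnel interface down
        set psksecret <PSK-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "DialupServer1"
        set phase1name "DialupServer1"
        set src-addr-type name
        set src-name "LocalGrp"
        set dst-addr-type name
        set dst-name "RemoteGrp"
    next
end
# Tunnel interface addressing; the BGP session runs between these /32s
config system interface
    edit "DialupServer1"
        set ip 10.10.1.1 255.255.255.255
        set remote-ip 10.10.1.2 255.255.255.255
    next
end
# eBGP with the client over both tunnels, advertising the local LAN
config router bgp
    set as 65001
    set ebgp-multipath enable    # keep both paths so SD-WAN can choose between them
    config neighbor
        edit "10.10.1.2"
            set remote-as 65002
        next
        edit "10.10.2.2"
            set remote-as 65002
        next
    end
    config network
        edit 1
            set prefix 10.185.0.0 255.255.240.0
        next
    end
end
# Overlay zone holding both tunnels, default route into it, and the steering rule
config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "DialupServer1"
            set zone "overlay"
        next
        edit 2
            set interface "DialupServer2"
            set zone "overlay"
        next
    end
    config service
        edit 1
            set name "to-DialupClient"
            set mode manual          # member 1 preferred; member 2 used while member 1 is down
            set src "LocalGrp"
            set dst "RemoteGrp"
            set priority-members 1 2
        next
    end
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "overlay"
    next
end
# Policy for traffic arriving from the overlay (mirror it for port3 -> overlay)
config firewall policy
    edit 1
        set srcintf "overlay"
        set dstintf "port3"
        set srcaddr "RemoteGrp"
        set dstaddr "LocalGrp"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

On the DialupClient FortiGate the same blocks apply with the roles reversed: the phase 1 entries use `set remote-gw` pointing at the server's Port1 and Port5 addresses instead of `set type dynamic`, the tunnel interfaces carry the 10.10.x.2 side of each /32 pair, BGP runs as AS 65002 advertising 10.162.0.0/20, and the group names in the selectors, the SD-WAN rule and the policies swap places. Two settings are worth checking after the tunnels come up: `set add-route disable` must be present on the dynamic phase 1, otherwise routes derived from the selectors are injected alongside the BGP routes and can pull traffic away from the path the SD-WAN rule chose; and `get router info routing-table bgp` should show the remote prefix via both tunnel interfaces, since the manual-mode rule can only fall back to member 2 if a route through it exists.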