FortiGate
SassiVeeran
Staff
Article Id 316953
Description: This article describes the steps to set up a dial-up IPsec VPN as SD-WAN overlay tunnels, with BGP routing between the two sites.
Scope: FortiGate.
Solution:

Objective:

  • A dial-up IPsec VPN between two FortiGates.
  • Each site has two ISP links, and one VPN tunnel is established over each of them between the same two sites.

 

In this example, Port1 is used for DialupServer1 (primary) and Port5 for DialupServer2 (secondary). The DialupClient side is set up the same way, with one tunnel (DialupClient1 and DialupClient2) per ISP port.

 

In this example, the network behind DialupServer is 10.185.0.0/20 and the network behind DialupClient is 10.162.0.0/20.

 

  • Both tunnels should stay up; redundancy and failover are steered by the SD-WAN rule.
  • When the DialupServer1 tunnel is down, traffic should be routed via the DialupServer2 tunnel. Once DialupServer1 is alive again, traffic should be forwarded back via the DialupServer1 tunnel, which the SD-WAN rule selects as the preferred member.

 

Below are the configuration steps:

 

  1. Create a VPN overlay tunnel in SD-WAN on both the dial-up server and the dial-up client FortiGates.

[Screenshot: overlay tunnel GUI.PNG]

The output should be as below:

[Screenshot: overlay tunnel.PNG]

[Screenshot: overlay dialup client.PNG]

 

  2. VPN settings:

    The phase 1 and phase 2 settings of DialupServer1 and DialupServer2 should match (only the bound interface and the tunnel IP differ):

[Screenshot: ph1 dialup server1.PNG]

[Screenshot: ph2 dialupserver 1.PNG]

    The settings of DialupClient1 and DialupClient2 should likewise match:

[Screenshot: ph1 dialupclient1.PNG]

[Screenshot: ph2 dialupclient1.PNG]

 

  3. BGP routing:

    Dial-up server:

[Screenshot: bgp config dialup server.PNG]

    Dial-up client:

[Screenshot: bgp config dialup client.PNG]

 

  4. Create a default static route for the SD-WAN/overlay zone on the FortiGates at both ends.

  5. Create address groups for the phase 2 selectors of the DialupServer1 and DialupServer2 VPNs.

The local address group contains the local network plus the tunnel IP addresses of DialupServer1 and DialupServer2 (each with a /32 mask).

The remote address group contains the remote network plus the tunnel IP addresses of DialupClient1 and DialupClient2 (each with a /32 mask).

Configure the same on the DialupClient1 and DialupClient2 VPNs, mirrored from the client's point of view (the client network and DialupClient tunnel IPs as local, the server network and DialupServer tunnel IPs as remote).
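The CLI equivalent of steps 2, 3 and 5, plus the tunnel interface addressing from step 7 that BGP depends on, for the DialupServer side. This is an added example, not the configuration behind the article's screenshots. The addresses (192.0.2.1 as the server's port1 address, 10.10.1.x and 10.10.2.x as tunnel IPs), the AS numbers 65001/65002, the object names and the pre-shared-key placeholder are assumptions; the syntax is standard FortiOS 7.0 CLI.

```fortios
# DialupServer: LAN 10.185.0.0/20, ISP1 on port1 (192.0.2.1), ISP2 on port5.
# Tunnel 1 is 10.10.1.1 (server) <-> 10.10.1.2 (client); tunnel 2 is
# 10.10.2.1 <-> 10.10.2.2. All of these addresses are assumptions.
config firewall address
    edit "LAN_server"
        set subnet 10.185.0.0 255.255.240.0
    next
    edit "LAN_client"
        set subnet 10.162.0.0 255.255.240.0
    next
    edit "tun1_server"
        set subnet 10.10.1.1 255.255.255.255
    next
    edit "tun2_server"
        set subnet 10.10.2.1 255.255.255.255
    next
    edit "tun1_client"
        set subnet 10.10.1.2 255.255.255.255
    next
    edit "tun2_client"
        set subnet 10.10.2.2 255.255.255.255
    next
end
# Step 5: selector groups = LAN plus both tunnel IPs (/32) of each side, so the
# BGP sessions between the tunnel IPs are covered by the phase 2 selectors
config firewall addrgrp
    edit "ph2_local"
        set member "LAN_server" "tun1_server" "tun2_server"
    next
    edit "ph2_remote"
        set member "LAN_client" "tun1_client" "tun2_client"
    next
end
# Step 2: dial-up phase 1/2 on port1. DialupServer2 is identical apart from
# the name, "port5", ip 10.10.2.1 and remote-ip 10.10.2.2
config vpn ipsec phase1-interface
    edit "DialupServer1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set psksecret "<pre-shared-key>"
    next
end
config vpn ipsec phase2-interface
    edit "DialupServer1"
        set phase1name "DialupServer1"
        set proposal aes256-sha256
        set src-addr-type name
        set src-name "ph2_local"
        set dst-addr-type name
        set dst-name "ph2_remote"
    next
end
# Step 7: tunnel interface addressing; the BGP sessions run between these IPs
config system interface
    edit "DialupServer1"
        set ip 10.10.1.1 255.255.255.255
        set remote-ip 10.10.1.2 255.255.255.255
    next
end
# Step 3: one eBGP session per tunnel. Multipath keeps both learned paths to
# 10.162.0.0/20 installed, so the SD-WAN rule, not BGP, picks the tunnel
config router bgp
    set as 65001
    set ebgp-multipath enable
    config neighbor
        edit "10.10.1.2"
            set remote-as 65002
        next
        edit "10.10.2.2"
            set remote-as 65002
        next
    end
    config network
        edit 1
            set prefix 10.185.0.0 255.255.240.0
        next
    end
end
# DialupClient1 (AS 65002) mirrors the above with the groups swapped, ip 10.10.1.2 /
# remote-ip 10.10.1.1, neighbours 10.10.1.1 and 10.10.2.1, network 10.162.0.0/20,
# and a static phase 1 that dials the server's port1 address:
config vpn ipsec phase1-interface
    edit "DialupClient1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set remote-gw 192.0.2.1
        set psksecret "<pre-shared-key>"
    next
end
```

DialupServer2 and DialupClient2 repeat the phase 1, phase 2 and interface sections with port5 and the 10.10.2.x addresses. The address groups are what make the design work: without the /32 tunnel IPs in the selectors, the BGP sessions between the tunnel interfaces would not match any phase 2 selector and the neighbors would never come up.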

 

  6. SD-WAN rule:

    Create an SD-WAN rule to steer the traffic on the FortiGates at both ends.

[Screenshot: sdwan rule.PNG]

 

  7. VPN tunnel interfaces:

[Screenshot: dialup server 1 interface.PNG]

[Screenshot: dialup server 2 interface.PNG]

[Screenshot: dialup client 1 interface.PNG]

[Screenshot: dialup client 2 interface.PNG]

 

  8. Firewall policy:

    Create firewall policies for traffic entering and leaving the VPN tunnels on the FortiGates at both ends.

[Screenshot: firewall policy.PNG]
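The CLI counterpart of steps 1, 4, 6 and 8 on the DialupServer side, added here as an example; it is not the article's own configuration, which is shown in the screenshots. The interface names DialupServer1/DialupServer2 follow the article. Assumptions: port3 is the LAN interface, 10.162.0.1 is the client FortiGate's LAN address and allows ping (used as the health-check target), the address object names, and the route priority value. The syntax is FortiOS 7.0.

```fortios
# DialupServer side. DialupClient uses the same configuration with
# DialupClient1/DialupClient2 as members and the address objects swapped.
config firewall address
    edit "LAN_server"
        set subnet 10.185.0.0 255.255.240.0
    next
    edit "LAN_client"
        set subnet 10.162.0.0 255.255.240.0
    next
end
# Steps 1 and 6: both tunnels are members of one zone. The health check pings
# the client LAN gateway through each tunnel, so a tunnel whose interface is
# still up but no longer passing traffic is also reported dead.
config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "DialupServer1"
            set zone "overlay"
        next
        edit 2
            set interface "DialupServer2"
            set zone "overlay"
        next
    end
    config health-check
        edit "overlay-ping"
            set server "10.162.0.1"
            set members 1 2
        next
    end
    # Manual mode: the first alive member in priority-members carries the
    # traffic, so DialupServer2 is used only while DialupServer1 is dead, and
    # traffic moves back to DialupServer1 as soon as it is alive again.
    config service
        edit 1
            set name "to-client-lan"
            set mode manual
            set src "LAN_server"
            set dst "LAN_client"
            set priority-members 1 2
        next
    end
end
# Step 4: default route into the overlay zone (7.0 syntax; 6.4 uses
# "set sdwan enable"). Priority 10 keeps the existing ISP default routes
# preferred for Internet traffic, so only the SD-WAN rule above steers
# traffic into the tunnels (assumption about the existing WAN routes).
config router static
    edit 10
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "overlay"
        set priority 10
    next
end
# Step 8: one policy per direction between the LAN port and the overlay zone
config firewall policy
    edit 1
        set name "LAN-to-overlay"
        set srcintf "port3"
        set dstintf "overlay"
        set srcaddr "LAN_server"
        set dstaddr "LAN_client"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "overlay-to-LAN"
        set srcintf "overlay"
        set dstintf "port3"
        set srcaddr "LAN_client"
        set dstaddr "LAN_server"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The health check is what makes the fail-back requirement reliable: the rule re-selects DialupServer1 when the member is reported alive again, and the probe through the tunnel is what reports that. On DialupClient the health-check server would be an address on the server LAN (for example 10.185.0.1, assumed) and the rule's src/dst objects are swapped.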

 

Final output:

[Screenshot: dialup tunnel interface.PNG]

 

Notes:

  • There is a reported issue where tracert from a user machine shows the secondary BGP neighbor's IP address as the next hop while the primary tunnel is coming back up. Traffic is nevertheless still routed via the primary tunnel.
  • FortiOS v6.4.x through v7.0.12 are not affected: tracert correctly shows the primary neighbor as the next hop while the primary tunnel is alive.
  • The issue is observed from FortiOS v7.0.13 onwards.
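Because an end-host tracert can show the wrong next hop on the affected releases, the path should be confirmed on the FortiGate itself. The following checks are an added example, not part of the original article; they use FortiOS 7.0 command names (on 6.4 the SD-WAN commands are `diagnose sys virtual-wan-link ...`), and 10.162.0.10 as a host on the client LAN is an assumption.

```fortios
# Step 6 rule state: the member marked "selected" under the service is the
# one carrying traffic now; alive/dead per member comes from the health check
diagnose sys sdwan service
diagnose sys sdwan health-check
# Both IKE gateways up and both BGP sessions established (State/PfxRcd column)
diagnose vpn ike gateway list
get router info bgp summary
# Which BGP path(s) to the client LAN are installed. With multipath both
# tunnels are listed, so the routing table alone does not tell which tunnel
# the SD-WAN rule selected, which is also why an end-host tracert is not
# conclusive on the releases noted above
get router info routing-table bgp
# Ground truth: capture forwarded packets to an assumed client-LAN host and
# read the interface name (DialupServer1 or DialupServer2) in the output;
# verbosity 4 prints the interface, 10 limits the capture to ten packets
diagnose sniffer packet any 'host 10.162.0.10' 4 10
```

Run the sniffer while generating traffic from the server LAN (a ping to 10.162.0.10 is enough); the interface name printed on the outgoing packets is the tunnel actually in use, independent of what the routing table or a client-side tracert reports.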