Fortinet Forum
radebebek
New Contributor II

VPN Site to Site problem connect with multi ISP static routes.

I saw several similar problems on this forum, but not exactly like this.

So,

 

I have ISP1, ISP2 and ISP3 links. The first two are in SD-WAN mode, and I use them for surfing. ISP3 is used for the business network. My branch office uses a site-to-site VPN and connects over ISP3.

My static route is:

0.0.0.0 -> sd-wan 

x.x.x.x -> ISP3

... other routes

x.x.x.x is the branch office IP, but it changes dynamically every 24h. So for the VPN to work I have to change the address manually. And this is a problem.


1. I tried replacing 0.0.0.0 -> sd-wan with 0.0.0.0 -> ISP3 and setting SD-WAN in Policy Routes. But I can't add the SD-WAN interface in Policy Routing Rules, only individual interfaces. So that is not a solution.

2. I tried adding ISP3 as an SD-WAN member and using SD-WAN rules. But if I do this, I can't use the independent interface ISP3 in a Firewall Policy. Also not a solution.

 

Before FortiGate I used Check Point, and that vendor has an option to set the outgoing interface for the VPN independently of the static routes.

Is there anything like that in FortiGate, and what is the option for this case?

Thanks
Rade

1 Solution
akileshc
Staff

Hello Rade,
 
1. I tried replacing 0.0.0.0 -> sd-wan with 0.0.0.0 -> ISP3 and setting SD-WAN in Policy Routes. But I can't add the SD-WAN interface in Policy Routing Rules, only individual interfaces. So that is not a solution.
 
- You cannot apply an SDWAN interface on a Policy Route in FortiGate, but you may utilize one while configuring it with the respective VPN interface.

 

Policy routes are prioritized over all other routes in the routing database. FortiGate checks conventional policy routes first, then SD-WAN policy routes (if any), and finally the routing table.


2. I tried adding ISP3 as an SD-WAN member and using SD-WAN rules. But if I do this, I can't use the independent interface ISP3 in a Firewall Policy. Also not a solution.

 

- SDWAN is separated into zones if you are currently using FortiOS 6.4.1 or above. SDWAN member interfaces are assigned to zones, and zones can be used as source and destination interfaces in policies.



Multiple zones may be defined to group SDWAN interfaces together, providing the logical groupings for overlay and underlay interfaces.  Zones are used in firewall rules to provide granular control. Members of SD-WAN cannot be utilized directly in policies.


6 REPLIES
Toshi_Esumi
Esteemed Contributor II

config vpn ipsec phase1-interface
  edit "<phase1-name>"
    set interface "<outgoing-interface-name>"
  next
end

 

It doesn't matter if it's an SD-WAN member or not. So you can specify any interface, ISP1, 2, or 3.

 

Toshi

radebebek

This does not work. I've already put it in; you can't do phase 1 without it.

Toshi_Esumi
Esteemed Contributor II

Still need a default route toward ISP3 since the IP changes. How about a static default route to ISP3 with a high number (lower) priority? That would make the local FGT respond to the remote end when the remote initiates the session. You might need to change the IPsec to aggressive (IKEv1) or dynamic (IKEv2) for the local FGT not to initiate itself, because it would go out via the SD-WAN side. But it would be ignored on the remote end if the remote has "static" IPsec.


radebebek
New Contributor II

Solution 2 helped: I had to create a new SD-WAN zone with only ISP3; the first zone is ISP1+ISP2. In the static routes I have:

0.0.0.0 -> zone1
0.0.0.0 -> zone2

with same priority,

 

In the SD-WAN rules I have rules for local traffic to go over zone1.

 

Thanks

 

 

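The configuration Rade describes above (a second SD-WAN zone holding only ISP3, two default routes to the two zones with equal priority, an SD-WAN rule steering LAN traffic to zone1), combined with the phase1 interface binding from Toshi's first reply, written out as a FortiOS 7.x CLI example. This is an added example, not the configuration posted in the thread. The interface names port1/port2/port3 and lan, the zone names, the gateway addresses (RFC 5737 documentation ranges), the address objects lan-subnet and branch-subnet (assumed to exist already), the tunnel name branch-vpn and the dynamic-peer phase1 settings are all assumptions; the thread does not state them.

```text
# Added example (FortiOS 7.x CLI), not the thread's own config.
# Assumed names: port1/port2 = ISP1/ISP2, port3 = ISP3, lan = inside interface.

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "isp3-zone"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "port2"
            set zone "virtual-wan-link"
            set gateway 198.51.100.1
        next
        edit 3
            set interface "port3"
            set zone "isp3-zone"
            set gateway 192.0.2.1
        next
    end
    config service
        # LAN internet traffic is pinned to members 1 and 2 (ISP1/ISP2).
        # No rule steers forwarded traffic to member 3, so ISP3 stays free
        # for the VPN and for any policy that names "isp3-zone" directly.
        edit 1
            set name "lan-internet-via-zone1"
            set mode manual
            set src "lan-subnet"
            set dst "all"
            set priority-members 1 2
        next
    end
end

# Two default routes, one per zone, with the same priority, so the routing
# table alone does not prefer either zone; the SD-WAN rule above decides
# for LAN traffic, and a path via port3 exists for the tunnel.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "virtual-wan-link"
        set priority 1
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "isp3-zone"
        set priority 1
    next
end

# Phase1 bound to ISP3 (Toshi's "set interface"). Because the branch IP
# changes daily, the peer is accepted as a dynamic (dial-up) peer instead of
# a fixed remote-gw; the branch must then be the initiator (assumption).
config vpn ipsec phase1-interface
    edit "branch-vpn"
        set type dynamic
        set interface "port3"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set psksecret <pre-shared-key>
    next
end

# Zones, not SD-WAN members, are the interfaces used in firewall policies.
config firewall policy
    edit 1
        set name "lan-to-internet"
        set srcintf "lan"
        set dstintf "virtual-wan-link"
        set srcaddr "lan-subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "lan-to-branch"
        set srcintf "lan"
        set dstintf "branch-vpn"
        set srcaddr "lan-subnet"
        set dstaddr "branch-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After applying it, `get router info routing-table all` should show both default routes, and `diagnose sys sdwan service` should show rule 1 resolving to members 1 and 2 only; if LAN flows still leave via port3, check that the source address in the SD-WAN rule actually covers the LAN subnet, since a non-matching flow falls through to the routing table and the two equal-priority default routes.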
Toshi_Esumi
Esteemed Contributor II

For 2., why do you have to set a separate policy for the VPN traffic to ISP3? You have a set of policies for the VPN toward SD-WAN, but it would never apply to the traffic to ISP1&2, because the matching traffic never goes in that direction based on the SD-WAN rules for the VPN.