damianhlozano
Contributor

Aggregate or Redundant Interface or SD-WAN

Hello team!!  Greetings!!

 

We have 2 sites with a FGT60F in each site. (7.2.3 in one and 7.2.4 in the other)

Each site has 2 WAN interfaces in an SD-WAN

 

Currently we have 2 VPNs IPsec site to site:

* Site 1 Wan 1 <-> Site 2 Wan 1

* Site 1 Wan 2 <-> Site 2 Wan 2

We are having troubles with this: sometimes one VPN stops passing traffic and users complain. Then we change route distances to use the other VPN.

 

I am wondering about the differences between "Aggregate" "Redundant Interface" and "SD-WAN" for IPsec site to site VPNs.

Some considerations:

* We don't care if the traffic is balanced, but we want the link to be working as much as possible

* We would like to view the redundant links' status, preferably in the GUI

* It would be nice to create some email alert when some link is down.

Which method do you recommend?

 

Thanks in advance.

Regards,

Damián

 

Damián Lozano
1 Solution
adambomb1219
SuperUser

I would use the SD-WAN engine for this.  No reason to use the legacy aggregate/redundant IPSec stuff for this.  SD-WAN also gives much better monitoring/path control capabilities.  


5 REPLIES 5
damianhlozano

Thank you Adam!!!

I will configure SD-WAN then

 

Regards,

Damián

Damián Lozano
damianhlozano
Contributor

Hello team!!

 

I have configured a new SD-WAN for VPNs. I removed the 2 old VPNs and all related objects in both FortiGates and created new ones.

The new VPNs are working when I go from a device inside my network in site 1 to another device in my network on site 2, and it also works from a device inside my network in site 2 to another device in my network in site 1. The problem is when I ping from the FortiGate to a device in the remote network.

With a debug I saw that the traffic is going out using the public IP instead of the private IP.

How can I change the IP used to go out from the Fortigate to a device in the remote site?

I need this to add "Performance SLAs"

I tried to change IP address to the IPsec interface, and using specific gateway in the SD-WAN settings, still the same.

With the previous setting I had the same issue.

 

Thanks in advance.

Regards,

Damián

Damián Lozano
sw2090
SuperUser

That sounds like a routing issue. The routing table is the very first thing that is looked at. It provides the "way", and then after this it needs to match some policy (which is probably not policy #0).

So if traffic hits the wrong interface that mostly means either your route is incorrect or it does not exist at all on that FGT because in the last case it will hit the default route then.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

damianhlozano

Thanks for your answer sw2090!

 

However, I disagree. I will explain this:

There is a route in the routing table for the remote network, if not, the VPN should not work but it is working.

I just did a debug to view what happens when I ping from a FortiGate to 192.168.1.84 (a device in the remote network) and I get the following:

2023-04-25 09:33:29 id=65308 trace_id=2830 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, PublicIP1:34502->192.168.1.84:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=34502, seq=0."
2023-04-25 09:33:29 id=65308 trace_id=2830 func=init_ip_session_common line=6073 msg="allocate a new session-1160b57d, tun_id=0.0.0.0"
2023-04-25 09:33:29 id=65308 trace_id=2830 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VPN2, tun_id=0.0.0.0"
2023-04-25 09:33:29 id=65308 trace_id=2830 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VPN2 vrf 0"
2023-04-25 09:33:29 id=65308 trace_id=2830 func=esp_output4 line=893 msg="IPsec encrypt/auth"
2023-04-25 09:33:29 id=65308 trace_id=2830 func=ipsec_output_finish line=629 msg="send to GW2 via intf-wan2"

 

Remember, if I ping from 192.168.2.241 to 192.168.1.84, it works.

The problem here is that the Fortigate is sending the ping using the public IP in WAN1 Interface.

Do you know why?

 

Thanks in advance.

Regards,

Damián

Damián Lozano
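A configuration sketch, added here as an illustration and not taken from any post in this thread, of the SD-WAN layout adambomb1219 recommends for the two tunnels, together with a Performance SLA of the kind the follow-up posts ask about. It is written for FortiOS 7.2 CLI. The debug flow above shows the FortiGate's own ping leaving with the WAN public address as source; this sketch assumes the cure is to give each tunnel interface its own address and to state the health-check source explicitly per member, so the FortiGate's probes and pings are sourced from a private address. The interface names VPN1/VPN2, the 10.255.0.0/30 tunnel addresses, the zone name "vpn-zone", the member indexes 3 and 4, and the address objects "site1-lan"/"site2-lan" are all assumptions; 192.168.1.84 is the remote host from the thread.

```text
# Added example, not from the thread. FortiOS 7.2 CLI for the site 1 FortiGate;
# names and addresses are assumptions, site 2 needs the mirror image.

# 1. Give each IPsec tunnel interface its own /32 so traffic the FortiGate
#    originates itself (ping, SLA probes) has a private source address.
config system interface
    edit "VPN1"
        set ip 10.255.0.1 255.255.255.255          # assumed local tunnel address
        set remote-ip 10.255.0.2 255.255.255.252   # assumed peer tunnel address
    next
    edit "VPN2"
        set ip 10.255.0.5 255.255.255.255
        set remote-ip 10.255.0.6 255.255.255.252
    next
end

config system sdwan
    set status enable
    # 2. Both tunnels become members of one SD-WAN zone; "source" pins the
    #    address used for that member's health-check packets.
    config zone
        edit "vpn-zone"
        next
    end
    config members
        edit 3
            set interface "VPN1"
            set zone "vpn-zone"
            set source 10.255.0.1
        next
        edit 4
            set interface "VPN2"
            set zone "vpn-zone"
            set source 10.255.0.5
        next
    end
    # 3. Performance SLA: ping the remote host through each tunnel. A member
    #    that misses 5 probes in a row is marked dead and left out of path
    #    selection; 5 good probes bring it back. SLA state changes are written
    #    to the event log, which is what a mail alert can key on.
    config health-check
        edit "vpn-sla"
            set server "192.168.1.84"
            set protocol ping
            set interval 1000
            set failtime 5
            set recoverytime 5
            set sla-fail-log-period 10
            set sla-pass-log-period 10
            set members 3 4
        next
    end
    # 4. No load balancing: VPN1 is preferred, VPN2 is used only when VPN1
    #    fails its health check.
    config service
        edit 1
            set name "to-site2"
            set mode priority
            set src "site1-lan"          # assumed address object, local LAN
            set dst "site2-lan"          # assumed address object, remote LAN
            set health-check "vpn-sla"
            set priority-members 3 4
        next
    end
end
```

Two practical notes on this sketch. First, as sw2090 says, SD-WAN only chooses between members; the routing table still has to carry the remote prefix (a static route for the site 2 LAN via the "vpn-zone" members, or the tunnel interfaces), and the firewall policy must reference the zone rather than the individual tunnels. Second, to check what the FortiGate now uses as source before adding the SLA, `execute ping-options source 10.255.0.1` followed by `execute ping 192.168.1.84` forces the tunnel address for a manual test, and `diagnose sys sdwan health-check` shows the per-member SLA results that the GUI's SD-WAN monitor also displays.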