Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek
Contributor

Branch fortigate setup advice needed

Hi,

I would like to connect branch 80F FortiGates to the main HQ using SD-WAN. Conditions that must be met:

1. Branch internet is routed back through the HQ FortiGate.

2. Access from the internet, like WAN management and SSL VPN on the branch, should be possible.

3. Other LAN subnets on the branch side should be accessible.

 

Now my concerns:

1. If I create IPsec tunnels between HQ and branch in tunnel mode, the remote branch subnet 172.50.1.0/24 will have 0.0.0.0/0 as the destination in the IPsec selector. Then I will not have access to the other local subnets on the branch side, because IPsec steals all traffic and pushes it to HQ.

2. If I create the IPsec in interface mode, then I need to create a static route with destination 0.0.0.0/0 and the IPsec interface as gateway. In this scenario, any incoming connection from the internet, like remote web management or SSL VPN, will be pushed through the IPsec tunnel = no connection.

 

How could I resolve these issues?

27 REPLIES 27
aahmadzada
Staff

Hi @Tutek, SD-WAN rules will help to properly route the traffic.

All you need is to properly configure the SD-WAN rules.

 

I would go in this way:

 

1. Traffic traversing the FortiGate destined for the HQ and the internet is routed via SD-WAN rules towards the HQ via the IPsec tunnels.

2. Management access to the branch FGT and SSL VPN via static default routes.

 

Ahmad
Tutek

Hi,

In point 1 you have to configure a rule with local subnet 172.50.1.0/24 and destination 0.0.0.0/0 (internet). How will users from this local subnet then access the other local subnet 172.50.2.0/24? This will not work.

gfleming

More specific routes take precedence. 172.50.2.0/24 is a more specific route than 0.0.0.0/0 so it will be chosen first. Any traffic that doesn't match any other specific routes will be sent to the default gateway. This is basic network routing.

Cheers,
Graham
Tutek

So I came from MikroTik, where IPsec selectors don't care even about locally connected subnets: whatever matches the IPsec selectors is stolen by IPsec.

gfleming

That seems like really weird behaviour. But yes, in FortiGate (and many other vendors) the IPsec selector only comes into play if the traffic is routed towards the interface that is attached to the IPsec tunnel.

Cheers,
Graham
Tutek

So I will have two default routes: one in the SD-WAN rules with destination 0.0.0.0/0 (internet) through the IPsec tunnel, and a second, system default route with destination 0.0.0.0/0 through wan1 (management, SSL VPN). Right? Will this work?

distillednetwork
Contributor III

I would set the interface mode on the IPsec with BGP personally. If you want to do static routes you can. Any connected interfaces will have priority in the route table over a static route, so SSL-VPN will not be an issue. If you want direct access into the FortiGate from the WAN but not have clients go out that same WAN, then when you create the default route for the WAN port, set the distance the same as the route to the VPN tunnel but have a higher priority value on the route. This will allow it to be in the route table (to accept incoming connections) but will send data out the other WAN port.

 

https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-an...
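The two routing points made in this thread, that a more specific prefix (172.50.2.0/24) wins over 0.0.0.0/0, and that two default routes with equal distance both stay in the routing table while the lower priority value wins for outbound forwarding, can be checked with a small model of FortiGate route selection. This is an added example written for this thread, not FortiGate code or anything from the linked technical note; interface names (lan, lan2, wan1, HQ_tunnel) and the documentation-range test address are constructed, and the reverse-path check is a simplified loose-mode model (accept if any route in the table reaches the source via the ingress interface), which is an assumption stated here rather than a statement of the exact FortiGate implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    dst: str          # prefix, e.g. "0.0.0.0/0"
    device: str       # egress interface (constructed names)
    distance: int     # administrative distance: decides table membership
    priority: int = 0  # tie-breaker among equal-distance routes, lower wins


def routing_table(candidates):
    """Keep, per prefix, only the routes with the lowest distance (all ties kept)."""
    best = {}
    for r in candidates:
        net = ip_network(r.dst)
        current = best.get(net)
        if current is None or r.distance < current[0].distance:
            best[net] = [r]
        elif r.distance == current[0].distance:
            current.append(r)
    return [r for routes in best.values() for r in routes]


def lookup(table, dst_ip):
    """Longest-prefix match first; among equal prefixes the lowest priority wins."""
    ip = ip_address(dst_ip)
    matches = [r for r in table if ip in ip_network(r.dst)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ip_network(r.dst).prefixlen, r.priority))


def rpf_ok(table, src_ip, ingress):
    """Loose reverse-path check (assumption): the source must be reachable
    through the ingress interface by some route present in the table."""
    ip = ip_address(src_ip)
    return any(ip in ip_network(r.dst) and r.device == ingress for r in table)


def build_branch_table(wan1_distance=10):
    """Branch FortiGate from the thread: two connected LANs, a default via the
    IPsec tunnel to HQ and a default via wan1 kept only for inbound access."""
    candidates = [
        Route("172.50.1.0/24", "lan", distance=0),      # connected, always wins
        Route("172.50.2.0/24", "lan2", distance=0),     # second local subnet
        Route("0.0.0.0/0", "HQ_tunnel", distance=10, priority=1),
        Route("0.0.0.0/0", "wan1", distance=wan1_distance, priority=20),
    ]
    return routing_table(candidates)


if __name__ == "__main__":
    table = build_branch_table()
    internet_host = "198.51.100.7"  # constructed, documentation range
    print("172.50.2.10 ->", lookup(table, "172.50.2.10").device)   # lan2
    print(internet_host, "->", lookup(table, internet_host).device)  # HQ_tunnel
    print("inbound on wan1 passes RPF:", rpf_ok(table, internet_host, "wan1"))
    # Same setup but wan1 default with a worse distance: it drops out of the
    # table entirely, so inbound management/SSL VPN on wan1 fails the check.
    worse = build_branch_table(wan1_distance=20)
    print("wan1 in table:", any(r.device == "wan1" for r in worse))
    print("inbound on wan1 passes RPF:", rpf_ok(worse, internet_host, "wan1"))
```

Running it shows why the advice in the thread fixes both of the original concerns: local subnets are never pulled into the tunnel because their /24 routes are longer matches than 0.0.0.0/0, and the wan1 default only protects inbound access while it shares the tunnel route's distance; raising its distance instead of its priority removes it from the table and breaks inbound sessions.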

 

Tutek
Contributor

I'm trying to configure the router your way. First I created two IPsec tunnels and added them as SD-WAN members ("Centrala"), but it is impossible to set a priority on routes with destination 0.0.0.0/0; it is always automatically set to 1. So I have a static route to the IPsec SD-WAN zone with priority 1, and a static route to virtual-wan-link with priority 1.

 

[Screenshot attached: Tutek_0-1668531411026.png]

 

 

distillednetwork
Contributor III

The priorities would apply if you are not using SD-WAN. If you want to use SD-WAN then you just need to create the SD-WAN rule to steer the traffic. If you never want internet traffic to go out the virtual-wan-link ports then you can adjust the interface cost under the SD-WAN zone/interface configuration.

 

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/328009/interface-cost

 
