I would like to connect branch 80F FortiGates to the main HQ using SD-WAN. Conditions that must be met:
1. Branch internet is routed back through the HQ FortiGate.
2. Access from the internet, like WAN management and SSL VPN on the branch, should be possible.
3. Other LAN subnets on the branch side should be accessible.
Now my concerns:
1. If I create IPsec tunnels between HQ and branch in tunnel mode, then the remote branch subnet 22.214.171.124/24 will have 0.0.0.0/0 as the destination in its IPsec selector, and I will not have access to the other local subnets on the branch side because IPsec steals all traffic and pushes it to HQ.
2. If I create IPsec in interface mode, then I need to create a static route with destination 0.0.0.0/0 and the IPsec interface as gateway. In this scenario, any incoming connection from the internet, like remote web management or SSL VPN, will be pushed through the IPsec tunnel = no connection.
In point 1 you have to configure a rule with local subnet 126.96.36.199/24 and destination 0.0.0.0/0 (internet). How then will users from this local subnet access the other local subnet 188.8.131.52/24? This will not work.
More specific routes take precedence. 184.108.40.206/24 is a more specific route than 0.0.0.0/0 so it will be chosen first. Any traffic that doesn't match any other specific routes will be sent to the default gateway. This is basic network routing.
That seems like really weird behaviour. But yes, on a FortiGate (and many other vendors) the IPsec selector only comes into play if the traffic is routed towards the interface that is attached to the IPsec tunnel.
So I will have two default routes: one in the SD-WAN rules with destination 0.0.0.0/0 (internet) through the IPsec tunnel, and a second system default route with destination 0.0.0.0/0 through wan1 (management, SSL VPN). Right? Will this work?
I would set the interface mode on the IPsec with BGP personally. If you want to do static routes you can. Any connected interfaces will have priority in the route table over a static route, so SSL-VPN will not be an issue. If you want direct access into the FortiGate from the WAN but not have clients go out that same WAN, then when you create the default route for the WAN port, set the distance the same as the route to the VPN tunnel but have a higher priority value on the route. This will allow it to be in the route table (to accept incoming connections) but will send data out the other WAN port.
I'm trying to configure the router your way. First I created two IPsec tunnels and added them as SD-WAN members "Centrala", but it is impossible to set a priority on routes with destination 0.0.0.0/0; it is always automatically set to 1. So I have a static route to the IPsec SD-WAN zone with priority 1, and a static route to virtual-wan-link with priority 1.
The priorities would apply if you are not using SD-WAN. If you want to use SD-WAN then you just need to create the SD-WAN rule to steer the traffic. If you never want internet traffic to go out the virtual-wan-link ports then you can adjust the interface cost under the SD-WAN zone/interface configuration.
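The following FortiOS CLI sketch is an added example written for this page, not configuration posted by any participant in the thread. It shows the two designs discussed above side by side: the SD-WAN variant (tunnel and WAN in separate zones, an SD-WAN rule steering branch LAN traffic into the tunnel, WAN member cost raised) and, as an alternative that is not meant to be applied together with it, the plain-static-route variant with equal distance and a worse priority value on the WAN default route. Interface names (lan, wan1, HQ-VPN1), the ISP gateway 203.0.113.1 (documentation range), the address object Branch-LAN, zone names, and all distance, priority and cost values are assumptions; exact keywords vary between FortiOS releases, so check them against the release notes of the firmware in use.

```fortios
# ---- Variant A: SD-WAN (what the thread ends up with) ----
# Assumed: wan1 = ISP uplink, HQ-VPN1 = interface-mode IPsec to HQ,
# Branch-LAN = address object for the branch user subnet.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "HQ-Tunnels"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
            set cost 10            # worse cost: never preferred for LAN internet
        next
        edit 2
            set interface "HQ-VPN1"
            set zone "HQ-Tunnels"
            set cost 0
        next
    end
    config service
        # Steer all branch LAN internet traffic into the HQ tunnel.
        edit 1
            set name "Internet-via-HQ"
            set mode manual
            set src "Branch-LAN"
            set dst "all"
            set priority-members 2
        next
    end
end
# One default route per zone, as in the poster's setup. Both stay in the
# routing table, so inbound management / SSL-VPN on wan1 is still reachable.
# Branch LAN-to-LAN traffic is untouched: connected /24 routes are more
# specific than 0.0.0.0/0 and win the lookup before any tunnel selector applies.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "HQ-Tunnels"
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "virtual-wan-link"
    next
end
# A policy is still required for traffic to enter the tunnel zone.
config firewall policy
    edit 10
        set name "Branch-LAN-to-HQ"
        set srcintf "lan"
        set dstintf "HQ-Tunnels"
        set srcaddr "Branch-LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---- Variant B: no SD-WAN, static routes only (alternative, not additive) ----
# Same distance keeps both routes installed; the larger priority value on
# the wan1 route makes the tunnel the preferred egress while wan1 remains
# able to accept incoming connections.
# config router static
#     edit 1
#         set dst 0.0.0.0 0.0.0.0
#         set device "HQ-VPN1"
#         set distance 10
#         set priority 1
#     next
#     edit 2
#         set dst 0.0.0.0 0.0.0.0
#         set gateway 203.0.113.1
#         set device "wan1"
#         set distance 10
#         set priority 20
#     next
# end
```

After applying either variant, `get router info routing-table all` should show both 0.0.0.0/0 entries; if only the tunnel route appears, the distances differ and the WAN route has been demoted out of the table, which is exactly the condition that breaks inbound management.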