Hi all,
I have 3 branches with an MPLS link to HQ and a DIA access.
We have only one ISP that manages two different connections for every branch. The ISP gives me the possibility to use the local internet connection as a DIA in every branch. The ISP manages the redundancy of the MPLS and internet links between the two different connections they provide.
I want to build an IPsec tunnel over the MPLS for security reasons and use this also to route some particular internet traffic. In case this link goes down I need to route all the internet traffic through the DIA. I always need the possibility to use the DIA for other traffic.
Branches do not need to talk to each other.
This is the network scheme. I only manage the FortiGates. The routers are managed by the ISP. I've coloured the path that I want to implement.
- Should I use SDWAN to manage that?
- Do I need BGP?
- How do I manage route changes and NAT changes?
Hi Lorenzo,
SD-WAN would be a wise option to control the traffic traversing IPsec to HQ and the local Internet breakout point. Since branches are not supposed to talk to each other, I don't see a point in having BGP unless the number of LAN prefixes behind each branch and HQ is huge. But having BGP would be better for scalability and also takes care of the route changes. The NAT change for the outgoing traffic will be taken care of based on the routing exit gateway and SD-WAN.
Please also refer to the docs below for your reference:
Thanks,
Hi Atul,
thanks.
I have a lot of LAN prefixes behind each branch and I like the idea of more scalability and building a future-proof architecture, so I think I'll go with BGP.
By the way, I don't have any experience with BGP. Where can I learn something about it related to this architecture?
Thanks.
Dear LorenzoManfrin,
For a basic BGP setup over IPsec, please check the documentation below:
https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/763341/basic-bgp-example
Thanks, I'll have a look at it.
Hi Lorenzo,
You may refer to the videos below for a demo and more understanding. However, please do validate your configurations before implementation. The links below are for reference only, and I have not verified the correctness of the video content. The second link will help you understand the BGP concept in detail, and I find it very useful.
https://www.youtube.com/watch?v=W7-AlzTJy0s
https://www.youtube.com/watch?v=G0qDnqOKwOE&list=PLvEPp6phNrC-5Pjsb-jHjFXDbEF7NKCGQ
Apart from that, you may refer to the document below as well.
Thanks,
Thanks Atul, great content!
I've drawn the final diagram for the network.
Some details aren't clear to me.
I've learnt that I can assign only one router-id to every FortiGate.
Does this router-id need to communicate with the other router-ids? If so, how can I manage that since every tunnel has its own subnet?
In the diagram I've used the router-id only as an identifier, thinking that the communication will be done via the tunnel routers' addresses. Maybe the "update-source" option will help.
Am I wrong?
Thanks.
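As an added example (not from any post in this thread, and not vendor documentation), here is a FortiOS CLI sketch of one branch in the design discussed above: SD-WAN steers the selected internet destinations over the IPsec tunnel on the MPLS link and fails over to the DIA, everything else goes straight out the DIA, and BGP peers with HQ over the tunnel. It illustrates the router-id question: the router-id is only a 32-bit identifier and is never contacted; the session is addressed to the peer's tunnel IP, with update-source pinning the local tunnel address. All interface names, address objects, IPs and AS numbers are constructed placeholders.

```fortios
# Added example; names, addresses and AS numbers are placeholders.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "mpls-vpn"      # IPsec tunnel interface riding the MPLS link
            set zone "virtual-wan-link"
        next
        edit 2
            set interface "wan-dia"       # local DIA interface
            set zone "virtual-wan-link"
            set gateway 203.0.113.1       # placeholder ISP next hop
        next
    end
    config health-check
        edit "hq-check"
            set server "10.255.1.1"       # HQ tunnel address, probed through the tunnel
            set members 1
        next
    end
    config service
        edit 1
            set name "selected-internet-via-hq"
            set mode priority
            set src "branch-lan"
            set dst "selected-internet-dst"   # address object for the traffic that must go via HQ
            set health-check "hq-check"
            set priority-members 1 2      # tunnel first, DIA when the tunnel fails
        next
        edit 2
            set name "internet-dia"
            set mode priority
            set src "branch-lan"
            set dst "all"
            set priority-members 2        # everything else always uses the DIA
        next
    end
end
config router bgp
    set as 65001
    set router-id 10.255.255.11           # identifier only; does not need to be reachable
    config neighbor
        edit "10.255.1.1"                 # HQ's address on this tunnel's subnet
            set remote-as 65000
            set update-source "mpls-vpn"  # source the session from the tunnel address
        next
    end
    config network
        edit 1
            set prefix 192.168.10.0 255.255.255.0   # branch LAN advertised to HQ
        next
    end
end
```

Because each tunnel carries its own /30-style subnet, every branch only needs the HQ address on its own tunnel as the neighbor; the router-ids on the different FortiGates never have to reach one another. The firewall policy that exits via "wan-dia" still needs NAT enabled, while the policy towards "mpls-vpn" does not.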