Hello folks!
This is my first time administering network resources and the firewall in my company.
And I got into trouble. In my scenario we have 3 carriers in my company, using SD-WAN to balance those links in case of failure. On one of these links I made an IPsec VPN connection with another office. But sometimes, when I have a failure in my links and I need to use the link that has the IPsec VPN, when I access my system pages hosted in that datacenter via the internet, my packets go through the VPN tunnel and not directly to the internet. The network team from the other office analysed the traffic and gave me 2 possibilities to solve this:
1- Make an IP pool with my 6 public IPs and build a virtual network interface, and route my packets to the internet using another public IP, using an IPv4 policy with a VIP attached to this rule to forward my traffic to another public IP from this carrier.
2- Or talk with my carrier (in this case Level 3) to activate another port on my Cisco router with another public IP available in my range, create an interface on my FortiGate using that IP, and forward my internet traffic to this public address.
What is the best idea to solve this problem, and how can I do it?
Best regards!
Lucas Prado.
I'm not sure I'm understanding what you want to do accurately, but I interpreted it as: you want to use additional public IPs to set up an IPsec VPN to your datacenter and fail it over between 3 ISP circuits.
My direct answer would be that it wouldn't work unless you have your own ASN and are advertising the subnet of the additional public IPs to those three ISPs via BGP. If those additional IPs belong to one (or some) of those three ISPs, then even when you send IPsec packets with that IP over a different ISP's circuit, the returning packets from the datacenter always come back to the ISP who owns the subnet, which tries to route them toward your circuit from that ISP, and that fails when the circuit is down.
The only solution I can see, if you're not advertising the subnet via BGP, is to set up two or three different IPsec tunnels over different circuits toward the datacenter and use either static routes with different distance/priority or one of the routing protocols to set up fail-over between them. The datacenter side needs to have multiple public IPs to terminate multiple IPsec tunnels too.
Toshi
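As an added example (not from the thread, and not Fortinet's own documentation), here is what Toshi's suggestion looks like on the FortiGate side: two route-based IPsec tunnels to the datacenter, one per carrier circuit, with static routes of equal distance but different priority so the second tunnel takes over when the first one drops. Every interface name, address range and the pre-shared key are placeholders chosen for the example (TEST-NET and RFC 1918 ranges), not values from the post.

```fortios
# Added example: two route-based IPsec tunnels to the datacenter, one per WAN
# circuit, with priority-based static-route failover. All names, addresses
# and the PSK are placeholders, not values from the thread.

config vpn ipsec phase1-interface
    edit "dc-vpn-wan1"
        set interface "wan1"                 # first carrier circuit
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle                      # dead-peer detection tears the tunnel down
        set dpd-retryinterval 5              # ... so its static route is withdrawn
        set dpd-retrycount 3
        set remote-gw 198.51.100.10          # placeholder: DC public IP reached via wan1
        set psksecret REPLACE-WITH-STRONG-PSK
    next
    edit "dc-vpn-wan2"
        set interface "wan2"                 # second carrier circuit
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set remote-gw 198.51.100.20          # placeholder: second DC public IP
        set psksecret REPLACE-WITH-STRONG-PSK
    next
end

# Selectors cover only the DC private range, so traffic to the DC's public
# addresses keeps following the SD-WAN default route instead of the tunnel.
config vpn ipsec phase2-interface
    edit "dc-vpn-wan1-p2"
        set phase1name "dc-vpn-wan1"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 10.10.0.0 255.255.0.0   # placeholder branch LAN
        set dst-subnet 10.20.0.0 255.255.0.0   # placeholder DC private range
    next
    edit "dc-vpn-wan2-p2"
        set phase1name "dc-vpn-wan2"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 10.10.0.0 255.255.0.0
        set dst-subnet 10.20.0.0 255.255.0.0
    next
end

# Same distance, different priority: both routes stay in the routing table,
# the lower priority value is used while its tunnel is up, and the wan2 route
# takes over as soon as DPD brings dc-vpn-wan1 down.
config router static
    edit 10
        set dst 10.20.0.0 255.255.0.0
        set device "dc-vpn-wan1"
        set distance 10
        set priority 5
    next
    edit 11
        set dst 10.20.0.0 255.255.0.0
        set device "dc-vpn-wan2"
        set distance 10
        set priority 10
    next
    # Blackhole route: if both tunnels are down, DC-private traffic is dropped
    # rather than leaking to the internet unencrypted via the default route.
    edit 12
        set dst 10.20.0.0 255.255.0.0
        set blackhole enable
        set distance 254
    next
end

config firewall policy
    edit 100
        set name "lan-to-dc"
        set srcintf "internal"                       # placeholder LAN interface
        set dstintf "dc-vpn-wan1" "dc-vpn-wan2"      # one policy covers both tunnels
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The same pair of tunnels must exist on the datacenter FortiGate, terminated on two different public IPs, as Toshi notes. Because the phase 2 selectors and the static routes cover only the DC private range, requests to the systems' public addresses never match the tunnel route and continue to egress through whichever SD-WAN member is up, which is the behaviour the original post was missing. A reverse policy (tunnel interfaces to "internal") is needed for sessions initiated from the datacenter side.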
I guess a network diagram explaining your setup will definitely help us to better understand your problem.
Thanks,
Prab