Hi guys,
I am trying to setup a hub and spoke topology using ADVPN with branches on VPN dial up. The Hub has 2 WAN interfaces with public IPs but on the other hand the branches sit behind 2 CPEs (2 different ISP connections). Saying that, the 2 wan interfaces of the branches get private IPs from the CPEs. I successfully get the branches to establish VPN dial up connections to the hub using their WAN interfaces and as a result, I have 4 VPN tunnels with the following structure.
Tunnel 1 Hub WAN1 - Branch WAN1
Tunnel 2 Hub WAN1 - Branch WAN2
Tunnel 3 Hub WAN2 - Branch WAN1
Tunnel 4 Hub WAN2 - Branch WAN2
The above scenario works ok but the problem starts when we want to add more wan connections to both Hub and branch. If the Hub and branch have 3 WANs then the tunnels become 9 and so on.
I would like to make the branches to use a loopback interface as an initiator on the dial up VPN connection so I can minimize the number of the tunnels. So in the scenario with 2 WAN interfaces on the branch, I will always have 2 active tunnels instead of 4. If one of the wan interfaces of the branch is down, then again 2 active tunnels will be available cos the loopback could still perform a dial up connection to the WANs of the HUB using the 2nd active WAN interface of the branch. I must also say that the WAN interfaces of both hub and branch belong to SD-WAN zone.
However, It seems that the above scenario it does not work for me and I am not sure if it is because the loopback (private Ip) is on fortigate which is behind a NAT device (CPE). Again, using the WAN interfaces (private IPs) of the fortigate the VPN dialup works fine. On the loopback is the issue.
Is it any official documentation using a loopback for VPN dialup or any similar case that someone can share.
Many Thanks
Please check the following article
https://community.fortinet.com/t5/FortiGate/Technical-Tip-ADVPN-with-BGP-on-loopback/ta-p/262007
Hi Mrinmoy,
Thank you very much for your response!
Nonetheless, correct me if I am wrong, but according to the link the loopbacks are being used to establish the BGP between the Hub and the spokes. The VPN on the spokes still use the wan interfaces. In my scenario, I'd like the spokes to use a loopback to establish the VPN dialup and not the WANs.
At the topology on the link, I see 2 issues. If one of the WAN links of the spoke fails, then there will be only one VPN tunnel available. And this is due to one-to-one VPN connections between the Hub and Spoke.
Tunnel_1 Spoke WAN1 to Hub WAN1
Tunnel_2 Spoke WAN2 to Hub WAN2
But if the loopback would be set as the interface for the VPN on the spoke, always will be 2 available VPN tunnels to the spoke, regardless if the spoke has 2 available WANs or 1.
Spoke with 2 available WANs
Tunnel_1 Spoke Loopback to Hub WAN1 (via Spoke WAN1)
Tunnel_2 Spoke Loopback to Hub WAN2 (via Spoke WAN1)
Spoke with 1 available WANs
Tunnel_1 Spoke Loopback to Hub WAN1 (via Spoke WAN2)
Tunnel_2 Spoke Loopback to Hub WAN2 (via Spoke WAN2)
Furthermore, at the topology on the link I must assign manually the IP address on the Spoke's loopback. In my case, I'd like the Hub to serve the IP addresses to the spokes which it is something the works ok.
Again, I am not sure if what I am saying above it is doable though.
Thanks
Hello Nick,
Loopback interface is going to be used for bgp connection.
if wan 1 goes down on spoke then there is another tunnel we can used using wan2.
Hub fortigate will not serve ip address to loopback interface.
Hi Tpatel,
Thank you very much for your reply. I do understand that BGP will be performed by the loopback interfaces but as you say if wan 1 goes down then there will be only 1 available tunnle from wan 2. My goal is to have always 2 tunnels available, regardless if the both WANs are active or one of them. So I would like to use the loopback not for BGP but for the dial up VPN.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.