- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: IPSEC & SSLVPN Loopback Interface connection f...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSEC & SSLVPN Loopback Interface connection for redundant WAN connectivity
Hi all,
I have been playing around with the VPN's on my fortigates and was able to a connection and traffic flowing no problem. My goal though, is to allow the VPN connections to use my SD-WAN interface(2 x 1 Gbps links) so that I can get some type of redundancy on the VPN side. My initial goal is for Forticlient connectivity for my users, but once the transition is completed, I do want to look at Site-to-Site VPN for some remote locations.
I was suggested to create a loopback interface since you cannot point to an SD-WAN interface for VPN configuration. Is that the best way to achieve my redundant link? Is there anything else or someone that could give me a quick config look so I can apply it to my environment?
Thanks for the help,
Benoit
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can ignore my original post. Through some documentation and trial and error, I found the right configuration.
Thanks,
Ben
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ben,
I'm pretty much trying to achieve the same thing... what is your recipe ? :)
Thanks
JF
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi JF,
I can definitely try pointing you in the right direction. Hopefully the way I achieve it is recommended :) I'm sure others can chime in if they see something wrong.
For me, I wanted to have the VPN portion on it's own public IP(we have a full class B so that isn't an issue). I'm sure you could apply this config with a Nat'ed IP if you had to.
Step 1 - Create your Loopback Interface and assign it the IP of your choice, apply WAN role and allow PING temporarily to be sure you can reach the interface from outside.(testing in Step 6)
Step 2 - Create an Address object for your Loopback Interface IP.(optional)
Step 3 - Create a Static Route using Named Address with Destination(loopback Address you just created or insert IP), Device being your LAN interface(in my case, I have an LACP connection to my Core), Gateway 0.0.0.0.
Step 4 - Create your IPSEC(or SSLVPN) Tunnel and point the Interface to the Loopback Interface you created in Step 1. To start, I simply went through the IPSEC wizard and followed the instructions and assigned a local account to allow access
Step 5 - Create your IPv4 Policy to allow External access to the Loopback interface(IKE,HTTPS,PING services suffice to allow IPSEC and SSLVPN and allow your ping test). This would have your SDWAN as the incoming interface and Loopback Interface at the Outgoing. In my case, NAT was turned off as I am using a Public IP.
Step 6 - Confirm you can ping your Loopback interface.
Step 7 - You should have 3 IPv4 polices to have this work.
The new policy from your SD-WAN to the Loopback Interface. The policy created from your IPSEC tunnel to your LAN interface with your Client VPN subnet as source
The policy created from your IPSEC tunnel to your SDWAN interface with NAT turned on towards your Outgoing Interface Address.
Hopefully I didn't forget anything. If you have any other questions, don't hesitate to let me know.
Ben
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ben!
I just found your post and it is exactly, what I am looking for, but at the moment, the VPN does not come up. Can you give me a hint about what I was doing wrong?
The goal is to be able to use the VPN-Tunnel through WAN1 and WAN2. At the moment, it is working through WAN1, if I user WAN1 as interface in Phase 1 IPSEC.
On branch office-FG:
- Create Loopback-Interface, name Loopback01 with IP 10.99.99.1 and role WAN, Ping allowed --> OK
- Create Address object "10.99.99.1/32" name LoopbackAddress, Type Sbunet, Interface ANY
- Create Static Route (FIRST QUESTION), Destination "Named Address LoopbackAddress", Gateway 0.0.0.0, Interface Loopback01, Distance 10??
--> I do not understand that static route
- IPSEC-Tunnel (change Interface to Loopback01)
- Create IPv4-Policy, WAN1 to Loopback01 ANY Allow (as test)
- Test Ping Loopback From Which Interface should it be "pingable"
--> IPSEC does not come up.
Thank you for your help!
KPS
Related Posts
Labels
-
FortiGate
6,450 -
FortiClient
1,288 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.