Hi all,
I have been playing around with the VPN's on my fortigates and was able to a connection and traffic flowing no problem. My goal though, is to allow the VPN connections to use my SD-WAN interface(2 x 1 Gbps links) so that I can get some type of redundancy on the VPN side. My initial goal is for Forticlient connectivity for my users, but once the transition is completed, I do want to look at Site-to-Site VPN for some remote locations.
I was suggested to create a loopback interface since you cannot point to an SD-WAN interface for VPN configuration. Is that the best way to achieve my redundant link? Is there anything else or someone that could give me a quick config look so I can apply it to my environment?
Thanks for the help,
Benoit
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You can ignore my original post. Through some documentation and trial and error, I found the right configuration.
Thanks,
Ben
Hi Ben,
I'm pretty much trying to achieve the same thing... what is your recipe ? :)
Thanks
JF
Hi JF,
I can definitely try pointing you in the right direction. Hopefully the way I achieve it is recommended :) I'm sure others can chime in if they see something wrong.
For me, I wanted to have the VPN portion on it's own public IP(we have a full class B so that isn't an issue). I'm sure you could apply this config with a Nat'ed IP if you had to.
Step 1 - Create your Loopback Interface and assign it the IP of your choice, apply WAN role and allow PING temporarily to be sure you can reach the interface from outside.(testing in Step 6)
Step 2 - Create an Address object for your Loopback Interface IP.(optional)
Step 3 - Create a Static Route using Named Address with Destination(loopback Address you just created or insert IP), Device being your LAN interface(in my case, I have an LACP connection to my Core), Gateway 0.0.0.0.
Step 4 - Create your IPSEC(or SSLVPN) Tunnel and point the Interface to the Loopback Interface you created in Step 1. To start, I simply went through the IPSEC wizard and followed the instructions and assigned a local account to allow access
Step 5 - Create your IPv4 Policy to allow External access to the Loopback interface(IKE,HTTPS,PING services suffice to allow IPSEC and SSLVPN and allow your ping test). This would have your SDWAN as the incoming interface and Loopback Interface at the Outgoing. In my case, NAT was turned off as I am using a Public IP.
Step 6 - Confirm you can ping your Loopback interface.
Step 7 - You should have 3 IPv4 polices to have this work.
The new policy from your SD-WAN to the Loopback Interface. The policy created from your IPSEC tunnel to your LAN interface with your Client VPN subnet as source
The policy created from your IPSEC tunnel to your SDWAN interface with NAT turned on towards your Outgoing Interface Address.
Hopefully I didn't forget anything. If you have any other questions, don't hesitate to let me know.
Ben
Hi Ben!
I just found your post and it is exactly, what I am looking for, but at the moment, the VPN does not come up. Can you give me a hint about what I was doing wrong?
The goal is to be able to use the VPN-Tunnel through WAN1 and WAN2. At the moment, it is working through WAN1, if I user WAN1 as interface in Phase 1 IPSEC.
On branch office-FG:
- Create Loopback-Interface, name Loopback01 with IP 10.99.99.1 and role WAN, Ping allowed --> OK
- Create Address object "10.99.99.1/32" name LoopbackAddress, Type Sbunet, Interface ANY
- Create Static Route (FIRST QUESTION), Destination "Named Address LoopbackAddress", Gateway 0.0.0.0, Interface Loopback01, Distance 10??
--> I do not understand that static route
- IPSEC-Tunnel (change Interface to Loopback01)
- Create IPv4-Policy, WAN1 to Loopback01 ANY Allow (as test)
- Test Ping Loopback From Which Interface should it be "pingable"
--> IPSEC does not come up.
Thank you for your help!
KPS
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.