We are new Fortigate users and are switching from Sonicwall firewalls. I've been using our demo unit for a couple of weeks now and have successfully configured the SD-WAN to work with both of our internet circuits. I understand how that works, but what I would like to do is configure it to load balance IPsec VPN traffic.
At our datacenter we have a Sonicwall, but at multiple sites they are going to be switched from Sonicwall to Fortigates. Each site has one cable/DSL circuit as a backup and a fiber circuit as a primary. The fiber circuit has less bandwidth but obviously is more stable.
Our end goal is to be able to load balance and direct traffic across the VPN to our datacenter based on specific ports. For example, we would want Citrix ICA traffic to take the circuit with less latency while other traffic utilizes whatever is available. Is this possible? If it isn't possible since we have a Sonicwall at the datacenter end, is it possible if we had Fortinets instead?
I ended up finding this article, which looks like what I'm wanting (except I don't have a Fortigate at each end right now): http://kb.fortinet.com/kb/documentLink.do?externalID=FD41297
Attempting to get it working but unsuccessful so far.
A virt-wan link will probably not help. The only firewall that I know of that load balances IPsec natively across multiple IPsec tunnels is Forcepoint, btw.
What you might be able to do is build multiple route-based VPN tunnels and run OSPF for ECMP between the peer and hubs. I would lab that out if you have a spoke that you can use and see if that is doable.
Ken Felix
PCNSE
NSE
StrongSwan
I'm able to use SD-WAN to load balance IPsec VPN tunnels when it's configured with SD-WAN the same way at the two ends. My problem is that when I have more than 7 tunnels I get some "reverse path check failed, drop", but with 7 tunnels or less it works fine. I didn't really try to load balance some type of traffic on one link and the rest on the other one, but I think it should work. I simply use one VPN, and if I get packet loss over 1% all traffic goes to the other VPN. I do the same with Internet links.
It seems like the over-7-tunnels problem is a firmware issue.
FortiGate: 80E, 80F, 100E, 200F, 300E: 6.4.6
FortiAnalyzer, ForticlientEMS
We had configured separate VPN tunnels for each ISP interface (fiber/copper), set the fiber VPN tunnel as primary and set the copper VPN tunnel to monitor the primary tunnel. Once the secondary tunnel detects that the primary tunnel has gone down, the secondary tunnel takes over and activates itself.
Copyright 2024 Fortinet, Inc. All Rights Reserved.