We have a setup where we have 2 WAN links and 2 IPSec links (each tunnel on each wan link) connecting our small offices do DC.
On offices, we already have SD-WAN for WAN links and for the traffic through the tunnels we are still using main and backup based on route costs. We're having some problems when the main link is just not that good, with some packet loss and stuff. As the IPSec tunnel is not added to SD-WAN, the office firewall does not know about quality and rely on route cost only.
Ok, with that in mind, we started to put the IPSec tunnels (yet on offices) on the SD-WAN engine, so we could measure the quality INSIDE the tunnel and then, if necessary, switch the traffic. Remember that the establishment of the IPSec tunnels does not rely on SD-WAN, so the tunnel keeps up even with problems.
Before configuring 'IPSec SD-WAN ' on DC as well the officces, I did some switching tests: added a policy on DC blocking the traffic that the small office firewall would use to measure the availability of one of the IPSec tunnels. It measured and brought the link down in the Performante SLA. The thing is that as the, in the DC, the main route is the one I broke, the DC kept the traffic via the broken link, the office firewall received it and then the RPF engine dropped the packet (as it should!).
My questions are:
1) How to workaround this situation having SD-WAN on both sides? Configure SD-WAN with costs or via different SD-WAN policies (not that nice solution for SD-WAN)? Disable RPF? Any hints?
2) Looking at this setup, I already have a sd-wan rule with no source pointed (so it should consider all traffic) with destination to my dc network. In a 6.0.12 60E, I can self-originate traffic to DC normally. On a 6.2.7 60E, it doesn't work.
On both firewalls there is only one route poiting to the DC using SD-WAN as gateway.
3) If I have one route to 0.0.0.0/0 with SD-WAN as a gateway and then another route to 10.0.0.0/8 using IPSec as a gateway, which one the firewall would use for self-originating traffic? The documentation says that the sd-wan are policy-routes, so I am assuming that the firewall would use the SD-WAN engine, right? In the 6.2.7 firewall, it only works if I keep this IPSec route.
I am still testing this thing, and problably the problem is that I cannot simulate a packet loss link to get the SD-WAN working on both sides.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.