Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tim86
New Contributor III

Internet and IPsec in SD-WAN with static WAN-interface

Hi all!

I am working with a FortiGate firewall that has an internet connection with a static IP.

Our goal is to route the default gateway through an IPsec tunnel that breaks out via the headquarters.

When configuring SD-WAN, a default route (0.0.0.0/0.0.0.0) is created toward the SD-WAN zone.

Inside this SD-WAN setup, the IPsec tunnel is included with a performance SLA, so that the route is automatically disabled if the tunnel becomes unavailable.

In this case, traffic should then fail over to the physical WAN interface.

However, for the IPsec VPN, an inbound and outbound policy is required without NAT.

These policies are placed at the top of the policy list: from IPsec to SD-WAN, and from SD-WAN to IPsec.

The complication arises when the physical WAN interface is also placed inside the SD-WAN zone.

In that scenario, NAT is required; otherwise, internet traffic via the local ISP will not work.

One possible solution is to configure the physical WAN interface outside of SD-WAN. However, if the internet interface does not receive its IP address dynamically via PPPoE or DHCP, you must then manually configure a default route to the gateway.

The challenge here is that when a default route for SD-WAN already exists, it is not possible to create an additional default route on the internet interface pointing to the next hop.

This is the reason it only works with PPPoE and DHCP connections, since those automatically install a route into the routing table.

If I keep the physical WAN inside SD-WAN, I can technically create a third firewall policy from LAN to SD-WAN with NAT enabled. However, this policy will never be matched because the IPsec policies take precedence.

Does anyone have a solution for this scenario?

Best regards,

Tim

1 Solution
funkylicious
SuperUser

Hi,

I would suggest creating two different SD-WAN zones: one for underlay or internet traffic, where you put your WAN connections, and one for overlay or IPsec VPN traffic, where you put your IPsec interfaces.

This way you can better control the traffic.

https://docs.fortinet.com/document/fortigate/7.6.4/administration-guide/942095/sd-wan-members-and-zo... 

"jack of all trades, master of none"

3 Replies
tim86
New Contributor III

This was too easy, works like a charm.

Thank you!

tim86
New Contributor III

But of course! That hadn't clicked yet; I think this will definitely solve the problem!
I'm going to test this!
