Hello,
I am implementing a scenario where I will have a headquarters and several branches, connected through IPSec tunnels.
In the headquarters firewall I will have a fixed public IP address and in the branches I will have internet links with dynamic IP addresses (CGNAT and LTE/4G).
I need to connect two IPsec tunnels per branch with the headquarters, one tunnel for each WAN and I need to use SDWAN to control this traffic and define the SLA for each tunnel.
I already have this working format using IPsec SDWAN, where I create 1 tunnel for each link.
However, at headquarters, I only have one WAN interface and I use it in all tunnels with branches. Could this cause me some kind of problem? I've already noticed that when I make a change on the matrix side in a tunnel, it momentarily "drops" the connection in the other tunnels.
What is correct on the head office side, considering that I only have 1 WAN interface, is to have 1 tunnel for each branch?
Today I have 1 tunnel for each branch link, for example, branch 1 has two WANs, so I have an IPsec tunnel for WAN1 and another IPsec tunnel for WAN2, and so on. Always using FQDN because the public IP is dynamic on the branch side.
My question is whether this configuration I am using is recommended for this connection format.
Everything indicates that applying the "set replay disable" configuration in the phase2-interface of the tunnels resolved the problem.
Hello,
From the description, the topology looks good. You are already using SD-WAN, so that will take care of tunnel redundancy. And it is normal to have multiple tunnels on the HQ side as well.
Hello,
Thanks for your answer!
The scenario works correctly, except for the fact that instabilities occur in the Performance SLA when I make any changes to another existing tunnel, but I am carrying out other tests to better understand this behavior.
Hello,
Could you please specify what kind of changes you are making on the tunnel that cause the instability in the SLA?
Also you can view 10 minute history of SLA logs in CLI and monitor the behavior:
diagnose sys sdwan sla-log PingSLA 1
Hello,
I noticed that the problem always occurs when establishing another IPsec tunnel with the same remote operator.
For example, I have an IPsec tunnel connecting headquarters with branch 1 through ISP X in branch 1.
When connecting an IPsec tunnel between headquarters and branch 2 through the same ISP in branch 2 (that is, with the public IPs of the two branches in the same range), it generates a momentary drop in the SLA of branch 1. It seems to me that the creation of the tunnel in branch 2 generates instability in the tunnel in branch 1 because the public IP is from the same operator and in the same range.
In my settings on the matrix side I set the localid (which is the same for all tunnels: my public IP address), and I also have the remotegw-ddns of each branch in each tunnel. Do you think the localid on the matrix side could be what causes this instability?
Hello @TSTelecom ,
What are you using under your performance SLA? It is sometimes better to use loopback interfaces, as they are more stable.
You might need to run a sniffer for source and destination and see what side is actually causing the problem.
# diagnose sniffer packet any 'host <source IP> and host <destination IP>' 4 0 l
Hello @TSTelecom,
If you make any changes on the WAN of the hub that could cause an interruption, it is always going to impact the other tunnel, as it is also part of the same WAN.
Setting IP on the tunnel interface can also assist in these scenarios.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPsec-Tunnel-ID-expected-behavior/ta-p/240...
Hello,
Thank you for your suggestion, I will apply the IP address to the tunnel interface and monitor the behavior.
Answering the other question, yes, I use Performance SLA to monitor the connection, I use it on both sides and on both sides I monitor the Fortinet interface on the remote end.
Is it correct to use Performance SLA at the headquarters and branch? Or would it be ideal to only use it at the branch?
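To tie the thread together, here is a hub-side FortiOS CLI configuration covering the points discussed above: one phase1-interface per branch WAN on the single hub WAN, with remotegw-ddns because the branch public IPs are dynamic; a localid on the hub; `set replay disable` in the phase2-interface (the change the original poster reported as resolving the SLA drops); an IP address on each tunnel interface as suggested in the reply; and the two tunnel interfaces as SD-WAN members behind a single Performance SLA. This is an added example written by the editor, not the poster's configuration or a Fortinet-published one. All names (`wan1`, `branch1-wan1`, `branch1-wan2`, `hq.example.com`, the FQDNs, the 10.255.1.0/24 tunnel addresses, `PingSLA`) and the SLA thresholds are assumed placeholders; the pre-shared key is a placeholder to be replaced.

```fortios
# Hub (headquarters) side. Added example; names, addresses and thresholds are assumed.
# One phase1-interface per branch WAN, all bound to the hub's single WAN interface.
config vpn ipsec phase1-interface
    edit "branch1-wan1"
        set interface "wan1"
        set ike-version 2
        set type ddns
        set remotegw-ddns "branch1-wan1.example.com"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set localid "hq.example.com"
        set psksecret <PSK-PLACEHOLDER>
    next
    edit "branch1-wan2"
        set interface "wan1"
        set ike-version 2
        set type ddns
        set remotegw-ddns "branch1-wan2.example.com"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set localid "hq.example.com"
        set psksecret <PSK-PLACEHOLDER>
    next
end
# Phase 2 with anti-replay disabled, as reported in the thread to stop the SLA drops.
config vpn ipsec phase2-interface
    edit "branch1-wan1-p2"
        set phase1name "branch1-wan1"
        set proposal aes256-sha256
        set replay disable
        set auto-negotiate enable
    next
    edit "branch1-wan2-p2"
        set phase1name "branch1-wan2"
        set proposal aes256-sha256
        set replay disable
        set auto-negotiate enable
    next
end
# Addressed tunnel interfaces (hub .1, branch .2) so the SLA probe has a stable target.
config system interface
    edit "branch1-wan1"
        set ip 10.255.1.1 255.255.255.255
        set remote-ip 10.255.1.2 255.255.255.255
    next
    edit "branch1-wan2"
        set ip 10.255.2.1 255.255.255.255
        set remote-ip 10.255.2.2 255.255.255.255
    next
end
# Both tunnels as SD-WAN members behind one Performance SLA probing the branch tunnel IPs.
config system sdwan
    set status enable
    config zone
        edit "branches"
        next
    end
    config members
        edit 1
            set interface "branch1-wan1"
            set zone "branches"
        next
        edit 2
            set interface "branch1-wan2"
            set zone "branches"
        next
    end
    config health-check
        edit "PingSLA"
            set server "10.255.1.2" "10.255.2.2"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 2
                next
            end
        next
    end
end
```

The branch side mirrors this with `set type static`/the hub's fixed public IP as `remote-gw`, its own tunnel IP (`.2`) and the hub's tunnel IP as the SLA server. After applying it, `diagnose sys sdwan sla-log PingSLA 1` (as posted earlier in the thread) shows whether member 1 still flaps when a second tunnel from the same ISP range comes up.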
Copyright 2024 Fortinet, Inc. All Rights Reserved.