AMINET
New Contributor

Purpose of tunnel interface IP when using SD-WAN

Hi

Many tutorials on configuring IPsec VPN via SD-WAN say that the tunnel interface must have an IP address, so my question is: what is the purpose of this IP address, and can SD-WAN work without it?

Thanks

1 Solution
vbandha
Staff

The tunnel interface IP is used for traffic originating from the FortiGate itself to travel on the tunnel.
Without that, this traffic would use the exit interface IP, which would be the WAN interface IP, and it would not be able to go on the tunnel.

The reason we do this in SD-WAN is that the FortiGate sends SLA or ping traffic to check whether the link is still up.
To allow all this traffic to go across the tunnel, we have to define the tunnel interface IP and add it to the phase 2 selectors.

So now when the FortiGate sends all this traffic on the tunnel, it uses the tunnel interface IP.

Here are some articles you can refer to for more information:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Self-originating-traffic-over-IPSec-VPN-Fo...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984...

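The setup the answer above describes, as an added FortiOS CLI example that is not part of the original post or the linked articles. The interface name, phase 2 name, health-check name and 10.255.0.x addresses are constructed, the `#` lines are annotations, and the syntax assumes FortiOS 6.4 or later, where SD-WAN lives under `config system sdwan`.

```fortios
# All names and addresses are constructed for illustration.

# 1. Give the IPsec tunnel interface a local and a remote IP.
#    Probes the FortiGate sends out this interface are then sourced
#    from 10.255.0.1 rather than from the WAN interface IP.
config system interface
    edit "vpn-hub"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.255
        # Lets this side answer pings the peer sends to 10.255.0.1.
        set allowaccess ping
    next
end

# 2. Add a phase 2 selector that covers the two tunnel IPs, so the
#    probe traffic matches a selector and is carried by the tunnel.
config vpn ipsec phase2-interface
    edit "vpn-hub-sla"
        set phase1name "vpn-hub"
        set src-subnet 10.255.0.1 255.255.255.255
        set dst-subnet 10.255.0.2 255.255.255.255
    next
end

# 3. Make the tunnel an SD-WAN member and point the health check
#    at the peer's tunnel IP.
config system sdwan
    set status enable
    config members
        edit 1
            set interface "vpn-hub"
        next
    end
    config health-check
        edit "hub-sla"
            set server "10.255.0.2"
            set protocol ping
            set members 1
        next
    end
end
```

The peer needs the mirror image: its tunnel interface holds 10.255.0.2, permits ping, and its phase 2 selector has the source and destination swapped.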

