Hello, we are just starting to implement SD-WAN and I have a question on how to set up IPsec tunnels, because I am sure I am overlooking something or making things more complicated than they are.
If both sites have a Primary WAN and a Secondary WAN, do I have to create 4 tunnels and 8 policies to cover all the possible combinations and keep the traffic flowing at all times without manual intervention, or is there a better way to accomplish that?
| IPsec tunnel source | IPsec tunnel destination | Primary WAN | Secondary WAN |
|---|---|---|---|
| Fortigate 1 | Fortigate 2 | WAN1 | WAN2 |
| Fortigate 1 | Fortigate 2 | WAN1 | BACKUP WAN |
| Fortigate 1 | Fortigate 2 | BACKUP WAN | WAN2 |
| Fortigate 1 | Fortigate 2 | BACKUP WAN | BACKUP WAN |
| Fortigate 2 | Fortigate 1 | WAN2 | WAN1 |
| Fortigate 2 | Fortigate 1 | BACKUP WAN | WAN1 |
| Fortigate 2 | Fortigate 1 | WAN2 | BACKUP WAN |
| Fortigate 2 | Fortigate 1 | BACKUP WAN | BACKUP WAN |
What type of IPsec tunnels are you creating? Is it ADVPN hub-and-spoke, or is this a site-to-site VPN tunnel? Yes, for failover purposes it would be best to create two tunnels on each WAN link, i.e. four tunnels, but you don't need to create 8 policies because you can enable multi-interface policies. So if all these tunnels will allow the same phase 2 selectors, with multi-interface policies you just need two policies.
Hello Krissie,
For redundancy purposes and SD-WAN implementation, yes, you would need 2 overlays. For the next part it depends on what topology you would like to implement. If it's a sort of full mesh where every FGT is connected to every FGT, then yes, you would need policies for all the SD-WAN zones you would create. Since the IPsec tunnels will be part of SD-WAN, you will use the SD-WAN interface in the policy (not the tunnel interfaces themselves).
If you are implementing a hub-and-spoke topology or ADVPN, you can refer to the documentation below:
https://docs.fortinet.com/document/fortigate/6.4.2/administration-guide/783373/hub-and-spoke-sd-wan-...
https://docs.fortinet.com/document/fortigate/7.2.0/sd-wan-sd-branch-architecture-for-mssps/151899/ba...
Hope this helps.
Enea
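Putting the two replies above into FortiOS CLI, as an added example that is not from either poster: on FortiGate 1, the four tunnel interfaces (one per local WAN / remote WAN pair) are placed in a single SD-WAN zone, and only two firewall policies reference that zone rather than the individual tunnels. The tunnel names, the `lan` interface and the `lan-net` / `site2-net` address objects are assumed to already exist.

```fortios
# FortiGate 1. Assumed: phase1-interfaces ol_w1_w2, ol_w1_bk,
# ol_bk_w2, ol_bk_bk already exist (local WAN -> remote WAN).
config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "ol_w1_w2"
            set zone "overlay"
        next
        edit 2
            set interface "ol_w1_bk"
            set zone "overlay"
        next
        edit 3
            set interface "ol_bk_w2"
            set zone "overlay"
        next
        edit 4
            set interface "ol_bk_bk"
            set zone "overlay"
        next
    end
end
# Two policies use the zone; no per-tunnel policies are needed.
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "overlay"
        set srcaddr "lan-net"
        set dstaddr "site2-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "overlay"
        set dstintf "lan"
        set srcaddr "site2-net"
        set dstaddr "lan-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

A static route to the remote LAN via the `overlay` zone and an SD-WAN health check across the four members complete the setup, so a failed WAN on either side simply drops that member out of the zone.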
Copyright 2024 Fortinet, Inc. All Rights Reserved.