boneyard
Valued Contributor

SD-WAN and zones

We had a pretty nice zone-based basic configuration for a new implementation. This got more complicated when the SD-WAN interface was introduced, because it acts a little differently.

From 6.2.1 it is possible to create firewall policies on the interfaces that are part of the SD-WAN interface.

It is also possible to add these interfaces to a zone, so again it should be possible to create all firewall policies based on zones, which in my opinion makes way more sense, especially if you share WAN (public) and VPN connectivity (private) on one SD-WAN interface.

Anyone been working on this? Issues or working fine?

I did some basic testing with VPN interfaces and ended up being unable to run diagnose debug ike ..., at some point getting this error:

could not connect to virtual server on /tmp/iked_recv_socket

emnoc
Esteemed Contributor III

I'm 100% sure you can't put an SD-WAN virtual interface into a zone, only real physical or virtual 802.1q interfaces. If you have a 6.2.x FortiOS with a "virtual-wan-link" in a system zone, then share the cfg.

And another tip: you cannot put a loop interface into a zone either.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  
boneyard
Valued Contributor

Yeah, I'm aware you can't put the SD-WAN interface in a zone. I was looking to put the interfaces which are part of the SD-WAN interface in a zone.

So like this:

    config system virtual-wan-link
        set status enable
        config members
            edit 1
                set interface "wan1"
            next
            edit 2
                set interface "wan2"
            next
            edit 3
                set interface "vpn-p1-wan1"
            next
            edit 4
                set interface "vpn-p1-wan2"
            next
        end
    end
    config system zone
        edit "zone-vpn"
            set interface "vpn-p1-wan1" "vpn-p1-wan2"
        next
        edit "zone-wan"
            set interface "wan1" "wan2"
        next
    end

This actually is configuration-wise possible and seems to work fine for WAN; only for VPN it doesn't behave nicely.
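One thing worth checking when policies move from individual SD-WAN member interfaces to zones is that every member actually lands in exactly one zone, otherwise traffic on the leftover member matches no zone-based policy at all. The script below is an added example (not from this thread, not Fortinet tooling): a small parser for the FortiOS config/edit/set/next/end format, fed with the configuration posted above as a constructed sample, that lists the virtual-wan-link members, maps each interface to its zones, and reports members that are unzoned or zoned twice. It inspects the configuration text only and says nothing about runtime behaviour such as the iked socket error mentioned earlier; the function and variable names are the example's own.

```python
import shlex

# Constructed sample: the configuration posted in this thread, reformatted.
SAMPLE_CONFIG = """\
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
        next
        edit 3
            set interface "vpn-p1-wan1"
        next
        edit 4
            set interface "vpn-p1-wan2"
        next
    end
end
config system zone
    edit "zone-vpn"
        set interface "vpn-p1-wan1" "vpn-p1-wan2"
    next
    edit "zone-wan"
        set interface "wan1" "wan2"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config into nested dicts.

    'config a b' opens a block keyed 'a b'; 'edit X' opens an entry keyed X
    inside the enclosing block; 'set k v1 v2' stores k -> [v1, v2];
    'next' and 'end' close the innermost block. Unknown keywords are ignored.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # honours the double-quoted names
        keyword, args = words[0], words[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def sdwan_members(cfg):
    """Interfaces listed under config system virtual-wan-link / config members."""
    members = cfg.get("system virtual-wan-link", {}).get("members", {})
    return sorted(
        entry["interface"][0]
        for entry in members.values()
        if isinstance(entry, dict) and "interface" in entry
    )


def zone_membership(cfg):
    """Map each interface referenced by a zone to the list of zones naming it."""
    result = {}
    for zone, body in cfg.get("system zone", {}).items():
        for iface in body.get("interface", []):
            result.setdefault(iface, []).append(zone)
    return result


def check_zone_coverage(cfg):
    """Report SD-WAN members with no zone and interfaces claimed by several zones."""
    zones = zone_membership(cfg)
    unzoned = [m for m in sdwan_members(cfg) if m not in zones]
    multi_zoned = {i: z for i, z in zones.items() if len(z) > 1}
    return {"unzoned": unzoned, "multi_zoned": multi_zoned}


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("SD-WAN members:", sdwan_members(cfg))
    print("zone membership:", zone_membership(cfg))
    print("coverage check:", check_zone_coverage(cfg))
```

To run it against a real box, replace SAMPLE_CONFIG with the relevant sections of a `show full-configuration` dump; the parser only needs the `system virtual-wan-link` and `system zone` blocks. For the posted configuration the check comes back clean, which is what you want before any policy that still references a bare member interface is removed.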

Pablo_Molina

Hi all,

Do you have extra information about the "could not connect to virtual server on /tmp/iked_recv_socket" error?

I'm getting this error when I try to execute some commands related to IPsec VPN tunnels.
