we had a pretty nice zone based basic configuration for new implementation. this got more complicated when the sd-wan interface was introduced. because it acts a little different.
from 6.2.1 it is possible to create firewall policies on the interfaces that are part of the sd-wan interface.
it is also possible to add these interfaces to zone, so again it should be possible to create all firewall policies based on zones. which in my opinion makes way more sense, specially if you share WAN (public) and VPN connectivity (private) on one sd-wan interface.
anyone been working on this? issues or working fine?
it did some basic testing with vpn interfaces and ended up with being unable to run diagnose debug ike ... at some point getting this error
could not connect to virtual server on /tmp/iked_recv_socket
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I'm 100% sure you can't put a sdwan virtual interface into a zone. Only real-physical or virtual-802.1q interfaces. You have a 6.2.x fortiOS with a "virtual-wan-link" in a system zone, than share the cfg.
And another tip, you can not put a loop interfaces into a zone either.
Ken Felix
PCNSE
NSE
StrongSwan
yeah im aware you cant put the sd-wan interface in a zone. i was looking to put the interfaces which are part of the sd-wan interface in a zone
so like this
config system virtual-wan-link set status enable config members edit 1 set interface "wan1" next edit 2 set interface "wan2" next edit 3 set interface "vpn-p1-wan1" next edit 4 set interface "vpn-p1-wan2" next end end config system zone edit "zone-vpn" set interface "vpn-p1-wan1" "vpn-p1-wan2" next edit "zone-wan" set interface "wan1" "wan2" next end
this actually is configuration wise possible and seems to work fine for wan, only for vpn it doesnt behave nicely.
Hi all,
Do you have extra information about "could not connect to virtual server on /tmp/iked_recv_socket" error?
I'm getting this error when I try to execute some commands related to IPSec VPN Tunnels
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1710 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.