RDM
New Contributor

SD-WAN conflicts with VPN SSL + IPSEC + VIP ?

Hello,

I'm trying to improve my setup.

I have a new FortiGate unit with 2 ISPs: 1 primary and 1 backup, under FortiOS 7.2.3.

So I followed this https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/431448/sd-wan-overview in order to add my wan1 and wan2 into virtual-wan-link. I configured a cost of 0 on WAN1 and a cost of 10 on WAN2.

I added the default static route through virtual-wan-link. However, I cannot manage the distance and priority of this route, and I'm not sure my VPNs (IPsec + SSL) will continue to work.

When I created a VPN (without SD-WAN), I used to create a static route to the VPN interface with a lower distance than my default route.

But now, I can only create a static route with the same priority. Will it work?

I read this https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984... but I'm not sure if it's mandatory?

Unfortunately I cannot test right now. I need to create and prepare my setup before going into production. So I wonder if anyone has already experimented with a setup like mine:

  • SD-WAN primary/backup for WAN1 and WAN2
  • SSL VPN / IPsec / VIP on WAN1 ONLY

Do I need to configure something more, or review my priorities, to get my VPNs working along with my new SD-WAN setup?

Let me know if you need more info or if it's not clear.

Thanks!

Julien87
Contributor

Hello RDM,

I have almost the same configuration as you, but with a centralized Internet output and ADVPN.
I recommend that you use the SD-WAN rules and SLA as indicated in the last link you put, in order to ensure that the flow goes through the link you want.
I use this feature to distribute my load between my 2 VPN links, for example.

Julien
RDM
New Contributor

Hi Julien,

Thanks for your answer.

So I would need to configure SD-WAN rules for my IPsec + SSL VPN + VIP traffic?

However, I don't know what to create. Do you have any example for me?

 

Julien87

Hi, SD-WAN rules are only for your outbound traffic. SSL VPN or VIP are allowed in on your wan1 interface.

Best Regards,

Julien
RDM
New Contributor

OK, same for IPsec, I guess? So I don't need to do anything?

What about my static route to my remote subnet, which cannot be "before" my default one?

 

 

Julien87

Hi,

After our exchange by PM, the FortiGate uses the most strict route for your VPN traffic in your routing table.

You can close this post, if it's okay for you.

Have a nice day

Julien
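To illustrate the route-selection point the accepted answer relies on, here is an added example that is not from the original thread and is not FortiOS code: a simplified Python model of routing-table lookup in which the longest (most specific) prefix always wins, and administrative distance and priority only break ties between routes for the same prefix. The prefixes, interface names and addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    """One static route: prefix, egress device, distance, priority."""
    prefix: str
    device: str
    distance: int = 10   # default administrative distance for static routes
    priority: int = 1

    @property
    def network(self):
        return ip_network(self.prefix)


def best_route(routes, dst):
    """Return the route a router would pick for dst, or None.

    Simplified selection model: longest prefix match first; distance and
    then priority only decide between routes covering the same prefix.
    """
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-r.network.prefixlen, r.distance, r.priority),
    )


# Constructed sample table mirroring the thread's situation: a default route
# through the SD-WAN virtual interface, plus a remote-subnet route through an
# IPsec tunnel that has the SAME distance and priority as the default.
ROUTING_TABLE = [
    Route("0.0.0.0/0", "virtual-wan-link"),
    Route("192.168.50.0/24", "vpn-site-b"),   # hypothetical tunnel interface
]

if __name__ == "__main__":
    for dst in ("192.168.50.10", "8.8.8.8"):
        r = best_route(ROUTING_TABLE, dst)
        print(f"{dst:>15} -> {r.device} ({r.prefix}, distance {r.distance})")
```

Traffic to the remote subnet still leaves via the tunnel even though its route is no "better" than the default by distance or priority; the /24 simply covers the destination more specifically than /0.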