I am trying to find out whether it is possible to do SD-WAN for Internet traffic and for traffic going through two IPsec tunnels (the endpoint on the other side will be an MX Meraki).
The remote subnets for the two IPsec tunnels will be the same, so if I configure static routes for this same subnet with the two tunnel interfaces as next hops (route-based VPN), I do not think I will be able to load-balance the traffic: there will always be a preferred route and I will not have active-active links for IPsec VPN traffic.
But with the SD-WAN feature, maybe there is a subtlety which can make this possible :)
So the purpose is to load-balance the Internet traffic and the VPN traffic between the two WAN interfaces thanks to the SD-WAN feature. Besides, I do not have a way to test it for the moment, so this is just a theoretical question.
Thanks for your feedback, I appreciate it. I read the document. In the customer's topology, we do not use BGP, but the design is similar except for the fact that we have the same subnet behind DC 1 FGT and DC 2 FGT (the LAN side).
So from what I understand, we can load-balance both VPN (tunnel interfaces) and Internet (WAN interfaces) traffic at the same time thanks to the SD-WAN feature and the remote subnets, can you confirm? :)
So typically, in the cookbook's design, we can load-balance traffic to the same subnet 10.200.1.0/24 if I understand correctly. For the configuration, is it route-based VPN? If yes, with SD-WAN, by configuring two static routes for the same remote subnet with each tunnel interface as next hop, it is possible to load-balance traffic, can you confirm that too? :)
Thanks in advance for your help, do not hesitate to ask for further information if needed.
You are right, this is always better with a schema :) You can find it in the attachment (this is a macro logical schema). So typically, I have Internet traffic through the WAN1 and WAN2 interfaces that I need to load-balance. I also have two IPsec tunnels per WAN interface (two IPsec tunnels to the FW DC1 primary and two tunnels to the FW DC2 backup). Behind these two FW DCs, I have the same subnet (10.0.0.0/8). And I also need to load-balance all the IPsec traffic which has 10.0.0.0/8 as destination subnet. (It should take the primary IPsec tunnels, except if the FW DC1 primary goes down, in which case the traffic should be sent to the FW DC2 backup.) If not, then it should be forwarded and load-balanced to the WAN interfaces through the Internet.
Here is the scenario description. Do not hesitate if you need further information.
Yes sorry, I did not succeed in attaching a PNG image, it did not work. So I did the schema in ASCII mode [attach=https://forum.fortinet.com/download.axd?file=0;159223&where=message&f=ascii sdwan.txt]ascii sdwan.txt[/attach] :p You can find it in the txt file.
Thanks Thomas, that's good enough! So let me repeat your requirements:
1. WAN1 is the primary IPsec link and WAN2 is the secondary (failover)
2. WAN1 and WAN2 should load-balance traffic 50-50 when both are alive
3. If WAN1 failed, all traffic would go over WAN2 and vice versa.
And I am not so sure about:
1. Between WAN1 and WAN2, when both links are working, you want traffic going to 10.0.0.0/8 to be load-balanced. Right? But you mentioned that you want to make WAN1 the primary. So the load-balance would be 60-40?
2. If one of WAN1 or WAN2 failed, traffic would be failed-over onto the other link. Right?
I will give you a walk-through config sample once we confirmed.
In my ASCII schema, I wanted to separate Internet traffic and IPsec traffic. But the two primary IPsec tunnels will go through the WAN1 and WAN2 interfaces (one tunnel over WAN1 and the other over WAN2). Only traffic with 10.0.0.0/8 as destination subnet should take the IPsec tunnels. So I do not really have WAN1 as primary and WAN2 as backup.
It is just that for two public IP addresses which are my IPsec endpoints, those will be my primary tunnels, and for two other public IP addresses, the tunnels will be backup.
I confirm the failover and load-balancing parts. But do not forget that I do not want only VPN traffic in SD-WAN: I also need all traffic which does not match 10.0.0.0/8 as destination to be load-balanced through the WAN1 and WAN2 interfaces.
I hope all that makes sense for you :) Do not hesitate to ask me for further information if not.
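As an added illustration of the requirements confirmed above (not from this thread, and not a Fortinet-provided sample), this is one way to express them in FortiOS 7.x CLI. Assumptions: wan1 and wan2 are already SD-WAN members 1 and 2 in the default zone, so the implicit rule load-balances everything that matches no explicit rule; the four tunnel interfaces are named DC1-wan1, DC1-wan2, DC2-wan1 and DC2-wan2; a firewall address named DC-10.0.0.0-8 covers 10.0.0.0/8; and 10.0.0.1 is a placeholder host reachable through both DCs.

```fortios
# Added example, not from the thread. Member IDs 1-2 (wan1/wan2) assumed to exist.
config system sdwan
    set status enable
    config members
        # Tunnel interface names are assumed; all stay in the default zone so that
        # a 10.0.0.0/8 flow falls back to wan1/wan2 if every tunnel is dead.
        edit 3
            set interface "DC1-wan1"
        next
        edit 4
            set interface "DC1-wan2"
        next
        edit 5
            set interface "DC2-wan1"
        next
        edit 6
            set interface "DC2-wan2"
        next
    end
    config health-check
        edit "dc-ping"
            set server "10.0.0.1"   # placeholder host behind both DCs
            set members 3 4 5 6     # marks a tunnel dead when probes fail
        next
    end
    config service
        # Rule 1: 10.0.0.0/8 spread over both DC1 tunnels (50-50 across WAN1/WAN2).
        # If both DC1 tunnels are dead the rule is skipped and rule 2 is evaluated.
        edit 1
            set name "dc-primary"
            set mode load-balance
            set dst "DC-10.0.0.0-8"   # assumed address object for 10.0.0.0/8
            set priority-members 3 4
        next
        # Rule 2: same destination over the two DC2 (backup) tunnels.
        edit 2
            set name "dc-backup"
            set mode load-balance
            set dst "DC-10.0.0.0-8"
            set priority-members 5 6
        next
    end
end
# One route for 10.0.0.0/8 via the SD-WAN zone instead of one static route per
# tunnel, so no single tunnel wins as the "preferred" next hop.
config router static
    edit 10
        set dst 10.0.0.0/8
        set sdwan-zone "virtual-wan-link"
    next
end
```

Whether the backup rule should take over only when both DC1 tunnels are dead or already when one of them fails is exactly the 60-40 question raised above, and would be settled with an SLA target on the health check rather than with the member list.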