Hello,
I am trying to know if it is possible to do SD-WAN for Internet traffic and traffic going through two IPsec tunnels (the endpoint on the other side will be a Meraki MX). The remote subnets for the two IPsec tunnels will be the same, so if I am configuring static routes for this same subnet with the two tunnel interfaces as next hop (route-based VPN), I do not think I will be able to load-balance the traffic: there will always be a preferred route and I will not have active-active links for IPsec VPN traffic. But with the SD-WAN feature, maybe there is a subtlety which can make this possible :) So the purpose is to load-balance the Internet traffic and VPN traffic between the two WAN interfaces thanks to the SD-WAN feature. Besides, I do not have a way to test it for the moment, so this is just a theoretical question.
Thanks in advance,
Thomas
Hi Thomas_AA
Yes, you can configure your two IPsec links as active-active to load-balance your traffic with the SD-WAN algorithm.
Please take a look at this document, which is very helpful: http://cookbook.fortinet....oyment-example-expert/
For detailed configuration, if you need it, please post your specific requirements and topology here. Keep in touch!
Hi Eric,
Can you explain to me the notion of VIP here? For me, the term VIP on a FortiGate is for destination NAT.
And what about the route configuration? Do I still need to configure two static routes for 10.0.0.0/8?
When you wrote "IP address for your remote site", do you mean the public IP of the remote firewall?
Thanks again for your help
Yes, you are right. It's dst-NAT.
On fgt-a, it dst-NATs the internal subnet to 192.168.165.165.
On fgt-b, it dst-NATs the internal subnet to 192.168.125.125.
So you don't need to (actually, you would not be able to) route 10.0.0.0/8 between your two edge devices. If you configure a static route for 10.0.0.0/8, your edge device couldn't tell which interface to use for 10.0.0.0/8, internal or external.
Because you need to let the edge device know how to get to the right destination.
If you didn't do the dst-NAT, the edge device would be confused when it received a packet with dst in your internal subnet. Right?
Imagine that you have two identical subnets in different locations: on your edge device, would there be two routes with the same dst but different outgoing devices? It doesn't make sense.
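A constructed model of the forwarding decision Eric describes, added here (it is not FortiOS code and not from the cookbook): the edge's longest-prefix lookup ties between the two tunnels when both point at 10.0.0.0/8, while the per-site VIP addresses resolve uniquely and are translated back to the LAN at the far end. The tunnel names vpn-a/vpn-b and the mapped internal host 10.1.1.10 are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the edge device's forwarding decision (not FortiOS code).
# Both remote sites use 10.0.0.0/8 internally; vpn-a reaches fgt-a, vpn-b reaches fgt-b.

# Option 1 (Thomas's proposal): one static route per tunnel for the same subnet.
OVERLAP_ROUTES = [
    (ip_network("10.0.0.0/8"), "vpn-a"),
    (ip_network("10.0.0.0/8"), "vpn-b"),
]

# Option 2 (Eric's reply): each remote FortiGate exposes its LAN behind a VIP,
# so the edge device only routes the unique external address of each site.
VIP_ROUTES = [
    (ip_network("192.168.165.165/32"), "vpn-a"),
    (ip_network("192.168.125.125/32"), "vpn-b"),
]
# Far-end dst-NAT tables; the mapped internal host 10.1.1.10 is a constructed value.
REMOTE_VIP = {
    "vpn-a": {ip_address("192.168.165.165"): ip_address("10.1.1.10")},
    "vpn-b": {ip_address("192.168.125.125"): ip_address("10.1.1.10")},
}

def lookup(routes, dst):
    """Longest-prefix match returning every interface tied at the best prefix."""
    dst = ip_address(dst)
    hits = [(net, iface) for net, iface in routes if dst in net]
    if not hits:
        return []
    best = max(net.prefixlen for net, _ in hits)
    return sorted(iface for net, iface in hits if net.prefixlen == best)

def deliver(routes, dst):
    """Select the tunnel, then apply the far-end VIP translation.
    Returns (tunnel, inner_dst), or a string when the edge cannot decide."""
    ifaces = lookup(routes, dst)
    if len(ifaces) != 1:
        return f"ambiguous: {ifaces}" if ifaces else "no route"
    tunnel = ifaces[0]
    inner = REMOTE_VIP.get(tunnel, {}).get(ip_address(dst), ip_address(dst))
    return (tunnel, inner)

if __name__ == "__main__":
    print(deliver(OVERLAP_ROUTES, "10.1.1.10"))    # ambiguous: ['vpn-a', 'vpn-b']
    print(deliver(VIP_ROUTES, "192.168.165.165"))  # ('vpn-a', IPv4Address('10.1.1.10'))
    print(deliver(VIP_ROUTES, "192.168.125.125"))  # ('vpn-b', IPv4Address('10.1.1.10'))
```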