Thomas_AA

SD-WAN feature for Internet and VPN IPsec traffic

Hello,

I am trying to find out whether it is possible to do SD-WAN for Internet traffic and for traffic going through two IPsec tunnels (the endpoint on the other side will be a Meraki MX). The remote subnets for the two IPsec tunnels will be the same, so if I configure static routes for this same subnet with the two tunnel interfaces as next hops (route-based VPN), I do not think I will be able to load-balance the traffic: there will always be a preferred route and I will not have active-active links for VPN IPsec traffic. But with the SD-WAN feature, maybe there is a subtlety which can make this possible :) So the purpose is to load-balance the Internet traffic and the VPN traffic between the two WAN interfaces thanks to the SD-WAN feature. Besides, I do not have a way to test it for the moment, so this is just a theoretical question.

 

Thanks in advance,

 

Thomas

Thomas_AA

Hi everyone,

 

Can anyone help me with this question? :(

 

Thanks in advance for your feedback :)

 

Thomas

ericli_FTNT

Hi Thomas_AA

 

Yes, you can configure your two IPsec links as active-active to load-balance your traffic with the SD-WAN algorithm.

 

Please take a look at this document which is very helpful http://cookbook.fortinet....oyment-example-expert/

 

If you need a detailed configuration, please post your specific requirements and topology here. Keep in touch!

Thomas_AA

Hello Ericli,

 

Thanks for your feedback, I appreciate it. I read the document. In the customer's topology we do not use BGP, but the design is similar except that we have the same subnet behind the DC1 FGT and the DC2 FGT (on the LAN side).

So from what I understand, thanks to the SD-WAN feature we can load-balance both VPN (tunnel interfaces) and Internet (WAN interfaces) traffic at the same time, based on the remote subnets. Can you confirm? :)

So typically, in the cookbook's design, we can load-balance traffic to the same subnet 10.200.1.0/24 if I understand correctly. For the configuration, is it route-based VPN? If yes, with SD-WAN, by configuring two static routes for the same remote subnet with each tunnel interface as next hop, is it possible to load-balance the traffic? Can you confirm that too? :)

 

Thanks in advance for your help, do not hesitate to ask further information if needed.

 

Thomas

ericli_FTNT

Hi Thomas,

 

You are welcome! If possible, please upload a concept diagram or a text topology, so that I can try to give you a sample configuration.

Thomas_AA

Hi Ericli,

 

You are right, it is always better with a diagram :) You can find it in the attachment (this is a high-level logical diagram). So typically, I have Internet traffic through the WAN1 and WAN2 interfaces that I need to load-balance. I also have two IPsec tunnels per WAN interface (two IPsec tunnels to the FW DC1 primary and two tunnels to the FW DC2 backup). Behind these two DC FWs, I have the same subnet (10.0.0.0/8). And I also need to load-balance all the IPsec traffic which has 10.0.0.0/8 as destination subnet. (It should take the primary IPsec tunnels, except if the FW DC1 primary goes down; then the traffic should be sent to the FW DC2 backup.) If not, then it should be forwarded and load-balanced to the WAN interfaces through the Internet.

 

Here is the scenario description. Do not hesitate if you need further information.

 

Thanks in advance !

 

Thomas

 

ericli_FTNT

It seems that there is no attachment.

Thomas_AA

Hi Ericli,

 

Yes, sorry, I did not manage to attach a PNG image; it did not work. So I did the diagram in ASCII mode :p You can find it in the txt file.

 

Thanks again,

 

Thomas

ericli_FTNT

Thomas_AA wrote:

Hi Ericli,

 

Yes, sorry, I did not manage to attach a PNG image; it did not work. So I did the diagram in ASCII mode (attachment: ascii sdwan.txt, https://forum.fortinet.com/download.axd?file=0;159223&where=message&f=ascii sdwan.txt) :p You can find it in the txt file.

 

Thanks again,

 

Thomas

Thanks Thomas, that's good enough! So let me repeat your requirements:

 

1. WAN1 is the primary IPSEC link and WAN2 is the secondary (failover)

2. WAN1 and WAN2 should load-balance traffic by 50-50 when both are alive

3. If WAN1 fails, all traffic goes over WAN2, and vice versa.

 

And I am not so sure about:

 

1. Between WAN1 and WAN2, when both links are working, you want traffic going to 10.0.0.0/8 to be load-balanced, right? But you mentioned that you want to make WAN1 the primary. So would the load balance be 60-40?

2. If one of WAN1 or WAN2 fails, traffic fails over onto the other link, right?

 

I will give you a walk-through configuration sample once we have confirmed this.

Thomas_AA

Ericli,

 

In my ASCII diagram, I wanted to separate Internet traffic and IPsec traffic. But the two primary IPsec tunnels will go through the WAN1 and WAN2 interfaces (one tunnel over WAN1 and the other over WAN2). Only traffic with 10.0.0.0/8 as destination subnet should take the IPsec tunnels. So I do not really have WAN1 as primary and WAN2 as backup.

It is just that for two public IP addresses, which are my IPsec endpoints, the tunnels will be my primary tunnels, and for two other public IP addresses, the tunnels will be the backup.

I confirm the failover and load-balancing parts. But do not forget that I do not want only VPN traffic in SD-WAN; I also need all traffic which does not match 10.0.0.0/8 as destination to be load-balanced through the WAN1 and WAN2 interfaces.

 

I hope all that make sense for you :) Do not hesitate to ask me further information if not.

 

Thanks in advance,

Best regards,

 

Thomas
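One way to build what Thomas describes (two uplinks, a primary and a backup DC reachable over one tunnel per uplink, the same 10.0.0.0/8 behind both DCs, everything else load-balanced over the uplinks), as an added configuration example that is not part of this thread and not Fortinet's own cookbook configuration. It assumes FortiOS 6.0-era `config system virtual-wan-link` CLI syntax (newer releases use `config system sdwan` with zones) and that `update-static-route` is available under the health check; the interface names, the gateway and probe addresses (RFC 5737 documentation ranges) and the choice of distances are all assumptions. The idea is that SD-WAN never has to express "prefer DC1, fall back to DC2" itself: the four tunnel routes share one prefix, the DC1 pair sits in the routing table as an ECMP pair because of its lower distance, and the implicit SD-WAN rule spreads sessions across whichever members currently hold a route. When the probe fails over both DC1 tunnels, their routes are withdrawn and the DC2 pair takes over the same way.

```fortios
# Added example (not from this thread or Fortinet documentation).
# Assumes FortiOS 6.0-era "virtual-wan-link" CLI; interface names and all
# IP addresses (RFC 5737 ranges) are assumptions.
# Assumed interfaces: wan1/wan2 = Internet uplinks,
#   vpn-dc1-wan1, vpn-dc1-wan2 = route-based tunnels to the primary DC,
#   vpn-dc2-wan1, vpn-dc2-wan2 = route-based tunnels to the backup DC.

config system virtual-wan-link
    set status enable
    # the implicit rule balances sessions across every alive member that
    # holds a route to the destination in the routing table
    set load-balance-mode source-dest-ip-based
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
        next
        edit 3
            set interface "vpn-dc1-wan1"
        next
        edit 4
            set interface "vpn-dc1-wan2"
        next
        edit 5
            set interface "vpn-dc2-wan1"
        next
        edit 6
            set interface "vpn-dc2-wan2"
        next
    end
    config health-check
        edit "dc-reachability"
            # assumed host that answers ping through every tunnel; with the
            # same subnet behind both DCs it must exist behind both of them
            set server "10.0.0.10"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            # withdraw the static route of a member whose probe fails, so a
            # tunnel whose far end died stops attracting 10.0.0.0/8 traffic
            set update-static-route enable
            set members 3 4 5 6
        next
    end
end

config router static
    # equal-cost default routes: Internet traffic is spread over wan1/wan2
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
    next
    edit 2
        set device "wan2"
        set gateway 198.51.100.1
    next
    # same prefix via all four tunnels; the DC1 pair wins on distance, so
    # both DC1 tunnels are in the table (ECMP) and the DC2 pair only
    # appears after the health check has withdrawn both DC1 routes
    edit 3
        set dst 10.0.0.0 255.0.0.0
        set device "vpn-dc1-wan1"
        set distance 10
    next
    edit 4
        set dst 10.0.0.0 255.0.0.0
        set device "vpn-dc1-wan2"
        set distance 10
    next
    edit 5
        set dst 10.0.0.0 255.0.0.0
        set device "vpn-dc2-wan1"
        set distance 20
    next
    edit 6
        set dst 10.0.0.0 255.0.0.0
        set device "vpn-dc2-wan2"
        set distance 20
    next
end
```

Three things a practitioner would check before trusting this. First, the six interfaces must not be referenced by any existing policy or route when they are added as members; afterwards, egress policies are written against the `virtual-wan-link` interface, and the policy for LAN to 10.0.0.0/8 must sit above the catch-all Internet policy and have NAT disabled, otherwise DC-bound sessions get source-NATed into the tunnels. Second, the phase 2 selectors on both ends of each tunnel must cover LAN-to-10.0.0.0/8, or the tunnel route will exist while the SA silently drops the traffic. Third, confirm the behaviour on the running version with `get router info routing-table all` (only the two DC1 tunnel routes should be present while they are healthy) and `diagnose sys virtual-wan-link health-check`, since Fortinet's cookbook uses a single default route with `set virtual-wan-link enable` rather than the two explicit default routes above, and the exact CLI differs between releases.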

 
