Hello,
I am trying to find out whether it is possible to do SD-WAN for Internet traffic and for traffic going through two IPsec tunnels (the endpoint on the other side will be a Meraki MX). The remote subnets for the two IPsec tunnels will be the same, so if I configure static routes for this same subnet with the two tunnel interfaces as next hops (route-based VPN), I do not think I will be able to load-balance the traffic: there will always be a preferred route and I will not have active-active links for the IPsec VPN traffic. But with the SD-WAN feature, maybe there is a subtlety which can make this possible :) So the purpose is to load-balance the Internet traffic and the VPN traffic between the two WAN interfaces thanks to the SD-WAN feature. Besides, I do not have a way to test it for the moment, so this is just a theoretical question.
Thanks in advance,
Thomas
Hi Thomas_AA
Yes, you can configure your two IPsec links as active-active to load-balance your traffic with the SD-WAN algorithm.
Please take a look at this document, which is very helpful: http://cookbook.fortinet....oyment-example-expert/
For the detailed configuration, if you need it, please post your specific requirements and topology here. Keep in touch!
Hi Thomas, thanks for the quick response!
Thomas_AA wrote:
It is just that for two public IP addresses, which are my IPsec endpoints, those will be my primary tunnels, and for two other public IP addresses, the tunnels will be backups.
So you have two tunnels on each WAN link?
Here is my topology, focusing on your branch FW.
Hi Ericli,
Yes, I have two tunnels for each WAN link (one to the primary remote FW and the other one to the backup remote FW, and as I need to use SD-WAN, that makes four tunnels). In your topology, for the four IPsec tunnels, the remote subnet is the same: 10.0.0.0/8. And I do not have other traffic which should go over a VPN tunnel (I do not have 11.0.0.0/8, for example). All traffic which does not match 10.0.0.0/8 is considered normal traffic and goes through the Internet interfaces (WAN1 and WAN2).
Thomas_AA wrote: Yes, I have two tunnels for each WAN link (one to the primary remote FW and the other one to the backup remote FW, and as I need to use SD-WAN, that makes four tunnels).
Hi Thomas,
Thanks for reply.
So on each WAN link you need to configure 2 tunnels, and these 2 tunnels go to 2 different remote firewalls? Am I right?
Eric
Hi Eric,
Yes, exactly, you are right. But on the two remote firewalls (one is primary, the other one backup), I have the same subnet (10.0.0.0/8).
Thomas
Hi Thomas, if so, I wonder how you configure your routing on the branch firewall? For subnet 10.0.0.0/8, which interface should the packets be sent out from?
Hi Eric,
Well, this is the aim of my post :) In my first post, I wrote:
"The remote subnets for the two IPsec tunnels will be the same, so if I configure static routes for this same subnet with the two tunnel interfaces as next hops (route-based VPN), I do not think I will be able to load-balance the traffic: there will always be a preferred route and I will not have active-active links for the IPsec VPN traffic. But with the SD-WAN feature, maybe there is a subtlety which can make this possible :)"
For me, with my Fortinet knowledge, this is not possible, but I was expecting that with the SD-WAN feature it would be possible.
Hi Eric,
Do you have any feedback for me? Can you confirm whether it is possible or not, please? :)
Thanks,
Thomas
Hi Thomas, sorry for the late reply. I've been working on other projects these days. Yes, the answer is yes, it's doable. Now it's like this:
                (port33 10.1.100.125/24)           (10.1.100.165/24 internal1)
        FGT-A <--------------------- ISP ---------------------> FGT-B
                (port34 172.16.200.125/24)         (172.16.200.165/24 internal2)
1. Configure 2 route-based IPsec VPN tunnels on these two links:
FGT-A:
FGT2KE3916900014 # sh vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "20-1"
set interface "port33"
set peertype any
set proposal aes128-sha1
set remote-gw 10.1.100.165
set psksecret ENC PdgvsxmwUXSpLgbh01QwJLXveno5TG6kHfTDuudEyLh9XDFQ0uGvLFib3e/Osv8kVH4FebQJSRLij5X5nUCsSXwiDpzg176fUp+GFGv2q+L9oR55eYClOBgwTcfb1WaFekbOAuWCv6wwPrmRqmFBYcnTle8OnqHAzWdbP1Y9W4SYXMmz5L3ZSeg4nJ1YG9Lj5pafFg==
next
edit "30-1"
set interface "port34"
set peertype any
set proposal aes128-sha1
set remote-gw 172.16.200.165
set psksecret ENC HpHW9i1GcNxStnOVgxERVrLWC0DbwCixKXJ4W8zFYijQQajBZBkPkQxL0c6yz2CfCfzAht/plKd84apTTlRdRqPhpBaCEQC78Blai004c9D2DC83YFNzY92wemt6cuVzIYDLEE1DpVftIBM/6GmWjsaEgUP4BudsTyLyrAs+DK/zpEOEJXeT/G5bHlVuk3CzoM0lGQ==
next
end
FGT-B:
FW60EJTK18000005 # sh vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "20-1"
set interface "internal1"
set peertype any
set proposal aes128-sha1
set remote-gw 10.1.100.125
set psksecret ENC gOhBODotKU5i/v+oppOQHBG00RJvdXfpkHHxx8bTpn01KVREgXbvWHtjVYw3pcTake75d/ONebp8I2LXmG6kN+p3OgsPBmQQrXYWuDDCv2exN8WWGuzMRfLqY+dCCHBnbGyI1q4ZKfZ/SvHrVg6vK1wQazBCaANynKyC3QAiM847ie50D+BuwMxA2mBqx0l7eHWoPA==
next
edit "30-1"
set interface "internal2"
set peertype any
set proposal aes128-sha1
set remote-gw 172.16.200.125
set psksecret ENC Y9pM8HkYoxmxvPG9nvVgiVFff88lxWHAHFlbzK3TcSb/g6NQDN+jJNg0X0LbjbbQufvsBpYj48sW2uoJZiqNLNQAD0e5YOb46+GJCSzQT8kDDERUmtFQi7bFion3hHCDK63lVzYq3Bp8WUbO4U1Vikt2AKGUzD0Lm8efgjC3jGQ5/w3eueeIQlgEndj1S6g462SWgQ==
next
end
2. Create a policy for IKE.
FGT-A:
config firewall policy
edit 1
set uuid 3674c742-31e4-51e8-8d9e-5ef09ebba45f
set srcintf "20-1"
set dstintf "port33"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set uuid 0a558d16-31e6-51e8-72c8-ae2103dce40d
set srcintf "30-1"
set dstintf "port34"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
FGT-B:
config firewall policy
edit 1
set uuid ff3324da-31df-51e8-db07-53e475ddf936
set srcintf "20-1"
set dstintf "internal1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set uuid 3ef847ca-31e6-51e8-c31a-f4ef5cbe1b4b
set srcintf "30-1"
set dstintf "internal2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
3. Configure the tunnel interfaces:
FGT-A:
FGT2KE3916900014 # sh sys interface 20-1
config system interface
edit "20-1"
set vdom "root"
set ip 1.1.1.125 255.255.255.255
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
set type tunnel
set remote-ip 1.1.1.165
set role wan
set snmp-index 43
set interface "port33"
next
end
FGT2KE3916900014 # sh sys interface 30-1
config system interface
edit "30-1"
set vdom "root"
set ip 2.2.2.125 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 2.2.2.165
set role wan
set snmp-index 44
set interface "port34"
next
end
FGT-B:
FW60EJTK18000005 # sh sys interface 20-1
config system interface
edit "20-1"
set vdom "root"
set ip 1.1.1.165 255.255.255.255
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap
set type tunnel
set remote-ip 1.1.1.125
set role wan
set snmp-index 13
set interface "internal1"
next
end
FW60EJTK18000005 # sh sys interface 30-1
config system interface
edit "30-1"
set vdom "root"
set ip 2.2.2.165 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 2.2.2.125
set role wan
set snmp-index 14
set interface "internal2"
next
end
4. These two pairs of tunnel interfaces should be reachable from each other:
FGT2KE3916900014 # execute ping 2.2.2.165
PING 2.2.2.165 (2.2.2.165): 56 data bytes
64 bytes from 2.2.2.165: icmp_seq=0 ttl=255 time=0.2 ms
64 bytes from 2.2.2.165: icmp_seq=1 ttl=255 time=0.1 ms
^C
--- 2.2.2.165 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms
FGT2KE3916900014 # execute ping 1.1.1.165
PING 1.1.1.165 (1.1.1.165): 56 data bytes
64 bytes from 1.1.1.165: icmp_seq=0 ttl=255 time=0.2 ms
64 bytes from 1.1.1.165: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 1.1.1.165: icmp_seq=2 ttl=255 time=0.1 ms
^C
--- 1.1.1.165 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms
5. On these two pairs of VPN tunnel interfaces, you can configure SD-WAN:
FGT-A:
FGT2KE3916900014 # sh sys virtual-wan-link
config system virtual-wan-link
set status enable
config members
edit 1
set interface "20-1"
set gateway 1.1.1.165
next
edit 2
set interface "30-1"
set gateway 2.2.2.165
next
end
end
I suggest you configure SD-WAN via the GUI because it's fully functional and much easier.
6. If you need to route the same subnet over both tunnels via SD-WAN, there are two possible solutions, depending on your ISP. If your ISP supports VXLAN, you could encapsulate your 10.0.0.0/8 from FGT-A and send it to FGT-B. If it doesn't, you could use a firewall VIP to solve this. But if you use the VIP solution, you need to configure it before you configure SD-WAN. Please let me know if you need detailed information about this.
Hi Eric,
Thanks for your reply and the configuration example. About point 6, the ISP does not support VXLAN. But yes, if you can give me further information about the VIP, that would be great. This solution is better suited to us.
Thanks in advance,
Thomas
Hi Thomas,
Basically you need to configure:
1. Create a VIP:
config firewall vip
edit "1"
set comment "loop1"
set extip 192.168.165.165 ### This is the IP address for your remote site
set extintf "20-1" ### This is the tunnel interface
set mappedip "10.10.10.165" ### This is your internal subnet e.g. 10.0.0.0/8
next
end
2. You need to create a new firewall policy that uses this VIP as the destination address:
config firewall policy
edit 3
set srcintf "20-1" ### This is your tunnel interface, where external traffic comes in from
set dstintf "loop1" ### This interface connect to your internal network 10.0.0.0/8
set srcaddr "all"
set dstaddr "1" ### This is the VIP your create in step 1
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
3. You need to configure a new static route at your remote site:
config router static
edit 1
set dst 192.168.165.165 255.255.255.255
set device "20-1"
next
end
4. Replicate steps 1, 2 and 3 at the remote site.
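The SD-WAN part of Eric's steps 1 to 5, and the "same subnet over both tunnels" question behind his point 6, can also be handled with a single static route that points at SD-WAN instead of VXLAN or a VIP. What follows is an added example written for this page; it is not configuration from the thread or from Fortinet documentation. It assumes FortiOS 6.0 CLI syntax (matching the "config system virtual-wan-link" output above; 6.2 and later write "set sdwan enable" on the route instead of "set virtual-wan-link enable"), reuses the lab addresses from the thread, and the names "internal", "hub-10-8", "20-2"/"30-2", the health-check target 10.0.0.1, the ISP gateways 10.1.100.1 and 172.16.200.1, and the <pre-shared-key> placeholder are assumptions. The "###" lines are notes in the style Eric used above, not CLI input. Tunnel interface addressing is the same as in Eric's step 3, with allowaccess reduced to ping.

```text
### Added example for branch FGT-A (FortiOS 6.0 syntax), not the thread's lab
### config. Assumed: "internal" LAN port, "hub-10-8" address object, backup
### tunnels "20-2"/"30-2", hub host 10.0.0.1, ISP gateways, <pre-shared-key>.

### 1. Primary tunnels, one per WAN link: IKEv2, DPD, and a stronger
###    proposal than the lab's aes128-sha1. Phase 2 has no selectors, i.e.
###    0.0.0.0/0 both sides, which is what a route-based tunnel needs.
config vpn ipsec phase1-interface
    edit "20-1"
        set interface "port33"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set remote-gw 10.1.100.165
        set psksecret <pre-shared-key>
    next
    edit "30-1"
        set interface "port34"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set remote-gw 172.16.200.165
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "20-1-p2"
        set phase1name "20-1"
        set auto-negotiate enable
    next
    edit "30-1-p2"
        set phase1name "30-1"
        set auto-negotiate enable
    next
end

### 2. Both tunnels become SD-WAN members. The health check pings a host
###    behind the hub through each tunnel; a member that fails the check is
###    withdrawn from the routing table and the other tunnel carries everything.
config system virtual-wan-link
    set status enable
    set load-balance-mode source-dest-ip-based
    config members
        edit 1
            set interface "20-1"
            set gateway 1.1.1.165
        next
        edit 2
            set interface "30-1"
            set gateway 2.2.2.165
        next
    end
    config health-check
        edit "hub-reach"
            set server "10.0.0.1"
            set protocol ping
            set members 1 2
        next
    end
end

### 3. One route for 10.0.0.0/8 that points at SD-WAN, so both primary
###    tunnels are active. The backup-hub tunnels "20-2"/"30-2" (built like
###    step 1 against the backup FW's addresses) stay out of SD-WAN and only
###    carry a higher-distance route, so they take over when both primaries
###    fail. Internet traffic: two equal-distance default routes, plain ECMP.
config router static
    edit 10
        set dst 10.0.0.0 255.0.0.0
        set virtual-wan-link enable
    next
    edit 11
        set dst 10.0.0.0 255.0.0.0
        set device "20-2"
        set distance 20
    next
    edit 12
        set dst 10.0.0.0 255.0.0.0
        set device "30-2"
        set distance 20
    next
    edit 1
        set gateway 10.1.100.1
        set device "port33"
    next
    edit 2
        set gateway 172.16.200.1
        set device "port34"
    next
end

### 4. Policies reference the SD-WAN pseudo-interface, not the member
###    tunnels, and are scoped to the hub prefix instead of "all".
config firewall address
    edit "hub-10-8"
        set subnet 10.0.0.0 255.0.0.0
    next
end
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "hub-10-8"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

A matching policy from "virtual-wan-link" to "internal" with "hub-10-8" as source is needed for traffic initiated from the hub. To check the result, "diagnose sys virtual-wan-link health-check" should show both members passing the probe, "diagnose sys virtual-wan-link member" should list both tunnels, and "get router info routing-table all" should show 10.0.0.0/8 through each primary tunnel interface; pull one tunnel down and the route should remain via the other before the distance-20 backup routes ever appear. The backup hub's tunnels are deliberately kept out of the load-balancing group because the requirement in the thread is primary/backup failover, not four-way balancing.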
Copyright 2024 Fortinet, Inc. All Rights Reserved.