Hello colleagues, maybe someone can help. I have configured an SDWAN, which consists of two WAN interfaces. Everything is working properly. I want to force a route to the specified IP addresses through one link and the rest through the other. I configured SD-WAN rules, a rule on the firewall internal-->sdwan with NAT and it works fine. Now on one of them I made an ipsec VPN. Also I added it to SDWAN and I am trying to force the same operation. The problem is that I need to add the same rule for ipsec VPN but without NAT, only on FG I see only one SDWAN interface. So if I don't set NAT then WAN2 works, and if I don't set NAT then IPSEC works. I watched a tutorial for SDWAN with two VPNs, but that is not applicable here. Fortigate 60f and 7.0.13 firmware on board.
Solved! Go to Solution.
NAT or no NAT is NOT in the SD-WAN rules but in FW policies, right? Then why can't you separate policies by the destinations (specific ones and the rest) then set the first one without NAT and the second one for the rest (any) with NAT?
Toshi
Hi,
You might want to create a different sdwan zone, one for overlay and another for underlay network.
Hi le00nek,
You can use Zone in SDWAN to separate wan members , in your setup you can use
Zone > Underlay to Wan1 and Wan2 member
Zone > Overlay IPSec1 and IPSec2 member
Then you can reference the policies to your SDWAN Zone according your NAT requirements.
Regards
NAT or no NAT is NOT in the SD-WAN rules but in FW policies, right? Then why can't you separate policies by the destinations (specific ones and the rest) then set the first one without NAT and the second one for the rest (any) with NAT?
Toshi
SDNWA rules just to steer traffic from one zone to another.
The firewall policy to configure security options, you can enable SNAT on it.
You may refer to below guide on how to separate Internet and VPN into SDWAN Zone.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984...
I also suggest not to use 0.0.0.0/0 (all) on your IPSEC VPN static route.
Thank you all for your quick response. Actually it was enough to change the destination and now everything works. I guess I was a little frazzled yesterday. I'll do some more lab with the two SDWANs. Thanks a lot !!!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.