I saw several similar problems on this forum, but not exactly like this.
So,
I have ISP1, ISP2 and ISP3 links. The first two are in SD-WAN mode, and I use them for surfing. ISP3 is used for the business network. My branch office uses a site-to-site VPN and connects over ISP3.
My static route is:
0.0.0.0 -> sd-wan
x.x.x.x -> ISP3
... other routes
x.x.x.x is the branch office IP, but it changes dynamically every 24h. So for the VPN to work I have to change the address manually, and this is a problem.
1. I tried replacing 0.0.0.0 -> sd-wan with 0.0.0.0 -> ISP3 and setting SD-WAN in Policy Routes. But I can't add the SD-WAN interface in Policy Routing Rules, only a single interface. So that is not a solution.
2. I tried adding ISP3 as an SD-WAN member and using SD-WAN rules. But if I do this, I can't use the independent interface ISP3 in Firewall Policy. Also not a solution.
Before Fortigate I used Checkpoint, and that vendor has an option to set the outgoing interface for a VPN independently of static routes.
Is there anything like that in Fortigate, and what is the option for this case?
Thanks
Rade
2. I tried adding ISP3 as an SD-WAN member and using SD-WAN rules. But if I do this, I can't use the independent interface ISP3 in Firewall Policy. Also not a solution.
config vpn ipsec phase1-interface
edit "<phase1-name>"
set interface "<outgoing-interface-name>"
next
end
It doesn't matter if it's an SD-WAN member or not. So you can specify any interface, ISP1, 2, or 3.
Toshi
This does not work. I've already put it in; you can't do phase 1 without it.
Created on 01-09-2022 10:18 AM Edited on 01-09-2022 10:21 AM
You still need a default route toward ISP3 since the IP changes. How about a static default route to ISP3 with a high number (lower) priority? That would make the local FGT respond to the remote end when the remote initiates the session. You might need to change the IPsec to aggressive (IKEv1) or dynamic (IKEv2) so the local FGT does not initiate itself, because it would go out via the SD-WAN side. But it would be ignored on the remote end if the remote has "static" IPsec.
2. I tried adding ISP3 as an SD-WAN member and using SD-WAN rules. But if I do this, I can't use the independent interface ISP3 in Firewall Policy. Also not a solution.
Solution 2 helped, so I had to create a new SD-WAN zone with only ISP3; the first zone is (ISP1+ISP2). In static routes I have:
0.0.0.0 -> zone1
0.0.0.0 -> zone2
with the same priority,
and in SD-WAN rules I have rules for local traffic to go over zone1.
Thanks
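To make the layout Rade ended up with concrete, here is an added FortiOS CLI example (FortiOS 7.0-style syntax). It is not configuration from this thread or from Fortinet, and the port names, gateway addresses (RFC 5737 documentation ranges), zone names, LAN subnet and VPN name are assumptions. ISP1 and ISP2 sit in one SD-WAN zone, ISP3 sits in a second single-member zone, both zones get a default route with the same distance and priority, an SD-WAN rule steers LAN-originated internet traffic over the first zone, and the IPsec phase1-interface is bound to ISP3's port as Toshi described, with a dynamic remote gateway because the branch address changes every day.

```fortios
# Added example, not from the thread. Port names, gateway IPs, zone names,
# the LAN subnet and the VPN name are assumptions.

# Address object used by the SD-WAN rule to match LAN-originated traffic.
config firewall address
    edit "LAN-net"
        set subnet 10.10.0.0 255.255.0.0
    next
end

config system sdwan
    set status enable
    # Zone 1 = ISP1 + ISP2 (surfing), zone 2 = ISP3 only (business / VPN).
    config zone
        edit "virtual-wan-link"
        next
        edit "isp3-zone"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "port2"
            set zone "virtual-wan-link"
            set gateway 198.51.100.1
        next
        edit 3
            set interface "port3"
            set zone "isp3-zone"
            set gateway 192.0.2.1
        next
    end
    # LAN internet traffic is pinned to members 1 and 2 (zone 1); anything
    # not matched here, including the FortiGate's own IKE/ESP, falls through
    # to the routing table.
    config service
        edit 1
            set name "lan-internet-via-isp1-isp2"
            set mode manual
            set src "LAN-net"
            set dst "all"
            set priority-members 1 2
        next
    end
end

# Two default routes with equal distance/priority (defaults left unchanged),
# one per zone, so ISP3 is a valid next hop for replies to the branch peer.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "virtual-wan-link"
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "isp3-zone"
    next
end

# Phase 1 bound to the ISP3 port; dynamic type because the branch public IP
# changes, so the branch initiates and this side only answers on port3.
config vpn ipsec phase1-interface
    edit "branch-vpn"
        set type dynamic
        set interface "port3"
        set ike-version 2
        set proposal aes256-sha256
        set psksecret <preshared-key>
    next
end
```

Once port3 is an SD-WAN member it can no longer be referenced directly in firewall policies; policies for business traffic use the zone "isp3-zone" instead, which with a single member is functionally the same as the independent ISP3 interface the original question asked for. The phase1 still needs the usual phase2 selectors and firewall policies to and from the "branch-vpn" tunnel interface, which are omitted here.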
For 2., why do you have to set a separate policy for the VPN traffic to ISP3? You have a set of policies for the VPN toward SD-WAN, but they would never apply to traffic going to ISP1 and ISP2, because the matching traffic never goes in that direction based on the SD-WAN rules for the VPN.
Copyright 2024 Fortinet, Inc. All Rights Reserved.