Dears,
I have built an SD-WAN project for one of my customers that has 2 WAN links (ISP1 with public IP, ISP2 F5 modem). When I came to the VPN configuration to connect all branches, I used to go with a dial-up hub and spoke. I have created the VPN in the normal way from the VPN category.
I have seen a document that was explaining how to create VPN under SD-WAN, as in the link below, but I'm still not sure if that scenario is helpful to my case, as I have 2 WANs, only one of them with a public IP. I'm not sure what the difference is between creating the VPN from the VPN category or from SD-WAN to be added as a member!?
Please can anyone explain and advise about the difference if we have 2 public IPs, or in my case 1 public and 1 5G modem with a private IP.
Thanks
Well, if the public IP is directly on the WAN interface of the FortiGate you can connect directly.
In the other case you have a hop in between (modem), so the FortiGate does not directly have the public IP of this WAN. For IPsec that means that you may have to forward 500/udp (IPsec) and probably 4500/udp (NAT-T) on that modem to your FortiGate to be able to connect that IPsec.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Dear osaleem2_10,
If one of the ISPs provides a private IP address, make sure that DDNS is configured on your HUB, so you can use an FQDN on the spokes, because you are not sure when the ISP will change the public IP address.
A useful KB on how to configure DDNS you can find below:
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/685361/ddns
Like sw2090 mentioned, setting NAT-T to 'forced' will be good as well.
Regarding the setup, first configure the IPsec and then add it to the SD-WAN configuration.
Best regards,
Fortinet
I appreciate your reply. It's clear, thanks. But still, I'm not sure about the VPN point.
Does configuring the VPN as a member under SD-WAN, or in the normal way from VPN tunnel, make any difference?
@osaleem2_10 , the order is:
- configure the VPN (phase-1/phase-2); a VPN interface will then be created automatically
- once the VPN interface is created, you can add it as an SD-WAN member to one of the zones.
As long as you don't want redundancy/failover there is no need for SD-WAN.
If you need/want redundancy/failover, then SD-WAN is the easiest way.
Just configure two IPsecs that have the same destination (p2 quick selectors) and create an SD-WAN zone with these as members. Then just create an SD-WAN rule for the zone to tell SD-WAN when to use which IPsec (do load balancing or just failover etc.) and then just set a route to your destination(s) using the SD-WAN zone as interface. Then you just need some policies to allow traffic (plus the IPsec will not come up if there is not at least one policy referring to it) and that's it.
SD-WAN will then take care of the routing corresponding to its rules.
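As an added example (not from any post in this thread), this is a spoke-side FortiOS 6.4+ CLI fragment for the setup described above: two site-to-site tunnels to the hub, one to its public IP and one to a DDNS name behind the 5G modem with NAT-T forced, both with identical phase-2 selectors, placed in one SD-WAN zone that a single static route points at. All names and addresses (HQ_ISP1/HQ_ISP2, wan1, 203.0.113.10, hub.example.ddns.invalid, 10.20.0.0/24 spoke LAN, 10.0.0.0/24 hub LAN, zone hq_vpn) are assumed placeholders, and the hub needs the mirrored tunnel configuration.

```fortios
# Added example, not from the thread; all names and addresses are assumed
config vpn ipsec phase1-interface
    edit "HQ_ISP1"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set psksecret <replace-with-strong-PSK>
    next
    edit "HQ_ISP2"
        set interface "wan1"
        set type ddns
        set remote-gw-ddns "hub.example.ddns.invalid"
        set nattraversal forced
        set psksecret <replace-with-strong-PSK>
    next
end
config vpn ipsec phase2-interface
    edit "HQ_ISP1"
        set phase1name "HQ_ISP1"
        set src-subnet 10.20.0.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
    edit "HQ_ISP2"
        set phase1name "HQ_ISP2"
        set src-subnet 10.20.0.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
end
config system sdwan
    set status enable
    config zone
        edit "hq_vpn"
        next
    end
    config members
        edit 1
            set interface "HQ_ISP1"
            set zone "hq_vpn"
        next
        edit 2
            set interface "HQ_ISP2"
            set zone "hq_vpn"
        next
    end
end
# One route to the hub LAN via the zone; a tunnel that is down drops out of it
config router static
    edit 1
        set dst 10.0.0.0 255.255.255.0
        set sdwan-zone "hq_vpn"
    next
end
```

Firewall policies between the LAN and the hq_vpn zone are still required, and the modem in front of the hub's second WAN must forward UDP 500 and 4500 to the hub FortiGate for HQ_ISP2 to come up. Without an SD-WAN rule, traffic to 10.0.0.0/24 is balanced across the members that are up; add a rule with priority-members if one tunnel should be preferred.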
Oh, forgot to mention: SD-WAN VPN will not work correctly with dial-up tunnels, at least when they are in interface mode, because it cannot correctly determine the tunnel statuses due to dial-up connections being enumerated.
Thanks for your reply. This was my concern.
Regarding my VPN, actually I don't need VPN redundancy. I only need to connect some branches "spokes" to my HQ "hub". I was using dial-up VPN, not ADVPN, as there is no need for spokes to have a direct connection to each other, only to the hub. As you mentioned, that's not correct. Kindly let me know the replacement solution.