IPSEC & SSLVPN Loopback Interface connection for redundant WAN connectivity
I have been playing around with the VPNs on my FortiGates and was able to get a connection up and traffic flowing with no problem. My goal, though, is to allow the VPN connections to use my SD-WAN interface (2 x 1 Gbps links) so that I can get some type of redundancy on the VPN side. My initial goal is FortiClient connectivity for my users, but once the transition is completed, I do want to look at site-to-site VPN for some remote locations.
It was suggested to me to create a loopback interface, since you cannot point a VPN configuration at an SD-WAN interface. Is that the best way to achieve my redundant link? Is there anything else, or could someone give my config a quick look so I can apply it to my environment?
I can definitely try pointing you in the right direction. Hopefully the way I achieve it is the recommended way :) I'm sure others can chime in if they see something wrong.
For me, I wanted to have the VPN portion on its own public IP (we have a full class B, so that isn't an issue). I'm sure you could apply this config with a NATed IP if you had to.
Step 1 - Create your loopback interface and assign it the IP of your choice, apply the WAN role, and allow PING temporarily to be sure you can reach the interface from outside (tested in Step 6).
Step 2 - Create an address object for your loopback interface IP (optional).
Step 3 - Create a static route using a named address, with Destination set to the loopback address you just created (or insert the IP), Device being your LAN interface (in my case, I have an LACP connection to my core), and Gateway 0.0.0.0.
Step 4 - Create your IPsec (or SSL VPN) tunnel and point its interface to the loopback interface you created in Step 1. To start, I simply went through the IPsec wizard, followed the instructions, and assigned a local account to allow access.
Step 5 - Create your IPv4 policy to allow external access to the loopback interface (the IKE, HTTPS and PING services suffice to allow IPsec and SSL VPN and your ping test). This has your SD-WAN as the incoming interface and the loopback interface as the outgoing interface. In my case, NAT was turned off as I am using a public IP.
Step 6 - Confirm you can ping your loopback interface.
Step 7 - You should have 3 IPv4 policies for this to work:
The new policy from your SD-WAN to the loopback interface.
The policy created from your IPsec tunnel to your LAN interface, with your client VPN subnet as the source.
The policy created from your IPsec tunnel to your SD-WAN interface, with NAT turned on using the outgoing interface address.
Hopefully I didn't forget anything. If you have any other questions, don't hesitate to let me know.
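The steps above, written out as a FortiOS CLI script. This is an added example, not the poster's configuration or a Fortinet reference config; every name and address in it is an assumption: the loopback is "vpn-lo" with 203.0.113.10/32 (RFC 5737 documentation range), the LAN interface is "lan", the SD-WAN interface is "virtual-wan-link" (the name FortiOS 6.4/7.x gives it; check yours with `get system interface`), the dialup tunnel is "fc-dialup" handing out 10.212.134.0/24 to a user group "vpn-users". Step 3's static route is left out: the loopback /32 shows up as a connected route on the FortiGate, so check `get router info routing-table all` before deciding whether you need one.

```fortios
# Added example. Assumed names: vpn-lo, lan, virtual-wan-link, fc-dialup, vpn-users.

# Step 1: loopback with a public /32, WAN role, PING allowed only for the Step 6 test
config system interface
    edit "vpn-lo"
        set vdom "root"
        set type loopback
        set ip 203.0.113.10 255.255.255.255
        set allowaccess ping
        set role wan
    next
end

# Step 2: address objects for the loopback IP and the FortiClient pool
config firewall address
    edit "vpn-lo-addr"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "fc-pool"
        set subnet 10.212.134.0 255.255.255.0
    next
end

# Step 4: dialup IPsec bound to the loopback, not to an SD-WAN member.
# IKEv1 aggressive + XAuth is what the FortiClient wizard builds; for IKEv2 use
# "set ike-version 2" with "set eap enable" instead of xauthtype.
config vpn ipsec phase1-interface
    edit "fc-dialup"
        set type dynamic
        set interface "vpn-lo"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "vpn-users"
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.200
        set ipv4-netmask 255.255.255.0
        set dpd on-idle
        set psksecret "replace-with-a-long-random-psk"
    next
end
config vpn ipsec phase2-interface
    edit "fc-dialup"
        set phase1name "fc-dialup"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# Optional: SSL VPN listening on the same loopback (this is why HTTPS is in policy 1)
config vpn ssl settings
    set source-interface "vpn-lo"
    set port 443
end

# Steps 5 and 7: the three policies
config firewall policy
    edit 0
        set name "sdwan-to-vpn-lo"
        set srcintf "virtual-wan-link"
        set dstintf "vpn-lo"
        set srcaddr "all"
        set dstaddr "vpn-lo-addr"
        set action accept
        set schedule "always"
        set service "IKE" "HTTPS" "PING"
        set nat disable
    next
    edit 0
        set name "fc-to-lan"
        set srcintf "fc-dialup"
        set dstintf "lan"
        set srcaddr "fc-pool"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "fc-to-internet"
        set srcintf "fc-dialup"
        set dstintf "virtual-wan-link"
        set srcaddr "fc-pool"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Two checks before calling it done. First, the redundancy only exists if both SD-WAN members actually receive traffic for 203.0.113.10: the /32 has to be reachable through either upstream (straightforward when the block is your own, as the poster's class B is; with provider-assigned addresses on each link you would need a VIP per link instead). Watch IKE arrive on the loopback with `diagnose sniffer packet vpn-lo 'udp port 500 or udp port 4500' 4` and confirm the tunnel with `diagnose vpn ike gateway list`. Second, once the Step 6 ping works, take PING back out of both the interface (`unset allowaccess` under the loopback) and the first policy's service list, so the only thing the public address answers is IKE and, if you use it, HTTPS.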