- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SD-WAN Internet Traffic over IPSec VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SD-WAN Internet Traffic over IPSec VPN
I found a heap of posts discussing how to configure, route, and allow Branch internet traffic over an IPSec VPN to HQ, to utilise the HQ internet connection. I cannot, however, find any posts that discuss my specific situation and issue.
HQ Site - FortiGate 100F
Branch Site - FortiGate 100F
In my scenario, the Branch site and HQ site both have their own independent internet connections, as well as a direct site-to-site fibre link. The HQ site has an FTTP connection that I'd like to have both sites using, but should either the FTTP connection or the site-to-site fibre link go down, I'd want the Branch internet traffic to then go out its own internet connections.
I configured a /30 subnet for each end of the site-to-site fibre link (10.10.10.1 <> 10.10.10.2), created an IPSec VPN to secure the traffic, configured the required routes, firewall policies, etc, and got the LAN traffic routing properly.
Because I want the Branch internet traffic to use the HQ FTTP connection primarily but also have the ability to use the Branch internet connections in the event of either a HQ FTTP failure or a site-to-site fibre link failure, I figured I would need to add the site-to-site fibre link to the SD-WAN I created on the Branch FG that handles the internet connections... however... I already have the site-to-site fibre link IPSec VPN interface in another SD-WAN that manages the site-to-site LAN traffic. This SD-WAN consists of multiple site-to-site IPSec VPNs between the two sites including the site-to-site fibre link IPSec VPN to allow for better traffic management, load balancing, scalability, flexibility, and redundancy.
This being the case, I added the site-to-site fibre link interface (not the IPSec VPN interface) to my Branch SD-WAN managing the internet traffic. Ideally, we'd prefer the internet traffic to also traverse the site-to-site fibre link IPSec VPN, but not essential, and can't see any way of achieving that currently, so not a big deal.
Here's my issue - I cannot get the internet traffic at the Branch site to tranverse the site-to-site fibre link and go out the HQ FTTP connection.
At the Branch here's what I've configured:
- SD-WAN Member defined using the site-to-site Fibre link interface (10.10.10.2/30) with the gateway configured as 10.10.10.1 (tried 0.0.0.0, didn't work either)
- Added site-to-site Fibre link interface SD-WAN Member to the SD-WAN that manages the Branch internet traffic
- Default Static Route directing traffic to the SD-WAN that manages the Branch internet traffic
- Firewall policy allowing traffic from a test device at Branch to the Branch SD-WAN that manages the internet traffic
- Central SNAT policy defining all traffic from a test device at Branch to the site-to-site fibre link interface to have NAT disabled
At HQ:
- Site-to-site Fibre link interface (10.10.10.1/30)
- Default Static Route directing traffic to the SD-WAN that manages the HQ internet traffic
- Firewall policy allowing traffic from a test device at Brance to the HQ SD-WAN that manages internet traffic
- Central SNAT policy defining all traffic from the Branch test device to the HQ FTTP connection to have NAT enabled
The traffic appears to be going out the Branch firewall policy, but the HQ firewall policy does not show the same traffic. I've checked the implicit Deny policy at the HQ end, but it doesn't show the traffic either.
Any insights would be greatly appreciated :)
Labels:
- Labels:
-
FortiGate
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello gilmourspace,
Thank you for your detailed explanation.
I believe flow debug outputs for the above case will give us some idea of what is happening exactly at the backend.
Hence please collect the below command outputs from both devices
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr x.x.x.x
diagnose debug flow filter proto 1
diagnose debug flow trace start 1000
diagnose debug enable
NOTE: x.x.x.x is the destination IP.
Please make sure you initiate ping traffic only as the filter is applied for ICMP only in the above debugs.
Regards
Nagaraju.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi knagaraju,
Thanks for the reply. After running those diags and checking the routing table, it seems the site-to-site fibre link interface has been excluded in the routing table for some reason... The other members of the internet SD-WAN are there, but the site-to-site fibre link is not. Will continue to investigate today. Thanks for your assistance, I'll update this thread once the issue has been resolved :)
Related Posts
- sd-wan issue 43 Views
- Force the routing of a domain... 113 Views
- FortiGate Inspection mode used on the... 206 Views
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 281 Views
- Connect Fortigate to internet with 2... 256 Views
Labels
-
FortiGate
6,535 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.