Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
le00nek
New Contributor

Created on ‎02-15-2024 03:00 PM Edited on ‎02-26-2024 03:05 AM By Community Manager

SDWAN with one WAN and IPSEC

Hello colleagues, maybe someone can help. I have configured an SDWAN, which consists of two WAN interfaces. Everything is working properly. I want to force a route to the specified IP addresses through one link and the rest through the other. I configured SD-WAN rules, a rule on the firewall internal-->sdwan with NAT and it works fine. Now on one of them I made an ipsec VPN. Also I added it to SDWAN and I am trying to force the same operation. The problem is that I need to add the same rule for ipsec VPN but without NAT, only on FG I see only one SDWAN interface. So if I don't set NAT then WAN2 works, and if I don't set NAT then IPSEC works. I watched a tutorial for SDWAN with two VPNs, but that is not applicable here. Fortigate 60f and  7.0.13 firmware on board.

 

Labels:
683
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser

Created on ‎02-15-2024 03:20 PM Edited on ‎02-15-2024 03:23 PM

NAT or no NAT is NOT in the SD-WAN rules but in FW policies, right? Then why can't you separate policies by the destinations (specific ones and the rest) then set the first one without NAT and the second one for the rest (any) with NAT?

Toshi

View solution in original post

665
6 REPLIES 6
hjezzapaula
Staff
Staff

Created on ‎02-15-2024 03:10 PM

Hi,

You might want to create a different sdwan zone, one for overlay and another for underlay network.

673
0 Kudos
mricardez
Staff
Staff

Created on ‎02-15-2024 03:11 PM

Hi le00nek,

 

You can use Zone in SDWAN to separate wan members , in your setup you can use

 

Zone > Underlay to Wan1 and Wan2 member

Zone > Overlay IPSec1 and IPSec2 member

 

Then you can reference the policies to your SDWAN Zone according your NAT requirements.

 

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/942095/sd-wan-members-and-zo...

 

Regards

TAC Enginner
669
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎02-15-2024 03:20 PM Edited on ‎02-15-2024 03:23 PM

NAT or no NAT is NOT in the SD-WAN rules but in FW policies, right? Then why can't you separate policies by the destinations (specific ones and the rest) then set the first one without NAT and the second one for the rest (any) with NAT?

Toshi

666
mricardez
Staff
Staff

Created on ‎02-15-2024 03:30 PM

SDNWA rules just to steer traffic from one zone to another.

 

The firewall policy to configure security options, you can enable SNAT on it.

 

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/798274/configuring-firewall-...

TAC Enginner
661
adimailig
Staff
Staff

Created on ‎02-15-2024 06:46 PM

You may refer to below guide on how to separate Internet and VPN into SDWAN Zone.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984...

I also suggest not to use 0.0.0.0/0 (all) on your IPSEC VPN static route.

Best Regards,

Arnold Dimailig
TAC Engineer
637
le00nek
New Contributor

Created on ‎02-16-2024 12:52 AM

Thank you all for your quick response. Actually it was enough to change the destination and now everything works. I guess I was a little frazzled yesterday. I'll do some more lab with the two SDWANs. Thanks a lot !!!

595
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.