Mastering Site-to-Site IPSec Tunnel & SD-WAN Setup on Fortigate

  • Published on 25 Jun 2024
  • Learn how to configure a Site-to-Site IPSec Tunnel & SD-WAN with this step-by-step tutorial using FortiGate. Master the basics of FortiGate, SD-WAN, and IPSec VPN in one video! Dual site-to-site IPSec tunnels and basic SD-WAN configuration with 2 tunnels as member interfaces.
    ====================
    Chapters
    ====================
    00:00 Intro
    0:12 Intro, Topology and Objectives
    1:40 Initial verifications
    3:00 Remote Fortigate firewall - Primary IPSec VPN Tunnel, static route & Firewall Policy
    9:44 Local Fortigate firewall - Primary IPSec VPN Tunnel, static route & Firewall Policy
    16:19 Verify Fortigate VPN tunnel status and reachability between sites
    17:14 Local Fortigate firewall - Secondary IPSec VPN Tunnel interface, static route & Firewall Policy
    23:26 Remote Fortigate firewall - Secondary IPSec VPN Tunnel, static route & Firewall Policy
    28:18 Remote Fortigate Firewall - Validating traffic flow over separate IPSec Tunnels
    30:21 Create SDWAN on Fortigate Firewall: Critical basics for successful operation
    #fortigate #cybersecurity
  • Science & Technology

Comments • 44

  • @lumkagxara443
    @lumkagxara443 2 months ago +2

    OMG! A South African!!!! Subscribed the moment I heard "My name is Tebogo". I want to recreate our SD-WAN, hoping to get insight from your channel.

    • @staticroute
      @staticroute 2 months ago

      Hi sis, thank you 🤣

    • @staticroute
      @staticroute 2 months ago

      This particular video is up for a redo, I definitely plan to go deeper on SDWAN because there’s so much to it.

  • @beitchigumba2756
    @beitchigumba2756 1 year ago +1

    Great work Tebogo

  • @tambahako628
    @tambahako628 1 year ago

    South Africa or Zimbabwe? Good to see a brother from Southern Africa doing the same thing. First time watching and just subscribed :)

    • @tebogomareka
      @tebogomareka 1 year ago +2

      Thank you Tamba, I’m from SA.

  • @anilbeharry
    @anilbeharry 1 year ago +1

    Thank you for this terrific video. It is one of the better ones, with such clarity, detail and nice easy pace.
    I wanted to ask, as I notice you did not delete them, whether it is necessary to keep the original static routes that were configured first, before the SDWAN routes were configured, or whether only the SDWAN routes are required?
    Keep up the good work.

    • @staticroute
      @staticroute 1 year ago

      Hi Anil
      Remember the order of priority: SDWAN & PBR have a higher priority and are processed first, before static and dynamic routing protocol routes… every time!
      Also, please think of SDWAN as the overlay technology that it is. All overlay technologies require underlay infrastructure, so our physical layer must be converged and have full reachability in order for SD-WAN or VPN to function.

  • @felipequesada427
    @felipequesada427 1 year ago

    Great video! One of the best I could find!
    I have one doubt though:
    I have a project that will use basically the same structure you build here. Multiple sites with two or three IPSec VPNs connecting to our DC using SDWAN. My question is: is there a chance, and what is the impact, that the inbound traffic uses one tunnel and the outbound uses another? If yes, does the FortiGate have a better way to organize the packets in case they arrive in a different order? I'm asking because we use very sensitive applications that will not work as expected in case this problem happens.
    I tried to set up a lab on EVE, but the FortiGates' license expired and I couldn't continue my studies. Do you know if there is a way to extend or completely reset the appliances?
    Thanks again for your videos. Keep up the good work.

    • @staticroute
      @staticroute 1 year ago

      Hi Felipe
      Thank you for checking out my videos.
      The FortiGate divides traffic equally between the interfaces included in the SD-WAN interface. But by default, sessions that start at the same source IP address use the same path, so all you need to do is make sure that when you select your load-balancing method you specify source IP; in the CLI it’s “source-ip-based”. Then you should be fine.
      Another thing you can do is play with the weights of your individual member interfaces to prefer a certain interface within the bundle.
      Also, you can create rules to force specific traffic over a certain SD-WAN interface member with another interface as fallback.
      Fortinet has made it sooo very granular to deploy SD-WAN. Let me know when you’ve come right; otherwise I could prepare another lab going deeper into SD-WAN, specifically addressing your config scenario.
      Best of luck
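The three knobs named in the reply above (source-IP-based load balancing, member weights, and a manual SD-WAN rule with a fallback member), as an added FortiOS CLI example that is not from the video or from Fortinet's documentation; the tunnel interface names VPN1/VPN2, the zone name "overlay", the address objects Branch_LAN/DC_LAN and the 10.10.0.0/16 prefix are assumptions, and the syntax follows the FortiOS 7.x `config system sdwan` tree.

```fortios
# Added example, not from the video. Assumes two IPsec tunnel interfaces
# VPN1 and VPN2 that already carry branch traffic on their own, and
# firewall address objects Branch_LAN and DC_LAN. Any firewall policy that
# names VPN1 or VPN2 directly must be removed first; policies then
# reference the SD-WAN zone instead. FortiOS 7.x CLI syntax.
config system sdwan
    set status enable
    # Sessions from one source IP always pick the same member, so a
    # flow's outbound packets are not spread over both tunnels.
    set load-balance-mode source-ip-based
    config zone
        edit "overlay"
        next
    end
    config members
        # weight is only consulted when load-balance-mode is weight-based
        edit 1
            set interface "VPN1"
            set zone "overlay"
            set weight 2
        next
        edit 2
            set interface "VPN2"
            set zone "overlay"
            set weight 1
        next
    end
    # Manual-mode rule: DC-bound traffic uses VPN1; VPN2 only if it fails.
    config service
        edit 1
            set name "Branch-to-DC"
            set mode manual
            set src "Branch_LAN"
            set dst "DC_LAN"
            set priority-members 1 2
        next
    end
end
# Route the DC prefix (placeholder 10.10.0.0/16) via the zone. The older
# static routes pointing at VPN1/VPN2 for the same prefix must be deleted
# first, or the CLI rejects this as a duplicate SD-WAN/non-SD-WAN route.
config router static
    edit 10
        set dst 10.10.0.0 255.255.0.0
        set sdwan-zone "overlay"
    next
end
```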

  • @user-sc4gn4uh9h
    @user-sc4gn4uh9h 5 months ago +1

    Greatest video on FortiGate SDWAN with IPsec.
    I have to do a similar thing with 2 IPsec VPNs on two WAN links. In our environment all the data goes through these VPNs to the DC and then to the internet.
    I understand the way you do it, but in my case as soon as I plug in the second WAN link the internet stops working for WAN1. Am I missing something? Do I have to create SDWAN first for the WANs, or set a priority for the second WAN? Maybe I am missing something. Can you guide me?

    • @staticroute
      @staticroute 5 months ago

      Hello @user-sc4gn4uh9h
      Thank you for supporting the channel, I appreciate your comments.
      Basically, your Branch wan1 and wan2 interfaces (Underlay) must already be working.
      If you have 2 tunnel interfaces (which will be your SDWAN underlay), they must also individually be working and capable of handling all branch traffic. That way, when you make them SDWAN members, they continue as normal.
      I suggest you test it out in GNS3 to see where it could be failing. If you need some help, send me a Zoom invite and we could look at your GNS3 setup and get that working.

  • @ch-mg2us
    @ch-mg2us 1 year ago +1

    I would like to ask you: before establishing IPsec, do you need to establish the default route to the WAN first?

    • @tebogomareka
      @tebogomareka 1 year ago +1

      Hi ch
      Yes, you must be able to reach the public address of the remote site.

    • @ch-mg2us
      @ch-mg2us 1 year ago

      @tebogomareka But I see that there is no IP of the opposite station in your route.

    • @tebogomareka
      @tebogomareka 1 year ago +1

      To illustrate this point further, I’m going to publish a video on ADVPN and I will strongly highlight the role and requirement for internet connectivity.

    • @staticroute
      @staticroute 1 year ago +1

      @ch-mg2us Hi ch
      I want to make sure that I have answered you to your satisfaction, so I will do my best to explain in point form.
      1. In my setup, the 2 sites have 2 individual internet connections.... (very important)
      2. Each of the sites can reach the other site via the "ISP".
      3. Tunnel interfaces themselves do not have IP addresses, but please note the following 2 important facts: 1) a tunnel interface configuration does reference the WAN IP address of the remote firewall (which is reachable via the ISP and therefore the default route), and 2) the tunnel interface configuration does specify the associated interface, which is a WAN interface on the local device.
      A site-to-site VPN tunnel interface does not need an IP address, only if you're going to use dynamic routing protocols. (I will demonstrate this in my next upcoming ADVPN video.)
      But for more on this topic, please have a look at this resource: docs.fortinet.com/document/fortigate/7.2.0/administration-guide/913287/basic-site-to-site-vpn-with-pre-shared-key

  • @aba-nascu
    @aba-nascu 1 year ago +1

    Hi, thx for the video. In our case we want to create 2 VPNs to our DC. Branch locations have 2 ISPs, already in an SD-WAN zone, and we have 2 VPNs to the DC firewall, but to the same destination IP on our DC firewall. I want to put both VPNs in a separate SD-WAN zone on the branch location only. Any experience with this kind of setup?

    • @staticroute
      @staticroute 1 year ago +1

      Hi Alin
      This sounds like an interesting implementation. I want to lab it up to give you an answer based on first-hand experience.
      Please allow a couple of days for me to put it together; alternatively, if you’ve already found a way, please let me know how you did it.

    • @aba-nascu
      @aba-nascu 1 year ago

      @staticroute First of all thx for taking the time to look into it. At the moment I configured 2 VPNs to the DC, one via WAN1 and one via WAN2. Then I created static routes with different costs and also created SD-WAN policies to first route traffic to the DC via WAN1, and if WAN1 is down they will switch to WAN2 and the second VPN will take over. Of course internet traffic is routed to the SD-WAN zone (load-balanced) WAN1 and WAN2. The only issue is that when the VPN fails over there is about a 10 second timeout. And if the WAN interfaces are flapping then it's "Hell on earth" :-) So that is why I want to put the VPNs also in SD-WAN.

  • @rizwanhaider222
    @rizwanhaider222 1 year ago +1

    Hi, both tunnels are up and working as failover, but when I am trying to create a static route using the SDWAN interface, it's giving me the error "You cannot have duplicated routes on SD-WAN and non SD-WAN interfaces". I am using version 6.4.9.

    • @iterminator987
      @iterminator987 7 months ago

      I think that's because you can only use the SDWAN interface for static routing SDWAN traffic only, not any other traffic.

  • @manojkanjookaran7476
    @manojkanjookaran7476 1 year ago

    Excellent video, thanks. Could you please explain how we set up that cloud, ISP4 and ISP6, on EVE-NG?

    • @staticroute
      @staticroute 1 year ago

      The cloud setup doesn't actually matter. It was not the point of my video. However, I used OSPF as a dynamic routing protocol; you could do the same or use BGP.

  • @TestTest-un7mn
    @TestTest-un7mn 1 year ago

    FortiGate version is 7.0.3...

  • @shiyasshb
    @shiyasshb 1 year ago

    Hi, in my production network only one site has a public static IP. In this scenario, can I create an IPsec tunnel between the two sites and an SD-WAN interface/zone?

    • @staticroute
      @staticroute 1 year ago +1

      Hello there, yes of course.
      First the IPsec tunnel, then SD-WAN. A thing to remember though is that in order for SD-WAN to work, your tunnel interface must not be referenced anywhere by policy.

    • @shiyasshb
      @shiyasshb 1 year ago

      @staticroute For creating the IPsec tunnel, can I give as the remote gateway IP the router interface IP which is connected to the FortiGate WAN port?

    • @staticroute
      @staticroute 1 year ago

      @shiyasshb Hello again. If I understand correctly, you want to know if you are required to give your IPsec tunnel an IP address... The short answer is no... in fact if you have only a single site, you also don't need IPsec.
      Tell me, how many sites are you trying to connect?

    • @staticroute
      @staticroute 1 year ago

      If you have at least 2 sites, you can definitely create an IPsec tunnel between the 2 sites, but your tunnel interface doesn't require an IP address.

  • @thanhnguyeninh9161
    @thanhnguyeninh9161 8 months ago

    Let me ask:
    Is it necessary to set IP tunnels for these VPN lines?
    Thank you very much!

    • @staticroute
      @staticroute 6 months ago

      A site-to-site IPsec tunnel interface doesn’t require an IP address; remote networks are explicitly reachable over a statically defined path that uses the tunnel interface as the exit interface, together with a policy to allow it. You don’t need anything more.

    • @thanhnguyeninh9161
      @thanhnguyeninh9161 6 months ago

      Thank you @staticroute

    • @rjnasr8078
      @rjnasr8078 months ago +1

      @staticroute Could you please explain when the IP addresses are required?

    • @staticroute
      @staticroute months ago

      @rjnasr8078 When the tunnel interface has an IP address, typically used with dynamic routing protocols… I’m preparing a video on that very topic… I hope it will help.

    • @rjnasr8078
      @rjnasr8078 months ago

      @staticroute Yes, thank you. I am trying to understand all this as I have a situation where there are a number of VPN site-to-site links and I need to add another backup 4G link for each site. So I am trying to work out how to do this. In fact some sites will have a Starlink connection for WAN1 and 4G for WAN2. I can't seem to find any info or topology on this kind of setup. I'm still waiting on a 40F with inbuilt 4G to be delivered, but I am also wondering if I can just use a 4G modem connected to the FortiGate. I thought this type of setup would be very popular? If you have any idea how to do this that would be great. Thanks again.