5. Adding an IPSec VPN tunnel to SD-WAN for MPLS Failover

  • Published on 28 Jun 2024
  • I finally got it to work! In this video we add an IPSec VPN tunnel to the SD-WAN and use it for MPLS Failover!
    It's long and kinda all over the place, so I apologize! Also, this will be the last video I do for a bit, but I promise to keep adding to this topology so we can test out SD-WAN rules and also include the branch office.
  • Science & Technology

Comments • 35

  • @AhmadSwailem 2 years ago +2

    Dude, why did you stop these videos!!!
    You are an awesome instructor.
    Thank you, wherever you are ❤

  • @TheDervMan 3 years ago +1

    Excellent video demonstrating SDWAN IPSec integration. Really enjoyed your sense of humour too. Thanks for sharing.

  • @leanderjanlargo5690 4 years ago

    Good job Devin! This is an awesome video! Thank you for making this tutorial!

  • @danielplasencia2031 3 years ago

    Your videos are awesome! Great job!

  • @muhammadhd9558 3 years ago

    Thanks Devin for this video... Though I know it's challenging, I am certain through the video that you're gonna do this.

  • @oleksandrlytvyn532 3 years ago

    Thank you for video. It was useful and fun :-)

  • @RK-ly5qj 4 years ago +2

    Great videos! Keep it up!

    • @DevinAdams 4 years ago +1

      They are definitely far from great but thank you! I mentioned several times I'm not a TH-camr and it really shows when I wing these videos. But I make them public just in case someone else will find some value out of them. Regardless thanks for the encouragement!

  • @alenuska7 4 years ago

    Thank you truly, that helped a lot.

  • @allwynmasc1 2 years ago

    I tried this setup in my GNS lab and can see that you don't need a firewall policy that allows traffic from the MPLS and VPN interface to the remote server IP.
    E.g., if you add the DC Fortigate inside IP or a server present on the LAN side of DC as the target IP on the performance SLA on the HQ Fortigate, then on the HQ Fortigate you don't need to explicitly create a policy that allows this traffic, because this traffic originates from the outside interfaces. You only need to create a policy to allow this traffic on the DC Fortigate to allow it to reach the LAN, as you have shown. Great videos btw.

  • @arcadesunday4592 3 years ago

    Thanks VERY MUCH for this video series, as the official Fortinet video is not very helpful at all! I've got a similar scenario to this in real life, so will hopefully get it going soon, and make my client happy... Appreciate your work in putting this together.

  • @sullimd 4 years ago +4

    I've been labbing this exact scenario from my home network using a 200D, 100E, and 60E. But I'm trying to use OSPF for all of the routing, including over IPsec. It gets really confusing which interfaces need gateways in the SDWAN interfaces, since I'm getting all of the info from OSPF.... And you're correct, I think there's a TON of functionality, but Fortinet's documentation sucks horribly. They "demo" the easiest scenarios, and have basically nothing for more complex scenarios. Edit: and I've been doing Fortigate stuff as a reseller for 10+ years. I basically have to figure out everything on my own.

    • @76tigga 2 years ago

      How are you getting the Fortigate images to import into GNS3? I know that getting images for Cisco devices is pretty hard, unless you work for Cisco or a reseller. Same thing with Palo Alto.

  • @thejakea 4 years ago

    Did you have to add another static route pointing to the DC subnet before testing the failover from HQ at the 27:37 mark? Thanks for sharing these videos, they have been incredibly helpful to me.

    • @DevinAdams 4 years ago +2

      Maybe? I know that's a bad answer but I can't remember off the top of my head. I think the SDWAN might do it for you but I always do it out of habit due to Reverse Path Forwarding.

  • @JonathanLopez-xs3si 4 years ago

    Hi Devin, another excellent video. I have a question: does the VPN location map feature work? Because when I select it an issue appears: "unable to load VPN at this time". Maybe you know the reason, or this feature isn't available on the VM trial version?

    • @DevinAdams 4 years ago

      Yeah, I think the trial VMs might have too low of a crypto to even load up Google Maps. Also it doesn't matter because in our lab environment we're using fake public IP addresses (by using private ones, of course), therefore they never show up on the map. It uses the geodatabase for the location, which isn't even updated in the trial.

  • @magraopb 11 months ago

    Nice man!!
    Let me know..
    Is it possible to navigate to the internet from BO to HQ if IPSec or MPLS is going down?
    If yes, which configuration must be done in addition to the existing ones?

  • @hirenpatel2678 3 years ago

    Thanks for this video man. You could've cloned reverse for that rule :P

  • @MrWaxYL 2 years ago

    In this scenario with SD-WAN for both Internet and IPSec to HQ, can we load-balance the HQ to DC traffic as well? Not just have an active-backup scenario where, when MPLS is degraded, traffic goes to IPSec.

  • @tymastermind 3 years ago

    HEY guy! Can I combine 4 WANs into the Fortigate firewall?

  • @saulvilcavillena1324 2 years ago

    Thanks for sharing the video. I have a query: to avoid interacting with the internet SD-WAN, could I create an SD-WAN for MPLS? And lastly, is there another way to switch to VPN without using SD-WAN?

  • @Alexandrebluenote 4 years ago

    Hi Devin, I've done this setup and it's great! But there is a thing which I can't do: I've created a guest network and set it to go through the SD-WAN interface, then the internet is accessed via the VPN tunnel instead of going straight to the WANs. Do you know how I can achieve it?

    • @DevinAdams 4 years ago +1

      I am glad that you got it up and running! If you check out my playlist, Fortigate 6.2 demos, I recorded a video in there that explains this very problem and how to fix it. Basically the problem is that when you add the VPN tunnels into the SD-WAN, they are included in the implicit load balancing rule at the bottom of the SD-WAN rules. You have to write the rules to catch the networks you don't want going through the VPN tunnels before it gets to the bottom. The videos in that playlist demo this. I hope that helps, and good luck!

    • @Alexandrebluenote 4 years ago

      @DevinAdams Thank you, I appreciate that very much

  • @haffizkurnia 4 years ago

    I still can't establish the VPN connection, sir. Did you add some configuration on the CentOS side?
    Previously I used a c7200 router as the WAN, then I replaced it with CentOS 7.

    • @DevinAdams 4 years ago +2

      Nope, the CentOS is just routing. Check the log files and see why the VPN isn't establishing. If no logs, use "diagnose debug application ike 63" and make sure packets are getting there.

    • @haffizkurnia 4 years ago

      Solved, thanks.
      I added this configuration on CentOS (WAN):
      iptables -F
      iptables -t nat -F
      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  • @300worms 2 years ago

    How did you achieve this without creating any route?

  • @fasalrahman2775 2 years ago

    MPLS used static routes in the HQ and DC firewall.
    IPsec: I didn't see any routing configured?
    I.e., if MPLS is down, how come the HQ firewall knows the datacenter subnet?

    • @allwynmasc1 2 years ago +1

      You add the IPsec interface in the SD-WAN zone. You specify the remote IPsec interface IP as the next hop; this is added as a default route. Then you create an SD-WAN rule to send LAN-to-LAN traffic through the VPN/MPLS interface, so the firewall knows how to route the traffic. Hope I was able to answer your question.

  • @habibbalde2488 2 months ago

    Hey Devin, thanks for sharing, we love it. Please can you help me? I can't ping from PC4 of DC to PC1 of HQ. Help me.

  • @jetendrakumar5733 1 year ago

    Bro, you should have slept first and then made the videos ...