FortiGate Site to Site IPsec Aggregate Tunnel

  • Published on 21 Jan 2025

Comments • 20

  • @farzumm 22 days ago

    Thanks for Sharing

  • @mehmetdayanikli1415 2 months ago +1

    thanks for sharing

  • @goba05 9 months ago +1

    great job thank you!

  • @prigipas20 1 year ago +2

    At both sites you have disabled wan2. What will happen if you disable wan1 at the first site and wan2 at the second site? Will you still have connectivity?

    • @verifine-academy 1 year ago +3

      No, there will be no connectivity. This is because in the lab setup that was used in this tutorial, there was no end to end connectivity between wan1 and wan2 at different sites. If you want to have connectivity after disabling wan1 at one site and wan2 at the other site, then the remaining wan interfaces should have end to end connectivity. Thanks for watching.

  • @jh060284 5 months ago

    Hello, thanks for sharing

  • @phutapongsuanyim 10 months ago

    Why did you create a static route for the blackhole interface?

    • @verifine-academy 10 months ago

      A blackhole route is required to drop traffic intended to go through the VPN tunnel silently when the tunnel is down. This prevents the FortiGate from using any existing route, such as a default route, to send the traffic. The traffic will be dropped anyway, but the session will be kept in the route cache for a period of time (default is 1 minute). Thus, even when the tunnel is up again, traffic will continue to use a different outgoing interface instead of the VPN tunnel until the session-TTL expires.
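
The blackhole route described in the reply above, written out as FortiOS CLI. This is an added example, not taken from the video or from the channel's configuration; the aggregate interface name `agg-to-site2` and the remote subnet 10.2.0.0/24 are assumed, and the `#` lines are annotations rather than commands.

```fortios
config router static
    # Primary route: remote LAN via the IPsec aggregate interface.
    # Interface name and subnet are assumed placeholders.
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "agg-to-site2"
        set distance 10
        set comment "Remote LAN via IPsec aggregate"
    next
    # Fallback: same destination, blackholed. Distance 254 keeps this route
    # out of the routing table while the tunnel route above is active.
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set blackhole enable
        set distance 254
        set comment "Drop remote-LAN traffic when the tunnel is down"
    next
end
```

With the tunnel up, `get router info routing-table all` should show only the aggregate route for 10.2.0.0/24. When the tunnel goes down, the blackhole route takes its place, so traffic for the remote LAN is dropped instead of following the default route out a WAN interface.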

  • @smile841102 1 year ago +1

    What's the difference between SD-WAN VPN and IPsec aggregate?

    • @muhammadmuhsinbaharuddin9554 1 year ago +1

      I would like to know the difference too.
      @verifine please elaborate on this. thank you

    • @YuvalGrimblat 10 months ago

      I have the same question. Very interesting.

    • @verifine-academy 10 months ago

      Aggregate IPsec tunnel is just about redundancy. However, SDWAN gives you the ability to granularly set which links should pass which traffic based on the link quality (like jitter, packet loss, and delay). Also, you can even decide how much volume of traffic should pass on a particular link.

    • @YuvalGrimblat 10 months ago +1

      @verifine-academy Is it OK to configure SD-WAN on the customer side (2 WAN lines, each of which has 2 IPsec tunnels to a different edge datacenter FortiGate FW) and aggregate IPsec on the datacenter side (1 WAN line with 2 IPsec tunnels to the branch)?

  • @jh060284 5 months ago

    What's the difference between SD-WAN and aggregate tunnels?

  • @lavenderfly1955 1 year ago

    Also, I have one tunnel up and one down at a time and it flaps between tunnels, now one is up and the other is down and then vice-versa.

    • @verifine-academy 10 months ago

      Make sure the underlay network for each VPN tunnel is independent of the other; that is, one should not depend on the other to route traffic.

  • @thetpaingtun3563 1 year ago

    Hi bro,
    Does IPsec failover work with different devices, like HQ as a PA firewall and the branch as a FortiGate? Does it work like in this video, bro?

    • @verifine-academy 10 months ago

      No, this is a feature for FortiGate firewalls.

  • @lavenderfly1955 1 year ago

    Not working properly when the branch is a dial-up user.

    • @verifine-academy 5 days ago

      Aggregate IPsec tunnels are for site-to-site IPsec VPN tunnels.