Welcome back to Static Route. I'm your host, this is Tebogo speaking, and today we are going to configure site-to-site IPsec VPN tunnels. We have two offices, each in a different city, a different country, or even a different continent for that matter, and each of these has an internet service provider. We are connecting from Fortigate-2 to the internet via Internet Service Provider-4 and Internet Service Provider-6, and the same for Fortigate-10 in another location; it doesn't really matter who the ISP is. We have two links at each location. What we're trying to do is have PC01 talk to webserver-01, and for us to do that there are three things we need to do. Firstly, we need to create a virtual interface: a tunnel that is going to connect PC01 to web-01, and that interface is of course going to exist on our Fortigate firewalls. We then need to specify which subnets need to communicate, so in this case our source would be LAN10 and our destination would be LAN20, and in the reverse direction of course our source will be LAN20 and our destination would be LAN10. Then we need a firewall policy that's going to say: for this traffic, with this source and this destination, the action is permit.

So without wasting any more time, we're going to connect to PC01, verify the IP address, and also verify that we cannot ping LAN20 where web-01 resides. That's our PC01; our IP address is 10.10.10.100. I'm going to close this; on the webserver, the IP address is 20.20.20.100, and can we ping 10.10.10.100? No, we can't! So we don't have reachability. What we are going to do for starters, since this is the webserver, is start on our Fortigate-10 and create our IPsec tunnel towards LAN10. The IP address there is 20.20.20.10; that's the IP address of the Fortigate on port 4. Okay, so like we said, the first step is to create the IPsec interface itself.
So we go to IPsec Tunnels and create a new one; this we're going to call tunnel-01. The remote gateway in this case is going to be Fortigate-2's "port 1" interface, which is 172.16.12.2, and our outbound interface is port 2. This is IPsec, we are not going to be doing any NATing, and all these settings we're going to leave the way they are. Things like FEC, we're not going to make any changes there. Our pre-shared key has to match on both ends. For the phase-1 proposal I'm going to choose these three Diffie-Hellman groups. For the phase-2 selectors here we have to specify our local LAN address, that's 20.20.20.0/24, and the remote subnet is 10.10.10.0/24, and for the proposal, SHA256 and SHA512; I'm only going to work with those two, so for this one I'm going to select those, and then I'm going to say negotiate "yes".

Okay, the first step is done: we've created the tunnel interface. Now we want to specify our destination, to say that for traffic destined for this destination, your exit interface is the interface we just created. That means we need to create our static route and say 10.10.10.0/24 is our destination and our exit interface is going to be the tunnel interface tunnel-01. Here I'm not going to modify anything either. So now we've got our tunnel interface, we've got our static route, we know how to get to our destination, but we don't have a firewall policy that permits this traffic. I'm going to call it "tunnel-01 Out"; our source interface, where the traffic is going to originate, is "port 4" and our egress interface is "tunnel-01"; the source is LAN20 and the destination is LAN10. I'm only going to allow ICMP in this case, and once again no NAT. So this takes care of the outbound traffic towards the Fortigate-2 side. Now I want to do the same for inbound traffic, in case there's inbound traffic originating from LAN10 towards where we are at web-01. For us to do that we need to create another rule.
We call this one "Inbound"; of course it's going to come in through the "tunnel-01" interface, and our exit interface to reach the webserver is "port 4". The source is LAN10 and our destination would be our local area network, LAN20, and the service ICMP. So as far as this site is concerned, our tunnel interface is configured, the path is configured, and the rules are configured. That means we're done with this side.

Now let's go down to Fortigate-2. From 10.10.10.100, ping 20.20.20.100: no path! Again we're going to create a tunnel interface and name it exactly the same. It's not necessary to name it the same, but I'm going to name it the same just for simplicity. The first thing we do is create the VPN interface, so we go down to VPN, IPsec Tunnels, and Create New. On this side I'm going to call it "Tunnel-01" as well. We choose the Custom option; we want basically everything to be manually created. So from the viewpoint of Fortigate-2 we are connecting to "port 2", which is 172.16.15.10, and we are going out via "port 1" from our Fortigate firewall on this side. I just need to resize the screen. Okay, we disable NAT. We don't change any of the parameters. The pre-shared key has to be the same as the one we typed on Fortigate-10. SHA256, SHA512, the rest are removed; this is phase-1. Our local subnet is 10.10.10.0/24 and the remote subnet is 20.20.20.0/24. I think that is it as far as phase-2 settings are concerned.

Now once again, after creating the tunnel interface we need to use that interface. And how do we use this interface? We basically tell our firewall: to get to the destination, use this interface, and in this case our destination is 20.20.20.0/24. We use the "tunnel-01" interface as our exit interface. Now we need to permit that traffic on "tunnel-01". This is for all the outbound traffic, so our incoming interface is "port 4" where LAN10 resides, and the exit interface is "tunnel-01".
Our source is of course LAN10, the local area subnet where PC01 resides, and our destination is LAN20 where web01 resides. We're only interested in allowing ICMP traffic between these two hosts, so we only allow ICMP and the policy is created. Now at the same time I want to create the inbound rule so that it doesn't matter which side initiates traffic; as long as it's traffic between these two subnets, I want the traffic to flow bi-directionally. We call this one "inbound", and of course the inbound interface will be the tunnel interface and the outbound interface "port 4". The source can only be LAN20 and the destination is of course our LAN; the service is always ICMP, and that is that.

So now we need to have a look at our VPN interfaces to see whether our VPN interface has come up. And indeed it has, so our tunnel interface is up. Now we need to verify that we do have reachability. So remember, this is PC01; let's test the reachability to 20.20.20.100, which we know to be the webserver's IP address, and there we do have reachability. We can also initiate traffic from the other side; let's do that ping again, and now we have full reachability. Okay, so now our VPN tunnel is traversing from Fortigate-2 over "port 1", over the internet, into "port 2" of Fortigate-10 to reach the final destination.

But we also want to create a secondary tunnel using the secondary link, so that we have dual VPN tunnels going from side to side: if one link is dead, then we still have another IPsec tunnel that we can fail over to and start using in the case of a link failure on the primary tunnel. So what we're going to do now is going to be exactly a repetition of what we just did. So now we're back on PC01. Let's create a new IPsec tunnel; this we're going to call tunnel-02, and our destination is 172.16.25.10, and our outbound interface is, yes, port 2. Remember we're not doing any NAT.
Here we'll type our pre-shared key; that takes care of phase-1. We're not going to configure XAuth settings, those are optional. Our LAN is 10.10.10.0/24 and our destination is 20.20.20.0/24 for our phase-2 settings, with SHA256 and SHA512. That takes care of that. So again we need to create a static route to our destination, which is 20.20.20.0/24, saying we want to use the tunnel interface we just created, tunnel-02, and let's create a policy for that. Our incoming interface is "port 4", outgoing interface tunnel-02, then our source, then destination LAN20, and once again we're only allowing ICMP, nothing fancy. So this basically takes care of our outbound traffic. Let's create another rule for inbound traffic. The inbound interface is going to be our tunnel-02 interface, and traffic is going to exit out "port 4". It's going to be coming from LAN20 and going into LAN10, and it's ICMP traffic that we're expecting to see and that we're going to permit. So that takes care of our inbound and outbound traffic on our VPN interface, and we've got a static route. For us to use the secondary link we want to encrypt and secure the traffic over our secondary link, port 2, so we're creating a tunnel interface over there; the policy is to permit, and the static route is to basically point the firewall in the right direction, to the correct exit interface, for the destination. As far as this is concerned, we are done on firewall Fortigate-2.

Now let's get to Fortigate-10 and do a similar config. Remember, the first step is to create your tunnel interface. Like I said, this is pretty much a repetition: tunnel-02, we're going with custom settings, and from this firewall's viewpoint our destination is 172.16.22.2, which is port 2's interface on Fortigate-2, but our exit interface is port 1. As we can see, we disable NAT.
We don't want any of this traffic to be NATted. For phase-1 I'm always going to choose the same Diffie-Hellman groups, 32, 21 and 15, just for this lab. And of course our source is 20.20.20.0/24 with a destination of 10.10.10.0/24. Our phase-2 proposal and phase-2 settings are hidden, so don't forget to activate, or rather configure, your phase-2 settings, because if you don't, phase-1 will come up but your tunnel will stay down, and you will troubleshoot all day long. Okay, the tunnel interface is configured. Let's create our static route: our destination of course is 10.10.10.0/24 and our exit interface is tunnel-02. Now let's permit this traffic. We're going to start once again with tunnel-02 outbound: egress tunnel-02, source LAN20, destination LAN10, ICMP protocol. And we create a rule for inbound; we call it tunnel-02 inbound, basically allowing LAN10 to initiate connections. So our firewall policy is also in place.

Now let's go back and have a look at our IPsec tunnels. It looks like both of them are up, so now we need to test. I guess the simplest way to test this is to go to Interfaces while we're doing a continuous ping to our favorite destination, 10.10.10.100. So we do have reachability there. I'm going to shut down our first tunnel; I'm going to disable this and then see what happens. There was a bit of a pause, so that means the traffic is now going over the second IPsec tunnel, and you can see that if I shut tunnel-02 down as well, the traffic stops, and if I bring up, say, tunnel-02, this will take a moment, but it will come up. Disable this one and enable this one and just wait for a moment. So basically this proves that both IPsec tunnels are up and running and working as expected.

Now, the most elegant solution that I've actually ever worked on is SD-WAN.
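The two ends of tunnel-01 have to agree on the pre-shared key, the proposals and the remote gateway, the phase-2 selectors have to exist on both ends and mirror each other, and each end needs an outbound and an inbound policy. The following Python check is an added example, not part of the video or of FortiGate itself; the endpoint records are constructed from the values used in the lab, with a placeholder for the pre-shared key, and `phase2=None` models the case the video warns about.

```python
from ipaddress import ip_network

# Both ends of tunnel-01 as configured in the lab. Values are constructed from
# the video; the pre-shared key is a placeholder. phase2=None models the case
# the video warns about: phase-1 configured but phase-2 selectors left out.
FGT10 = {"host": "Fortigate-10", "name": "tunnel-01",
         "local_gw": "172.16.15.10", "remote_gw": "172.16.12.2",
         "psk": "PLACEHOLDER-PSK", "dhgrp": {32, 21, 15}, "auth": {"sha256", "sha512"},
         "phase2": {"local": "20.20.20.0/24", "remote": "10.10.10.0/24"},
         "policies": [("port4", "tunnel-01", "LAN20", "LAN10", "ICMP"),
                      ("tunnel-01", "port4", "LAN10", "LAN20", "ICMP")]}
FGT2 = {"host": "Fortigate-2", "name": "tunnel-01",
        "local_gw": "172.16.12.2", "remote_gw": "172.16.15.10",
        "psk": "PLACEHOLDER-PSK", "dhgrp": {32, 21, 15}, "auth": {"sha256", "sha512"},
        "phase2": {"local": "10.10.10.0/24", "remote": "20.20.20.0/24"},
        "policies": [("port4", "tunnel-01", "LAN10", "LAN20", "ICMP"),
                     ("tunnel-01", "port4", "LAN20", "LAN10", "ICMP")]}

def check_tunnel(a, b):
    """Return a list of mismatches between the two ends; [] means consistent."""
    problems = []
    # Phase-1: each end must point at the other's outbound interface address,
    # share the PSK, and agree on at least one DH group and one hash.
    if a["remote_gw"] != b["local_gw"] or b["remote_gw"] != a["local_gw"]:
        problems.append("remote gateway does not match the peer's outbound interface")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared key differs between the two ends")
    if not a["dhgrp"] & b["dhgrp"]:
        problems.append("no Diffie-Hellman group in common")
    if not a["auth"] & b["auth"]:
        problems.append("no phase-1 proposal in common")
    # Phase-2: selectors must exist on both ends and mirror each other exactly.
    for side in (a, b):
        if not side["phase2"]:
            problems.append(f"{side['host']}: phase-2 selectors not configured")
    if a["phase2"] and b["phase2"]:
        if (ip_network(a["phase2"]["local"]) != ip_network(b["phase2"]["remote"]) or
                ip_network(a["phase2"]["remote"]) != ip_network(b["phase2"]["local"])):
            problems.append("phase-2 selectors are not mirrored")
    # Policy: every end needs an outbound (LAN -> tunnel) and an inbound
    # (tunnel -> LAN) rule, otherwise one direction is dropped at ingress.
    for side in (a, b):
        out_ok = any(dst == side["name"] for _, dst, *_ in side["policies"])
        in_ok = any(src == side["name"] for src, *_ in side["policies"])
        if not out_ok:
            problems.append(f"{side['host']}: no outbound policy into the tunnel")
        if not in_ok:
            problems.append(f"{side['host']}: no inbound policy from the tunnel")
    return problems
```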
Now that you've got these two IPsec interfaces, we can create an SD-WAN interface, and we do that by first creating a custom zone. Let's create a zone for ourselves and call this WAN 01, or rather simply SDWAN, and let's give this interface a couple of members. Oh, here's a problem: if you create an SD-WAN interface, we know that we've got two IPsec tunnels and we know that we can use IPsec tunnels as member interfaces for SD-WAN, but the problem is that right now our interfaces have policy associated with them. So we first need to free them up, so we need to delete this policy, all of it, and then go back to SD-WAN and give it a couple of members. So now when you look you'll see that tunnel-01 is there; let's make it part of SD-WAN. We've got tunnel-01, so let's add tunnel-02 to our SD-WAN zone, and just like that you can see that we've now got two member interfaces, tunnel-01 and tunnel-02. I think we can set our load-balancing algorithm from here, to say how the firewall should use the two links to share the traffic from us to our destination: measured-volume-based, and that's it, that's all I wanted to configure there.

So our SD-WAN interface is configured. Now we need to create policy to say that when traffic comes in destined for any location, any destination, but in this case of course LAN10, we want that traffic to go over the SD-WAN interface. We do that by allowing it in the firewall policy, but first we need to create a route that says: to 10.10.10.0/24, your exit interface is now going to be the SD-WAN interface. Then we create a firewall rule.
Let's start with outbound: our source interface will be port 4, our outgoing interface will be SD-WAN, and of course, as always, our source is our LAN20 and our destination is LAN10; for the service, maybe not all services, just ICMP; no NAT. So we've created our SD-WAN interface, we've created a static route, and we've created policy to allow traffic to go over our SDWAN interface, and we've even set the load balancing on the SD-WAN interface.

Now we need to do the same on Fortigate-2. We need to free up our policy first so that the interfaces are available for us to use for SD-WAN, and we create our zone, again called SDWAN, and give it a couple of members, that's tunnel-01 and tunnel-02 to SD-WAN, and once again the load balancing is measured-volume-based. Now we're going to create our static route: if you want to go to the web-01 subnet, 20.20.20.0/24, your exit interface is SDWAN. And now we need firewall policy to permit that, because you'll notice that since we don't have policy anymore, the traffic has all but stopped. And this is the wrong Fortigate; there's no policy here. I'm just going to close this for a bit. SDWAN out: our source is port 4, our destination is SD-WAN, traffic is coming from LAN10 and going to LAN20, and the type of traffic is only ICMP. Okay, now let's see if we have reachability. No, we don't have reachability. Let me see if we've got our static routes. Yes, we do. Okay, I'm going to have to create the inbound rule: SD WAN inbound, the incoming interface would be our SD-WAN and the exit interface would be port 4.
Our source can only be LAN10 and our destination of course would be our LAN20 subnet; the service, ALL-ICMP. This is on Fortigate-10; now I need to do the same on Fortigate-2, from LAN20 to our LAN10 as destination, only ICMP. Okay, so we do have reachability. One thing I didn't actually remember here: when we created the first rule for outbound, it's okay, the traffic can egress out of the SDWAN interface, meaning out of the two tunnel interfaces as member interfaces of the SD-WAN interface, but if we don't have an inbound rule on the destination side, the traffic will be dropped at the point of ingress, and if we don't have the same rule in reverse on Fortigate-2, the traffic coming from web-01 will get dropped on the SD-WAN interface at the ingress point. So that's why it didn't work.

And so now, as you can see, we are coming from LAN10, PC01, and we are pinging 20.20.20.100. What I want to do, while this is going, is shut down one of the tunnel interfaces. It is seamless; unlike with the VPN tunnels, there's no noticeable drop in our traffic.

So I believe this concludes this session. In this lab we built site-to-site IPsec tunnels and we used those IPsec tunnels as member interfaces for SD-WAN, and we have achieved reachability from site 2 to site 10, LAN10 to LAN20. I hope that you have taken something away from this, and I'd like to thank you for viewing. Hopefully I'll see you in the next video. Cheers.