FortiGate IPsec ADVPN with SDWAN and Dual ISPs

Captions
Welcome to our tutorial on setting up an IPsec Auto-Discovery VPN with two ISPs, using BGP as the overlay routing protocol. As you can see on the diagram, there are three sites: HQ and two branch offices. The Auto-Discovery VPN uses a hub-and-spoke network topology, thus we will configure HQ as the Auto-Discovery VPN hub and the two branches as spokes. The advantage of using Auto-Discovery VPN is to ensure that spoke-to-spoke traffic does not always traverse the hub: dynamic VPN tunnels are created on demand between spokes. Prefixes across sites will be learned via BGP. Also, we will be using SD-WAN to choose the best link in terms of latency over the two ISP connections at each location. I will be providing explanation of the configurations as we move along, so let's begin.

I have already verified network connectivity between hub and spokes. We will start with the configuration on the hub. Create a new SD-WAN zone which will be used specifically for IPsec tunnels, then create SD-WAN members for this zone. Instead of creating the IPsec VPN tunnels and then adding them as zone members, we can easily create them from here. Enter the name of the VPN via ISP1 and enter the remote gateway IP; for now, use any dummy IP as the gateway IP, since it will soon be removed. Enter the pre-shared key. Add the second VPN via ISP2, also as a zone member. Now let's customize our two IPsec VPN tunnels. For remote gateway, choose dial-up user; this will allow the hub to form IPsec tunnels with multiple spokes. Disable add-route; this ensures that IKE does not automatically add a route when the dynamic tunnel is negotiated, since routing will be accomplished via BGP. Enable auto-discovery sender; with this setting, when IPsec traffic transits the hub, it will send a shortcut offer to the spoke that initiated the traffic to indicate that it could perhaps establish a more direct connection. Set the other phase 1 and phase 2 parameters according to your requirements; I will leave them at their defaults. The phase 2 local and remote addresses on the hub should be set to all. We are done with the IPsec tunnel configuration on the hub.

Firewall policies are next. Two firewall policies are needed: one policy to allow spoke-to-hub traffic and another to allow spoke-to-spoke traffic. In the spoke-to-hub rule, choose all for the source address and disable NAT. In the spoke-to-spoke rule, the source and destination interfaces should be the SD-WAN zone we created; select all for the source and destination addresses and, again, disable NAT.

Let's assign an IP address to the two tunnel interfaces; this will be used by the overlay routing protocol. The remote IP should be an unused IP address in the overlay subnet. For ISP1 the overlay subnet is 10.00.00.0/24, and the overlay subnet for ISP2 is 10.200.200.0/24. For routing, we will configure two separate iBGP peerings between the hub and spokes, and the hub will be configured as a route reflector: one iBGP peering for each overlay network. Then advertise the LAN network of 10.0.0.0/24 to the spokes via BGP.

Let's turn our attention to the spokes; we will return to the hub again. On spoke 1, create an SD-WAN zone and add two member tunnel interfaces. In customizing the VPN tunnels, disable add-route and enable auto-discovery receiver; with this setting, the spoke indicates that it wishes to participate in an Auto-Discovery VPN, or wants to receive a shortcut offer. Set the other phase 1 and phase 2 parameters to match those on the hub. You may enable auto-negotiate (initiate). Create two firewall rules on the spoke, one for inbound and the other for outbound. For inbound traffic, choose all for the source address; then for outbound traffic, select all for the destination address. Disable NAT in all firewall policies. Let's assign IP addresses to the two tunnel interfaces. I will quickly repeat the same thing also on spoke 2. For routing, we will configure two separate iBGP peerings between the hub and spokes, an iBGP peering for each overlay network. The remote AS number should be the same as that on the hub, and the BGP neighbor IPs should be the tunnel IP addresses on the hub. Then advertise the LAN networks via BGP. I will set the BGP route advertisement interval to one second on the spokes.

Next is SD-WAN, but before that, let's check the state of the Auto-Discovery VPNs and BGP neighborship on the hub. Everything looks good so far. We will begin the SD-WAN configuration by creating two performance SLAs to check network connectivity to the local area networks of the spokes over the IPsec VPN tunnels, using the ping protocol. It is imperative that these ping SLAs are sourced from an IP address in the LAN subnet of the hub; this source IP can only be configured in the CLI. Next, let's configure two SD-WAN rules, one for each spoke; make sure the selected measured SLA matches the right spoke. We will repeat the same thing on the two spokes too. Pay close attention to the server IPs used for the performance SLAs on the spokes; again, pay attention to the source and destination addresses used in the SD-WAN rules on the spokes.

Now we are done, but do you see that only one performance SLA is working? Do you know why? Well, it is because equal-cost multipath routing is not enabled for SD-WAN and BGP. So let's enable ECMP on all nodes. For the SD-WAN load-balancing algorithm, we will change it from the default value of source-IP-based to weight-based. By default, FortiGate supports a maximum of 255 equal-cost multipath routes; I want to change it to only four, at least for the sake of demonstration. Then, finally, let's enable equal-cost multipath for iBGP. We should now find both performance SLAs at each location working; hence the hub or the spokes can check the quality of the two ISPs, in our case check the latency, and pass traffic based on which ISP route has the lower latency. Since the SD-WAN performance SLA pings are up, it means there is end-to-end connectivity over the VPNs. Because of the Auto-Discovery VPN configuration on the hub and spokes, traffic between spokes will not traverse the hub.

Great, we have created IPsec Auto-Discovery VPNs between three locations with SD-WAN, where each location had dual ISPs. Thanks for watching our tutorial. If you have any questions or need further assistance, please feel free to leave a comment below. Don't forget to subscribe to our channel for more helpful tutorials. See you next time.
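The hub-side steps the narrator clicks through in the GUI, written out as FortiOS CLI so the settings named in the video (dial-up phase 1, add-route disabled, auto-discovery sender, route-reflector iBGP per overlay, a ping SLA with a LAN source address, weight-based load balancing, iBGP multipath and an ECMP limit of four) can be seen together. This is an added example, not the video's own configuration. The WAN port names (port1, port2), the AS number 65000, the ISP1 overlay subnet 10.100.100.0/24, the hub LAN address 10.0.0.254, the spoke 1 probe target 192.168.1.1 and the address objects HQ-LAN and SPOKE1-LAN are assumptions; only 10.200.200.0/24, 10.0.0.0/24 and the ECMP limit come from the tutorial.

```text
# Added example (not from the video). Assumed: port1 = ISP1, port2 = ISP2,
# AS 65000, ISP1 overlay 10.100.100.0/24, hub LAN 10.0.0.254, spoke1 LAN 192.168.1.1
config vpn ipsec phase1-interface
    edit "VPN-ISP1"
        set type dynamic                  # "dial-up user": many spokes on one tunnel
        set interface "port1"
        set net-device disable
        set add-route disable             # IKE installs no routes; BGP does routing
        set auto-discovery-sender enable  # hub sends ADVPN shortcut offers
        set psksecret <PRE-SHARED-KEY>    # placeholder, set your own
    next
    # "VPN-ISP2" is identical but bound to port2 (omitted here)
end
config system interface
    edit "VPN-ISP1"
        set ip 10.100.100.254 255.255.255.255
        set remote-ip 10.100.100.253 255.255.255.0   # unused address in overlay
    next
    edit "VPN-ISP2"
        set ip 10.200.200.254 255.255.255.255
        set remote-ip 10.200.200.253 255.255.255.0
    next
end
config router bgp
    set as 65000
    set ibgp-multipath enable             # ECMP across both overlays
    config neighbor-group
        edit "SPOKES-ISP1"
            set remote-as 65000
            set route-reflector-client enable
        next
        edit "SPOKES-ISP2"
            set remote-as 65000
            set route-reflector-client enable
        next
    end
    config neighbor-range                 # accept any spoke peering from each overlay
        edit 1
            set prefix 10.100.100.0 255.255.255.0
            set neighbor-group "SPOKES-ISP1"
        next
        edit 2
            set prefix 10.200.200.0 255.255.255.0
            set neighbor-group "SPOKES-ISP2"
        next
    end
    config network
        edit 1
            set prefix 10.0.0.0 255.255.255.0   # advertise the hub LAN
        next
    end
end
config system sdwan
    set status enable
    set load-balance-mode weight-based    # changed from default source-ip-based
    config zone
        edit "ADVPN"
        next
    end
    config members
        edit 1
            set interface "VPN-ISP1"
            set zone "ADVPN"
        next
        edit 2
            set interface "VPN-ISP2"
            set zone "ADVPN"
        next
    end
    config health-check
        edit "SPOKE1-LAN"
            set server "192.168.1.1"
            set protocol ping
            set source 10.0.0.254         # hub LAN source; CLI-only setting
            set members 1 2
        next
    end
    config service
        edit 1
            set name "TO-SPOKE1"
            set mode priority
            set link-cost-factor latency  # prefer the overlay with lower latency
            set src "HQ-LAN"
            set dst "SPOKE1-LAN"
            set health-check "SPOKE1-LAN"
            set priority-members 1 2
        next
    end
end
config system settings
    set ecmp-max-paths 4                  # default is 255
end
```

On each spoke the phase 1 differs in three ways: `set remote-gw` points at the hub's ISP address, `set auto-discovery-receiver enable` replaces the sender setting, and `set add-route disable` stays. Its BGP neighbors are the hub tunnel addresses 10.100.100.254 and 10.200.200.254 with `set advertisement-interval 1`, and `ibgp-multipath` plus `ecmp-max-paths` must be set on every node, which is why only one SLA stayed up in the video until ECMP was enabled everywhere. Because the phase 2 selectors and the spoke-to-spoke policy both use "all", the firewall policies on the SD-WAN zone are the only filter applied to inter-site traffic, so keep them as narrow as the sites actually need.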
Info
Channel: Verifine Academy
Views: 19,197
Keywords: FortiGate, IPsec VPN, FortiGate IPsec, FortiGate IPsec Loopback, IPsec with Loopback Interface, Site-to-Site IPsec Loopback Interface, FortiGate Site-to-Site VPN, FortiGate IPsec VPN, Site-to-Site VPN with Loopback, IPsec VPN with Loopback
Id: zkaDwPqZU_k
Length: 25min 49sec (1549 seconds)
Published: Sat Jul 15 2023