FortiGate SDWAN with IPsec VPN

Captions
You are welcome to this tutorial. We are going to demonstrate how to configure SD-WAN between two locations that are connected by dual IPsec VPN tunnels. You can see from the network topology that both locations have two ISPs. We are going to configure SD-WAN to make use of two IPsec VPN tunnels between site A and site B; each IPsec tunnel uses a different ISP connection. SD-WAN provides granular visibility into network traffic and analyzes traffic data; as a result, organizations can securely exchange data across multiple locations with improved performance, reliability and scalability. Let's get started. I will provide explanations for some configurations as we move along.

We will start the configuration on FortiGate A. First, ping the two remote gateway IPs at site B to test connectivity. We will begin with the creation of an SD-WAN zone which will be used specifically for IPsec tunnels. Next, create SD-WAN members for the zone. Instead of creating the IPsec VPN tunnels and adding them as zone members, we can easily create them from here: enter the name of the VPN via ISP1, enter the remote gateway IP and the pre-shared key, and select the SD-WAN zone that we created. Add the second VPN via ISP2, also as a zone member. FortiGate assigned default settings to the two VPNs created, so let's customize the VPN tunnels according to our requirements. For the phase 2 selectors I will change the local and remote addresses from all/all to their specific local and remote networks. You may choose to enable auto-negotiate. Customize the other tunnel too.

Next, create a static route to route traffic to the local area network behind FortiGate B. We will choose the SD-WAN zone as the outgoing interface; you can, however, select the two VPN tunnel interfaces instead. Add a blackhole route. The purpose of the blackhole route is to ensure that when the IPsec tunnel is down, traffic to the remote end is silently dropped instead of using a default route on the FortiGate. Then firewall policies: configure two firewall policies to allow traffic between sites A and B over the IPsec VPN tunnel in both directions. Disable NAT in the firewall policies.

Now we turn our attention to SD-WAN rules. We will first create an SD-WAN performance SLA. A performance SLA checks for network reachability and provides metrics on the quality of the path. We will use the ping protocol for our SLA. In the Servers box, enter the IP address of the host or network device you want to ping. This IP must be part of the encryption domain; that is, it must be an IP in the phase 2 selector's remote address subnet. In our case we are using the gateway IP of the local area network configured on FortiGate B. Since we want to ping the SLA server simultaneously via the two VPN tunnels, select both as SLA participants. But one important thing is we need to source this SLA ping over the VPN tunnels from the local area network behind FortiGate A. This source IP should be part of the encryption domain for the VPNs. We can only do this in the CLI, under the SD-WAN zone member VPN interfaces.

Finally, SD-WAN rules. Provide a descriptive name for the rule and select source and destination addresses. For outgoing interface strategy we will use Best Quality. For Best Quality, SD-WAN will consider either latency, jitter or packet loss to choose which of the two VPN tunnel interfaces to use for outgoing traffic to the remote end. For Measured SLA, choose the performance SLA we configured; it will be used as the reference. We want to use latency as the quality criteria. Let's quickly repeat the same thing on FortiGate B.

Now that we are done with the configurations, let's bring up the VPN tunnels if not up already. We can confirm connectivity via the IPsec VPN tunnels even by looking at the performance SLAs: they're up, and you can see the latency, jitter and packet loss for each of the VPN tunnels. Finally, let's check some SD-WAN details from the CLI. Click on the SD-WAN Rules tab. The VPN tunnel via ISP1 is currently the preferred link; it has a lower latency to the remote end.

Congratulations, we have successfully configured SD-WAN between two locations using IPsec tunnels. Thanks for watching our tutorial. If you have any questions or need further assistance, please feel free to leave a comment below. Don't forget to subscribe to our channel for more helpful tutorials. See you next time.
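The CLI side of the procedure described in the captions, as an added example that is not taken from the video: the SD-WAN members carrying the health-check source IP the narration says can only be set in the CLI, the ping performance SLA across both tunnels, the Best Quality rule keyed on latency, and the static route plus the blackhole route. Interface names, address objects and the 192.168.1.0/24 (site A LAN) and 192.168.2.0/24 (site B LAN) subnets are constructed placeholders, and the syntax assumes FortiOS 7.x on FortiGate A.

```text
config system sdwan
    set status enable
    config zone
        edit "VPN-Zone"
        next
    end
    config members
        # source = LAN-side IP behind FortiGate A, so the probe is inside the phase 2 selectors
        edit 1
            set interface "VPN-ISP1"
            set zone "VPN-Zone"
            set source 192.168.1.1
        next
        edit 2
            set interface "VPN-ISP2"
            set zone "VPN-Zone"
            set source 192.168.1.1
        next
    end
    config health-check
        # server = LAN gateway on FortiGate B; both members are probed at once
        edit "VPN-SLA"
            set server "192.168.2.1"
            set protocol ping
            set members 1 2
        next
    end
    config service
        # mode priority is the GUI "Best Quality" strategy; latency picks the member
        edit 1
            set mode priority
            set src "SiteA-LAN"
            set dst "SiteB-LAN"
            set health-check "VPN-SLA"
            set link-cost-factor latency
            set priority-members 1 2
        next
    end
end
config router static
    edit 1
        set dst 192.168.2.0 255.255.255.0
        set sdwan-zone "VPN-Zone"
    next
    # blackhole with a worse distance: when both tunnels are down, drop instead of using the default route
    edit 2
        set dst 192.168.2.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
```

The same configuration is mirrored on FortiGate B with the subnets, source IP and SLA server swapped; `diagnose sys sdwan health-check` and `diagnose sys sdwan service` show the measured latency per tunnel and which member the rule currently selects.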
Info
Channel: Verifine Academy
Views: 9,237
Keywords: FortiGate, IPsec VPN, FortiGate IPsec, FortiGate IPsec Loopback, IPsec with Loopback Interface, Site-to-Site IPsec Loopback Interface, FortiGate Site-to-Site VPN, FortiGate IPsec VPN, Site-to-Site VPN with Loopback, IPsec VPN with Loopback
Id: mIxKCBprgjs
Length: 15min 10sec (910 seconds)
Published: Fri May 12 2023