- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: SD-WAN IPSec Main Backup tunnels with Dynamic ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SD-WAN IPSec Main Backup tunnels with Dynamic Public IPs at Branches
Hi All,
Can I leverage SD-WAN with dynamic IP Primary and Backup (LTE) Internet circuits at branch offices to establish tunnels to two circuits (again SD-WAN) at HQ (both with have Static Public IP at this end)? Thanks so much.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Yes, this can be achieved and an example is shown here.
Since the HQ has static IP addresses, you can configure it as a dialup server and the branch as a dialup client ,
geek
geek
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your prompt help. I did look at this link last night but it is not the scenario that I am looking for. The branch has two ISPs (one primary DSL and backup LTE) and both are dynamic. The diagram on the link shows single ISP at branch and it has static IP.
Created on 04-25-2024 05:35 AM Edited on 04-25-2024 05:36 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can create a similar config for the other link, similar cu what is described in the document.
Also, from my experience in order to avoid complex tshoot, I personally prefer to create 1:1 IPsec tunnels, meaning Branch ISP1 <> HQ ISP1 and Branch ISP2 <> HQ ISP2 .
smth that I used in my lab for the Hub as a dialup server ( you can ignore de autodiscovery settings that I used for ADVPN :(
config vpn ipsec phase1-interface
edit "Overlay_P1"
set type dynamic
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256
set add-route disable
set localid "LAB-WAN1"
set dpd on-idle
set auto-discovery-sender enable
set nattraversal disable
set network-overlay enable
set network-id 1
set dpd-retryinterval 60
next
edit "Overlay_P2"
set type dynamic
set interface "port2"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256
set add-route disable
set localid "LAB-WAN2"
set dpd on-idle
set auto-discovery-sender enable
set nattraversal disable
set network-overlay enable
set network-id 2
set dpd-retryinterval 60
next
end
geek
geek
Created on 04-25-2024 05:44 AM Edited on 04-25-2024 05:45 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
and below is from one of my branches.
again, please note that the PSK is missing and you can ignore the ADVPN config.
config vpn ipsec phase1-interface
edit "Overlay_P1"
set interface "port1"
set ike-version 2
set peertype any
set net-device enable
set proposal aes128-sha256
set add-route disable
set localid "B1-WAN1"
set dpd on-idle
set auto-discovery-receiver enable
set auto-discovery-shortcuts dependent
set nattraversal disable
set network-overlay enable
set network-id 1
set remote-gw WAN1
next
edit "Overlay_P2"
set interface "port2"
set ike-version 2
set peertype any
set net-device enable
set proposal aes128-sha256
set add-route disable
set localid "B1-WAN2"
set dpd on-idle
set auto-discovery-receiver enable
set auto-discovery-shortcuts dependent
set nattraversal disable
set network-overlay enable
set network-id 2
set remote-gw WAN2
next
end
geek
geek
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Appreciate again. The requirements are bit complex. The branch side has Cellular LTE connection only to be used when primary DSL is down. So, I cannot have nailed down 2 tunnels from one-to-one circuit. I can use Main backup feature where backup tunnel will get created when monitored status of primary is down. I have to study on the ADVPN topic to see if that will make sense. Also, tunnel from branch should be able to failover to second HQ ISP also if main ISP circuit at HQ fails. I guess I can use SDWAN feature at the HQ site and then use main-backup tunnel monitored feature at the branch site. Now need to determine what remote GW IP to use at branch to get to two ISPs based SDWAN end at HQ.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I can create two Phase 1 VPN confgs at branches to specify two separate remote GW IPs.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you can, and since both endpoint are FortiGates you can configure the phase2 selectors are 0.0.0.0/0 for remote and local and control everything from static routes and firewall policies.
You can have 2 static routes for the same remote subnet on both devices, one using the ISP1 IPsec tunnel with a lower AD and the 2nd having ISP2 IPsec with a higher AD in the routing table.
geek
geek
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For branch, under Config vpn ipsec phase1-interface, I find that I can specify two tunnels, one primary and second monitored backup and each can have their own remote gateway. The gateway command (set remote-gw) only takes one IP. I was hoping It will support two, so that first one is main and second one is backup. Worst case, I can have first tunnel (primary-backup) from branches, to main ISP at HQ and second tunnel from branches from DSL to second ISP at HQ. The chances of main ISP to go down and at the same time DSL at branch to also go down are rare.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I was refering to the fact that you can create 2 separate IPsec tunnel on the brach, each with the remote ip of the HQ WAN/ISP interface.
When the ISP1 interface will go down, the tunnel will also go down and traffic should be steered using the ISP2 interface and IPsec tunnel when that happens, assuming that you have the correct entried in the routing table.
geek
geek
Related Posts
- SD-WAN IPSec Main Backup tunnels with... 296 Views
- FortiGate GRE Tunnel with Dynamically obtain... 165 Views
- FortiMangaer and FGT Hub migration issues... 185 Views
- Dial-up IPsec tunnels with same source... 970 Views
- FGSP Dynamic Tunnel VPN in SD-WAN 265 Views
Labels
-
FortiGate
6,752 -
FortiClient
1,343 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
345 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
92 -
FortiGateCloud
88 -
IPsec
85 -
FortiCloud Products
85 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
33 -
SD-WAN
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiAuthenticator
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
BGP
14 -
DNS
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
FortiSOAR
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.