Thomas_AA

SDWAN feature for Internet and VPN IPsec traffic

Hello,

I am trying to find out whether it is possible to do SDWAN for Internet traffic and for traffic going through two IPsec tunnels (the endpoint on the other side will be MX Meraki). The remote subnets for the two IPsec tunnels will be the same, so if I configure static routes for this same subnet with the two tunnel interfaces as next hops (route-based VPN), I do not think I will be able to load-balance the traffic: there will always be a preferred route and I will not have active-active links for the VPN IPsec traffic. But with the SDWAN feature, maybe there is a subtlety which can make this possible :) So the purpose is to load-balance the Internet traffic and VPN traffic between the two WAN interfaces thanks to the SDWAN feature. Besides, I do not have a way to test it for the moment, so this is just a theoretical question.

 

Thanks in advance,

 

Thomas

1 Solution
ericli_FTNT

Hi Thomas_AA

 

Yes, you can configure your two IPsec links as active-active to load-balance your traffic with the SD-WAN algorithm.

 

Please take a look at this document which is very helpful http://cookbook.fortinet....oyment-example-expert/

 

For detailed configuration, if you need, please put specific requirement and topology here. Keep in touch!


ericli_FTNT

Hi Thomas, thanks for quick response!

 

Thomas_AA wrote:

 

It is just that for 2 public IP addresses which are my IPsec endpoints, that will be my primary tunnels, and for two others public IP addresses, the tunnels will be backup.

 

So you have two tunnels on each WAN link?

 

Here is my topology, focusing on your branch fw.

 

Thomas_AA

Hi Ericli,

 

Yes, I have two tunnels for each WAN link (one to the primary remote FW and the other one to the backup remote FW, and as I need to use SDWAN, that makes four tunnels). In your topology, for the four IPsec tunnels, the remote subnet is the same 10.0.0.0/8. And I do not have other traffic which should go over a VPN tunnel (I do not have 11.0.0.0/8 for example). All traffic which does not match 10.0.0.0/8 is considered normal traffic and goes through the Internet interfaces (WAN1 and WAN2).

 

 

ericli_FTNT

Thomas_AA wrote:

Yes, I have two tunnels for each WAN link (one to the primary remote FW and the other one to the backup remote FW, and as I need to use SDWAN, that makes four tunnels).

Hi Thomas,

 

Thanks for reply.

 

So on each wan link, you need to configure 2 tunnels, and these 2 tunnels are going to 2 different remote firewalls? Am I right?

 

Eric

Thomas_AA

Hi Eric,

 

Yes exactly, you are right. But on the two remote firewalls (one is primary, the other one backup), I have the same subnet (10.0.0.0/8).

 

Thomas

ericli_FTNT

Hi Thomas, if so, I wonder how you configure your routing on the branch firewall? For subnet 10.0.0.0/8, which interface should the packet be sent out from?

Thomas_AA

Hi Eric,

 

Well, this is the aim of my post :) In my first post, I wrote:

"The remote subnets for the two IPsec tunnels will be the same, so if I configure static routes for this same subnet with the two tunnel interfaces as next hops (route-based VPN), I do not think I will be able to load-balance the traffic: there will always be a preferred route and I will not have active-active links for the VPN IPsec traffic. But with the SDWAN feature, maybe there is a subtlety which can make this possible :)"

 

For me, with my Fortinet knowledge, this is not possible, but I was expecting that with the SDWAN feature it would be possible.

Thomas_AA

Hi Eric,

 

Do you have any feedback for me? Can you confirm whether it is possible or not, please? :)

 

Thanks,

 

Thomas

ericli_FTNT

Hi Thomas, sorry for the late reply. I've been working on other projects these days. Yes, the answer is yes, it's doable. Now it's like this:

       (port33 10.1.100.125/24)          (10.1.100.165/24 internal1)
FGT-A<                            ISP                                  >  FGT-B
       (port34 172.16.200.125/24)        (172.16.200.165/24 internal2)

1. Configure 2 route-based IPsec VPN tunnels on these two links:

 

FGT-A:

 

FGT2KE3916900014 # sh vpn ipsec phase1-interface 
config vpn ipsec phase1-interface
    edit "20-1"
        set interface "port33"
        set peertype any
        set proposal aes128-sha1
        set remote-gw 10.1.100.165
        set psksecret ENC PdgvsxmwUXSpLgbh01QwJLXveno5TG6kHfTDuudEyLh9XDFQ0uGvLFib3e/Osv8kVH4FebQJSRLij5X5nUCsSXwiDpzg176fUp+GFGv2q+L9oR55eYClOBgwTcfb1WaFekbOAuWCv6wwPrmRqmFBYcnTle8OnqHAzWdbP1Y9W4SYXMmz5L3ZSeg4nJ1YG9Lj5pafFg==
    next
    edit "30-1"
        set interface "port34"
        set peertype any
        set proposal aes128-sha1
        set remote-gw 172.16.200.165
        set psksecret ENC HpHW9i1GcNxStnOVgxERVrLWC0DbwCixKXJ4W8zFYijQQajBZBkPkQxL0c6yz2CfCfzAht/plKd84apTTlRdRqPhpBaCEQC78Blai004c9D2DC83YFNzY92wemt6cuVzIYDLEE1DpVftIBM/6GmWjsaEgUP4BudsTyLyrAs+DK/zpEOEJXeT/G5bHlVuk3CzoM0lGQ==
    next
end
FGT-B:
FW60EJTK18000005 # sh vpn ipsec phase1-interface 
config vpn ipsec phase1-interface
    edit "20-1"
        set interface "internal1"
        set peertype any
        set proposal aes128-sha1
        set remote-gw 10.1.100.125
        set psksecret ENC gOhBODotKU5i/v+oppOQHBG00RJvdXfpkHHxx8bTpn01KVREgXbvWHtjVYw3pcTake75d/ONebp8I2LXmG6kN+p3OgsPBmQQrXYWuDDCv2exN8WWGuzMRfLqY+dCCHBnbGyI1q4ZKfZ/SvHrVg6vK1wQazBCaANynKyC3QAiM847ie50D+BuwMxA2mBqx0l7eHWoPA==
    next
    edit "30-1"
        set interface "internal2"
        set peertype any
        set proposal aes128-sha1
        set remote-gw 172.16.200.125
        set psksecret ENC Y9pM8HkYoxmxvPG9nvVgiVFff88lxWHAHFlbzK3TcSb/g6NQDN+jJNg0X0LbjbbQufvsBpYj48sW2uoJZiqNLNQAD0e5YOb46+GJCSzQT8kDDERUmtFQi7bFion3hHCDK63lVzYq3Bp8WUbO4U1Vikt2AKGUzD0Lm8efgjC3jGQ5/w3eueeIQlgEndj1S6g462SWgQ==
    next
end

 

2. Create a policy for IKE.

FGT-A:

config firewall policy
    edit 1
        set uuid 3674c742-31e4-51e8-8d9e-5ef09ebba45f
        set srcintf "20-1"
        set dstintf "port33"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set uuid 0a558d16-31e6-51e8-72c8-ae2103dce40d
        set srcintf "30-1"
        set dstintf "port34"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

 

FGT-B

 

config firewall policy
    edit 1
        set uuid ff3324da-31df-51e8-db07-53e475ddf936
        set srcintf "20-1"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set uuid 3ef847ca-31e6-51e8-c31a-f4ef5cbe1b4b
        set srcintf "30-1"
        set dstintf "internal2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

 

3. Configure the tunnel interfaces:

FGT-A:

 

FGT2KE3916900014 # sh sys interface 20-1 
config system interface
    edit "20-1"
        set vdom "root"
        set ip 1.1.1.125 255.255.255.255
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type tunnel
        set remote-ip 1.1.1.165
        set role wan
        set snmp-index 43
        set interface "port33"
    next
end

FGT2KE3916900014 # sh sys interface 30-1
config system interface
    edit "30-1"
        set vdom "root"
        set ip 2.2.2.125 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 2.2.2.165
        set role wan
        set snmp-index 44
        set interface "port34"
    next
end

 

 FGT-B:

 


FW60EJTK18000005 # sh sys interface 20-1
config system interface
    edit "20-1"
        set vdom "root"
        set ip 1.1.1.165 255.255.255.255
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap
        set type tunnel
        set remote-ip 1.1.1.125
        set role wan
        set snmp-index 13
        set interface "internal1"
    next
end

FW60EJTK18000005 # sh sys interface 30-1
config system interface
    edit "30-1"
        set vdom "root"
        set ip 2.2.2.165 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 2.2.2.125
        set role wan
        set snmp-index 14
        set interface "internal2"
    next
end

 

4. These two pairs of tunnel interfaces should be reachable from each other.

FGT2KE3916900014 # execute ping 2.2.2.165
PING 2.2.2.165 (2.2.2.165): 56 data bytes
64 bytes from 2.2.2.165: icmp_seq=0 ttl=255 time=0.2 ms
64 bytes from 2.2.2.165: icmp_seq=1 ttl=255 time=0.1 ms
^C
--- 2.2.2.165 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms

FGT2KE3916900014 # execute ping 1.1.1.165
PING 1.1.1.165 (1.1.1.165): 56 data bytes
64 bytes from 1.1.1.165: icmp_seq=0 ttl=255 time=0.2 ms
64 bytes from 1.1.1.165: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 1.1.1.165: icmp_seq=2 ttl=255 time=0.1 ms
^C
--- 1.1.1.165 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms

 

5. On these two pairs of vpn tunnel interfaces, you could configure SD-WAN:

FGT-A:

FGT2KE3916900014 # sh sys virtual-wan-link 
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "20-1"
            set gateway 1.1.1.165
        next
        edit 2
            set interface "30-1"
            set gateway 2.2.2.165
        next
    end
end

 

I suggest you configure SD-WAN via GUI because it's fully functional and much easier.

 

6. If you need to route the same subnet via SD-WAN over both tunnels, there are two possible solutions, depending on your ISP. If your ISP supports VxLAN, you could encapsulate your 10.0.0.0/8 from FGT-A and send it to FGT-B. If your ISP doesn't, you could use a firewall VIP to solve this. But if you need to use the VIP solution, you need to configure it before you configure SD-WAN. Please let me know if you need detailed information about this.
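As an added example, not code from this thread or from Fortinet: a small Python parser for the FortiOS "config / edit / set / next / end" listings shown above, used to audit the tunnel interfaces before they go into SD-WAN. The sample config is constructed (modelled on FGT-A's output), and the two checks are my own: plaintext management protocols left in allowaccess on a tunnel, and a tunnel that is missing from the SD-WAN member list.

```python
import shlex
# Constructed sample, modelled on FGT-A's output in the thread above (not real device output).
SAMPLE = """\
config system interface
    edit "20-1"
        set allowaccess ping https ssh snmp http telnet fgfm
        set type tunnel
    next
    edit "30-1"
        set allowaccess ping
        set type tunnel
    next
end
config system virtual-wan-link
    config members
        edit 1
            set interface "20-1"
        next
    end
end
"""
PLAINTEXT_MGMT = {"http", "telnet"}  # management protocols that should not be exposed on a tunnel

def parse_fortios(text):
    """Parse FortiOS 'config / edit / set / next / end' blocks into nested dicts."""
    stack = [{}]                                   # stack[0] is the root of the tree
    for tok in filter(None, map(shlex.split, text.splitlines())):  # skip blank lines
        if tok[0] == "config":                     # open a section or table
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":                     # open a table entry
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":                      # attribute with one or more values
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):            # close the current scope
            stack.pop()
    return stack[0]

def audit_tunnels(cfg):
    """Flag tunnel interfaces with plaintext management access or missing from SD-WAN."""
    sdwan = cfg.get("system virtual-wan-link", {}).get("members", {})
    members = {m["interface"][0] for m in sdwan.values()}
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        if iface.get("type") != ["tunnel"]:
            continue
        exposed = PLAINTEXT_MGMT & set(iface.get("allowaccess", []))
        if exposed:
            findings.append(f"{name}: plaintext management enabled: {sorted(exposed)}")
        if name not in members:
            findings.append(f"{name}: tunnel is not an SD-WAN member")
    return findings
```

Feed it the output of `show system interface` and `show system virtual-wan-link` from a real unit to run the same checks on your own branch firewall.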

 

Thomas_AA

Hi Eric,

 

Thanks for your reply and the configuration example. About the point 6, the ISP does not support VxLAN. But yes, if you can give me further information about the VIP, it would be great. This solution is more adapted to us.

 

Thanks in advance,

Thomas

ericli_FTNT

Hi Thomas,

Basically you need to configure:

1. Create a VIP:

config firewall vip
    edit "1"
        set comment "loop1"
        set extip 192.168.165.165 ### This is the IP address for your remote site
        set extintf "20-1" ### This is the tunnel interface
        set mappedip "10.10.10.165" ### This is your internal subnet e.g. 10.0.0.0/8
    next
end

 

2. You need to create a new firewall policy to implement this VIP as destination address:

 

config firewall policy
    edit 3
        set srcintf "20-1" ### This is your tunnel interface, where external traffic comes in from
        set dstintf "loop1" ### This interface connects to your internal network 10.0.0.0/8
        set srcaddr "all"
        set dstaddr "1" ### This is the VIP you created in step 1
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

 

3. You need to configure a new static route in your remote site.

 

config router static
    edit 1
        set dst 192.168.165.165 255.255.255.255
        set device "20-1"
    next
end

 

4. Replicate steps 1, 2 and 3 on the remote site.
