Redundant wan link for Internet, IPSec and SSL VPN on Fortigate 5.6

Author
capricorn80
2018/09/02 09:54:53 (permalink)

Hi!
 
I have to implement a redundant WAN link, and from my reading I think SD-WAN is mostly geared towards load balancing. I have seen a couple of videos on link monitoring and setting up a redundant WAN link. I also saw a video or read somewhere to create a zone instead of creating dual policies. Not sure if I recall well, but it will be a problem creating dual policies for WAN1 and WAN2.
Also, my plan is to have redundancy for IPsec and SSL VPN.
 
Can anyone guide me on how to implement a redundant link with best practices that involves fewer firewall rules, i.e. not creating two rules, one for WAN1 and one for WAN2?
How can I implement IPsec and SSL VPN using a redundant link?
 
Thanks.
#1

9 Replies

    Ashu
    Re: Redundant wan link for Internet, IPSec and SSL VPN on Fortigate 5.6 2018/09/02 13:10:51 (permalink)
    Hi ,
     
    SD-WAN is the best option for a redundant WAN connection. You need one rule and one route as well. After adding WAN1 and WAN2 to SD-WAN, you can select the best load-balancing method.
     
    Then in the policies only one policy, e.g. LAN to SD-WAN, needs to be created.
     
    Also, in routing only one default route is needed for all the SD-WAN members.
     
    Before adding the members to SD-WAN you should remove all the interface dependencies.
     
    SSL VPN: you should select both the WAN1 and WAN2 interfaces in the SSL settings.
     
    IPsec: you should create 2 tunnels, one under WAN1 and one under WAN2, for the same destination.
     
    I gave a very brief idea of each section. There are quite a few configuration steps needed to achieve this. Let us know if you need more info on each section.
     
    Regards,
     
    Ashik
    #2
    capricorn80
    Re: Redundant wan link for Internet, IPSec and SSL VPN on Fortigate 5.6 2018/09/02 13:36:15 (permalink)
    Thanks Ashik.
     
    SD-WAN is for load balancing, and in our case we just want to use one line until it goes down. I can think of having it set up to use both links and maximize the traffic on our primary link.
     
    "SSL VPN: you should select both the WAN1 and WAN2 interfaces in the SSL settings":
     
    How will this decide whether the traffic goes via WAN1 or WAN2?
     
    I am reading the docs and checking the video links, but if you have some doc links please share.
    post edited by capricorn80 - 2018/09/02 13:38:54
    #3
    Ashu
    Re: Redundant wan link for Internet, IPSec and SSL VPN on Fortigate 5.6 2018/09/03 00:41:32 (permalink)
    Hi,
     
    SD-WAN by default will give you redundancy. You can also set link load balancing where you can select weighted LB. If you need the primary link to take the full load, then give 90% weight to WAN1 and 10% to WAN2, or you can use spillover as well.
     
    SSL VPN can be accessed via both links simultaneously. Better to use an FQDN for the VPN in your public DNS and assign 2 A records, the WAN1 and WAN2 IPs.
     
    Regards,
    Ashik
    #4
    arthur68tw
    Re: Redundant wan link for Internet, IPSec and SSL VPN on Fortigate 5.6 2019/02/18 01:27:50 (permalink)
    Hi, Ashu
    May I ask a question about SSL VPN being used in an SD-WAN environment? My FortiGate 100E's firmware is 6.x, and I configured two ISPs' internet cables to WAN1 and WAN2. The SD-WAN is configured OK and works well. After completing an SSL VPN configuration, I launched FortiClient to connect to this FortiGate 100E unit. The SSL VPN connects OK but will disconnect after several minutes. I checked the two internet connections. One of them goes down as well, but it comes back up after 4-5 seconds, and then FortiClient shows an alarm message that the SSL VPN connection is down. I can reconnect the SSL VPN from FortiClient, but the same disconnect issue repeats again. Googling, someone solved it by adding the instructions below:
     
    config vpn ssl settings
    set route-source-interface enable
    end
    but I can't find the "route-source-interface" parameter in the set command. Any suggestion about this issue?
     
    Regards
     
    Arthur68tw
    #5
    rdumitrescu
    Re: Redundant wan link for Internet, IPSec and SSL VPN on Fortigate 5.6 2019/02/18 02:02:54 (permalink)
    @Arthur68tw

    In 6.x firmware you should use this command:
    config system interface
    edit <port..>
    set preserve-session-route enable
    end
    #6
    arthur68tw
    Re: Redundant wan link for Internet, IPSec and SSL VPN on Fortigate 5.6 2019/02/18 17:07:33 (permalink)
    Hi, rdumitrescu
    Thanks for your reply. It solved my problem. Now a new firmware version, 6.0.4, is released. Should I upgrade it, since I searched for this problem yesterday in the forum and found someone who couldn't solve this problem by adding these instructions at version 6.0.3?
    P.S. my version is 6.0.2
    Regards
     
    Arthur68tw
    #7
    rdumitrescu
    Re: Redundant wan link for Internet, IPSec and SSL VPN on Fortigate 5.6 2019/02/19 02:32:43 (permalink)
    Where did you read that in 6.0.3 the command is not working? Can you post a link to the thread?
    It should work unless there is a software bug that I am not aware of.
    #8
    arthur68tw
    Re: Redundant wan link for Internet, IPSec and SSL VPN on Fortigate 5.6 2019/02/19 17:17:29 (permalink)
    Hi, rdumitrescu
    This is the URL I googled: "https://forum.fortinet.com/tm.aspx?m=153209". Someone mentions in the last post that 6.0.3 didn't fix this issue.
     
    Regards
     
     
    #9
    raul.garcia.jim
    Re: Redundant wan link for Internet, IPSec and SSL VPN on Fortigate 5.6 2019/03/05 06:05:29 (permalink)
    Hi,

    I have a similar issue. I have an external VDOM with two PPPoE interfaces over SD-WAN. I tried to use SSL VPN over one PPPoE but it is not working; I cannot see the SSL VPN portal from the internet. I reviewed the logs and saw that this traffic is denied by local-in-policy. Any idea?
    My version is 6.0.4.
     
    Thanks
    Regards
    #10