Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
capricorn80
New Contributor II

Redundant wan link for Internet, IPSec and SSL VPN on Fortigate 5.6

Hi!

 

I have to implement redundant wan link and as per reading I think SD WAN is mostly towards load balancing. I have seen couple of videos of link monitoring and setting up redundant wan link. I also saw a video or read some where to create Zone instead of creating dual policies. Not sure if I recall well but it will be problem creating dual policies for WAN1 and WAN2.

Also my plan is to have redundancy for IPSEC and SSL VPN.

 

Can anyone guide me how to implement Reduandant link with best practices that includes less firewall rule like not creating two rule i.e. one for wan 1 and one for wan2.

How can I implement IPsec and SSL Vpn using reduandant link.

 

Thanks.

9 REPLIES 9
Ashik_Sheik
Contributor II

Hi ,

 

SD Wan is the best option for Redundant WAN Connection .You need one rule and one route as well .After adding WAN1 and WAn2 to SD wan ..you can select best loadbalancing methods .

 

Then in the policies only one policy eg : LAN to SDWAN policy need to create ..

 

Also in the route one default route need for all the SDWAN members .

 

Before adding the members to SDWAN u should remove all the interface dependencies ...

 

SSL VPN -You should select both WAN1 and WAN2 inetrface in the SSL settings ..

 

IPSEC-You should create 2 tunnel ..one under WAN1 and One under WAn2 for same destination ..

 

I gave very brief idea on each section .There are many few configuration need to perform to achieve this .Let us know if you need more info on each section .

 

Regds,

 

Ashik

Ashu 

 

Ashu
capricorn80

Thanks Ashik.

 

SD WAN is for load balancing and in our case we just want to use one line until it goes down. I can think of it having setup to use both the link and maximize the traffic on our primary link.

 

SSL VPN -You should select both WAN1 and WAN2 inetrface in the SSL settings:

 

How will this make decesion if the traffic goes via WAN1 or WAN2?

 

I am reading the docs and checking video link but if you have some doc links please share.

Ashik_Sheik

Hi,

 

SDWAN by default will give you redundancy .You can also set link load balancing where you can select weight LB .If you need primary link to take full load then give 90% weightage to WAN1 and 10% to WAN2 or you can use Spillover as well .

 

SSL VPN can be accessed by both the links simultaneously  .Better to FQDN for VPN in your public DNS and assign 2 A record WAN1 and WAn2 IP.

 

Regds,

Ashik

Ashu 

 

Ashu
arthur68tw

Hi, Ashu

May I ask a question about SSLVPN be used in SD-WAN environment. my Fortigate 100E's firmware is 6.x , and I configured two ISP's internet cables to WAN1 and WAN2. The SD-WAN is configured ok and work well. After an SSL VPN configuration completed and launched Forti-client to connect this Fortigate 100E unit. SSLVPN connect is ok but will disconnect after several minutes. I check two internet connection . One of them is down as well,  but it will up after 4 -5 seconds, and then the Forti-client appears an alarm message about the SSL VPN connection is down. I can reconnect the SSL VPN from Forti-client. But the same disconnect issue will be repeat again. Google someone solved it by adding  instructions as below, 

 

config vpn ssl settings set route-source-interface enable end

but I can't find out the "route-source-interface" parameter in the set command. any suggestion about this issue?

 

Regds

 

Arthur68tw

rdumitrescu

@Arthur68tw

In 6.x firmware you should use this command:

config system interface

edit <port..>

set preserve-session-route enable

end

arthur68tw

Hi, rdumitrescu

Thanks for your reply. It solved my problem. now a new firmware version 6.0.4 is released. Should I upgrade it since I searched this problem yesterday in the forum and found someone can't solve this problem by adding these instructions at version 6.0.3

P.S. my version is 6.0.2

Regards

 

Arthur68tw

rdumitrescu

Were did you read that in 6.0.3 the command is not working? Can you post a link to the thread?

It should work unless there is a software bug that I am not aware of.

arthur68tw

Hi, rdumitrescu

this is the URL I google "https://forum.fortinet.com/tm.aspx?m=153209". someone mentions 6.0.3 didn't fix this issue at the last post. 

 

Regards

 

 

raul_garcia_jim

Hi, I have a similar isssue, I have a External VDOM with two PPPoE interfaces over SDWAN, I try to use a to SSLVPN over one PPPoE but not working, I not see the sslvpn portal from internet, I review the logs and see that this traffic is deny for local-in-policy, ¿any idea? My version is 6.0.4.

 

Thanks

Regards

Labels
Top Kudoed Authors