- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SD-WAN redundant routing question
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SD-WAN redundant routing question
I have a high level question if a scenario is possible.
I have 2 main head office sites, with a traditional MPLS link connecting the 2, lets call them site A and site B, each site also has a leased line for internet access. Each site has a 300D HA pair for corporate firewall.
I also have remote offices with a DSL internet connection and VPN connectivity to site A, using Fortigate 60E DSL.
Is it possible to configure resilient VPN connectivity / SD-WAN so that if the internet leased line to site A fails, the remote office can still access resources on site A, via VPN to site B and across MPLS?
Each site has unique internal address, lets say 10.1.x.x/16 for site A, 10.2.x.x/16 for site B and 10.3.x.x/16 for remote site, the routing on the MPLS forwards traffic for 10.3.x.x/16 to site A, as traffic is expected to route from this firewall / VPN endpoint, traffic from site B to remote site is required so I can't change MPLS routing.
It's all a bit blue sky thinking right now, wondering if anyone has done the same.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure how SD-WAN fits in your situation while FGT's SD-WAN is mainly focusing on multiple/redundant connectivity & monitor/control for Cloud-resources. I don't have any experience how it would control traditional VPN traffic&redundancy over it. Somebody else might be able to answer.
But your situation is a traditional dynamic routing situation. What we do for that kind of situation (actually that's our business) is to set up dynamic routing protocol, specifically eBGP among all three locations over MPLS connectivity including VPNs so that we can manipulate preference one path over the other using communities, which we can't do with OSFP.
But if you haven't dealt with any routing protocol and strictly been using static routes, I would set two static routes for the same destination like 10.3/16 with different distance or priority to both VPNs. When the primary site-A VPN comes down, the secondary site-B VPN route would be used.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually that covers only one direction. You also need to set another set of static routes with different distance or priority to get back to the remote location from the Site-A: one toward the direct VPN for primary, and another toward Site-B for secondary.
That's the reason we use BGP. It's automatic.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And, of course, Site-B needs to have a static route for the remote location toward the VPN.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You are correct i have very little experience of BGP, it's managed for me on the MPLS, and on my kit I just use static routes.
I think I have a solution:
**I am going to create an additional VPN between site A and site B across the MPLS, but not having any static routes across the VPN for site to site traffic.
**I then create VPN between remote site and each of site A and site B across internet, have weighted routes at site A traffic to remote site over least cost / distance direct VPN, higher cost / distance route over the site A-B VPN, have have weighted routes at remote site a traffic to site A over least cost / distance direct VPN, higher cost / distance route to site B.
**I then create policy based routes at site B that everything ingress from site AB VPN route to remote site VPN, everything ingress from remote site VPN route to site AB VPN.
Worst case scenario is that traffic from site B to remote site needlessly has to cross the MPLS twice if the failover is in affect, but I don't have to change routing on MPLS and *I think* it will work.
Related Posts
- Performance of a "software switch" with... 190 Views
- Policy based routing questions 373 Views
- SSID quarantine host question 289 Views
- SD-WAN DUAL-HUB-BGP 301 Views
- L2TP VPN and HA 201 Views
Labels
-
FortiGate
6,450 -
FortiClient
1,287 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.