
Author
downlinkvip
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/12/02 18:02:31
  • Status: offline
2020/01/15 05:30:42 (permalink)
0

Create VPN tunnels with two WAN link.

Hi guys,
 
I haven't implemented this before, so please tell me if it is possible to implement the setup below:
Our Fortigate at HQ has two FTTH WAN lines (WAN1, WAN2). I have configured two default routes with the same distance but different priority (we have some DMZ servers, so we want access to these servers by VIP on both WAN links).
 
At the branch, we just have one FTTH WAN (WAN1). Currently, we just have one IPsec VPN site-to-site tunnel from WAN1 of the Branch Firewall to WAN1 of the HQ Firewall, named "VPN tunnel 1".
 
Is it possible to create another IPsec VPN site-to-site tunnel, e.g. from WAN1 of the Branch Firewall to WAN2 of the HQ Firewall? I attached a sample topology for reference. Thanks for reading.

Attached Image(s)

#1
emnoc
Expert Member
  • Total Posts : 5769
  • Scores: 375
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Create VPN tunnels with two WAN link. 2020/01/15 14:56:45 (permalink)
1 (1)
Yes, you can do that and use a routing protocol for example over the tunnels for the local/remote subnets that are carrying the phase2-TS.
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#2
downlinkvip
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/12/02 18:02:31
  • Status: offline
Re: Create VPN tunnels with two WAN link. 2020/01/15 20:36:51 (permalink)
0
Hi @emnoc,
 
Thanks for the reply. I want to understand more about this. For example, I set up a default route (with lower priority) through WAN1, so must all VPN setup packets go through WAN1 (the default route) first, or can they use their own default route (with higher priority) to reach WAN1 (branch Firewall)? Please help.
#3
Yurisk
Silver Member
  • Total Posts : 100
  • Scores: 22
  • Reward points: 0
  • Joined: 2011/12/04 03:30:01
  • Status: offline
Re: Create VPN tunnels with two WAN link. 2020/01/16 03:21:57 (permalink)
0
You have 2 (mostly) unrelated steps here:
1. You set up 2 IPsec tunnels from the branch to the HQ that should be up.
2. Now, once step 1 is done you will have 2 VPN interfaces in the Network tab corresponding to the 2 IPsec tunnels; through which interface you route the remote LANs is up to you. If you run a dynamic routing protocol then you use the priorities of the given routing protocol. If, on the other hand, you use static routes, then add routes to the remote LANs via both VPN interfaces, but set a different priority on one of the routes to force all IPsec traffic to pass through the specific IPsec tunnel. If that prioritized IPsec tunnel goes down, the FG will delete the route to the remote LANs through it, and will install the 2nd route via the 2nd tunnel.
#4
downlinkvip
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/12/02 18:02:31
  • Status: offline
Re: Create VPN tunnels with two WAN link. 2020/01/16 04:16:02 (permalink)
0
Hi Yurisk,
 
I want to be clear about how packets flow in this case. As I said, "I have configured two default routes with the same distance but different priority" (the default route via WAN1 is preferred). So even if I can create the second IPsec VPN successfully, does the data on the WAN2 (HQ) - WAN1 (branch) VPN really go through the WAN2 link (at the HQ firewall)?
 
This is what I mean. For example, an IPsec packet goes from HQ to the branch. The GRE destination IP is the WAN1 IP of the branch FW, and the GRE source IP is the WAN2 IP of the HQ FW. But to reach the WAN1 IP of the branch FW, we need to go through the preferred default route (in this case through WAN1). So the traffic really comes through WAN1, not WAN2. Please help me clarify this.
 
#5
emnoc
Expert Member
  • Total Posts : 5769
  • Scores: 375
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Create VPN tunnels with two WAN link. 2020/01/16 08:05:41 (permalink) (marked helpful by downlinkvip 2020/01/16 18:12:05)
0
What do you mean by default route? Are you planning on routing the branch local LAN traffic across the two tunnels? Again, if yes, then set /32 static routes to the HQ wan1/wan2 end-points for the VPN (IPsec/IKE) and then use a routing protocol (OSPF or RIP) and inject a default route to the branch.
 
At the branch you will advertise the local LAN network(s) only, and then you control traffic with policies at the branch and HQ. You can adjust which IPsec tunnel you use by either metric/priority or even a RIP offset.
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#6
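emnoc's dynamic-routing variant, written out as an added FortiOS 6.x CLI example (this is not configuration from the thread or from any of the posters). It assumes the two route-based tunnel interfaces already exist on both firewalls, and every tunnel name, address, router-id and OSPF cost here is an assumption: the /32 host routes at the branch pin each HQ endpoint to wan1, the tunnels get a /30 each so OSPF can form adjacencies, the branch advertises only its LAN, and HQ originates the default route into OSPF. A higher cost on VPN2 is the "metric" knob emnoc mentions for steering traffic to VPN1 while it is up.

```fortios
# Added example, not from the thread. Assumes the route-based tunnels "VPN1"
# (branch wan1 -> HQ wan1 198.51.100.10) and "VPN2" (branch wan1 -> HQ wan2
# 192.0.2.10) already exist on both firewalls; branch LAN 10.2.0.0/16 is on
# "internal", branch wan1 next hop 203.0.113.1. All addresses are placeholders.
# --- Branch firewall ---
# /32 host routes to each HQ tunnel endpoint, so IKE does not depend on
# whichever default route is preferred at the moment.
config router static
    edit 11
        set dst 198.51.100.10 255.255.255.255
        set gateway 203.0.113.1
        set device "wan1"
    next
    edit 12
        set dst 192.0.2.10 255.255.255.255
        set gateway 203.0.113.1
        set device "wan1"
    next
end
# OSPF needs addressed tunnel interfaces: a /30 per tunnel.
config system interface
    edit "VPN1"
        set ip 10.255.1.2 255.255.255.255
        set remote-ip 10.255.1.1 255.255.255.252
    next
    edit "VPN2"
        set ip 10.255.2.2 255.255.255.255
        set remote-ip 10.255.2.1 255.255.255.252
    next
end
# Advertise only the branch LAN; the higher cost on VPN2 makes it the backup path.
config router ospf
    set router-id 10.255.1.2
    set passive-interface "internal"
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ospf-VPN1"
            set interface "VPN1"
            set network-type point-to-point
            set cost 10
        next
        edit "ospf-VPN2"
            set interface "VPN2"
            set network-type point-to-point
            set cost 20
        next
    end
    config network
        edit 1
            set prefix 10.2.0.0 255.255.0.0
        next
        edit 2
            set prefix 10.255.1.0 255.255.255.252
        next
        edit 3
            set prefix 10.255.2.0 255.255.255.252
        next
    end
end
# --- HQ firewall (tunnel IPs mirrored: VPN1 10.255.1.1/30, VPN2 10.255.2.1/30) ---
# Originate the default route into OSPF so the branch learns it over the tunnels.
config router ospf
    set router-id 10.255.1.1
    set default-information-originate enable
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ospf-VPN1"
            set interface "VPN1"
            set network-type point-to-point
            set cost 10
        next
        edit "ospf-VPN2"
            set interface "VPN2"
            set network-type point-to-point
            set cost 20
        next
    end
    config network
        edit 1
            set prefix 10.255.1.0 255.255.255.252
        next
        edit 2
            set prefix 10.255.2.0 255.255.255.252
        next
    end
end
```

Two conditions for this to work that the CLI above does not show: the phase2 selectors on both tunnels must cover the tunnel /30s and OSPF's multicast traffic (0.0.0.0/0 on both sides is the usual choice), and firewall policies between the tunnel interfaces must permit OSPF. `get router info ospf neighbor` should then list a FULL neighbour on each tunnel, and `get router info routing-table ospf` at the branch should show the default route learned via VPN1 with VPN2 as the higher-cost alternative.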
sw2090
Expert Member
  • Total Posts : 751
  • Scores: 56
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: Create VPN tunnels with two WAN link. 2020/01/16 08:08:44 (permalink) (marked helpful by downlinkvip 2020/01/16 18:12:01)
0
Traffic follows your route. With static routes, it will always use the route with the lowest prio if there is more than one route to the destination subnet or host. The route(s) to the subnet(s) at the branch you want to reach from HQ refer to the corresponding IPsec tunnel interface as destination. The tunnel itself is tied to a specific WAN interface. So traffic to the subnet will get IPsec encapsulated and then flow out through the WAN the tunnel is tied to.
 
If the route with the lowest prio cannot be used, e.g. because the gateway is not available, the FGT will use the one with the next lowest prio. If there is no other route available it will state "no route to host".
 
I do that with our branches this way:
 
I have two IPsec tunnels to the branch, each using a different WAN at HQ and at the branch.
And I have two routes with different prio for every subnet I want to access at the branch.
The FGT then will always use the route with the lowest prio, and if that is down it will be deleted and the other one is used (needs a few seconds to change). Once the first one comes back up, routing will switch back again.
#7
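What sw2090 and Yurisk describe, written out as an HQ-side FortiOS 6.x CLI configuration. This is an added example, not configuration from the thread or from any of the posters; the tunnel and interface names, the documentation-range addresses and the pre-shared-key placeholder are assumptions. Both tunnels terminate on the same branch IP but each phase1 is bound to its own WAN interface, the two default routes keep the same distance and differ only in priority as in the original question, and the two routes to the branch LAN point at the tunnel interfaces with VPN1 preferred. The branch side is the mirror image with both phase1 interfaces bound to its single wan1.

```fortios
# Added example config, not from the thread. Assumed placeholder values:
#   HQ LAN 10.1.0.0/16 on "internal", HQ wan1 next hop 198.51.100.1, HQ wan2
#   next hop 192.0.2.1, branch wan1 public IP 203.0.113.10, branch LAN 10.2.0.0/16.
# Two route-based tunnels to the same branch endpoint, each bound to its own WAN.
config vpn ipsec phase1-interface
    edit "VPN1"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set psksecret CHANGE-ME-PLACEHOLDER
    next
    edit "VPN2"
        set interface "wan2"
        set ike-version 2
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set psksecret CHANGE-ME-PLACEHOLDER
    next
end
config vpn ipsec phase2-interface
    edit "VPN1-p2"
        set phase1name "VPN1"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
    edit "VPN2-p2"
        set phase1name "VPN2"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
# Lower priority value wins while both routes are up (distance stays at the default 10).
config router static
    # Two default routes, same distance, different priority: both stay active,
    # which is what lets IKE on wan2 reach the branch (one default route alone drops VPN2).
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan1"
        set priority 5
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.0.2.1
        set device "wan2"
        set priority 10
    next
    # Branch LAN via each tunnel interface; VPN1 preferred, VPN2 used only while VPN1 is down.
    edit 3
        set dst 10.2.0.0 255.255.0.0
        set device "VPN1"
        set priority 5
    next
    edit 4
        set dst 10.2.0.0 255.255.0.0
        set device "VPN2"
        set priority 10
    next
end
# Policies are per tunnel interface; only HQ -> branch shown, add the mirror policies.
config firewall address
    edit "HQ-LAN"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "Branch-LAN"
        set subnet 10.2.0.0 255.255.0.0
    next
end
config firewall policy
    edit 101
        set name "HQ-to-branch-VPN1"
        set srcintf "internal"
        set dstintf "VPN1"
        set srcaddr "HQ-LAN"
        set dstaddr "Branch-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 102
        set name "HQ-to-branch-VPN2"
        set srcintf "internal"
        set dstintf "VPN2"
        set srcaddr "HQ-LAN"
        set dstaddr "Branch-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two things to check after applying it: `get router info routing-table all` should list both default routes and both 10.2.0.0/16 routes, and `diagnose vpn ike gateway list` should show VPN2 sourced from the wan2 address. A static route via a tunnel interface is only withdrawn once that interface goes down, so the DPD setting on the phase1 is what bounds the "few seconds" failover time sw2090 mentions; without DPD or auto-negotiate a silently dead tunnel can keep the preferred route installed.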
downlinkvip
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/12/02 18:02:31
  • Status: offline
Re: Create VPN tunnels with two WAN link. 2020/01/16 18:38:47 (permalink)
0
Hi @emnoc, @sw2090.
 
The default route here is the default route on the HQ firewall (please refer to my attached image; in this case it is through WAN1). E.g., I have subnet B at the branch, and I configure on the HQ FW a static route pointing to subnet B through VPN2 (WAN2 HQ to WAN1 branch). Does the traffic (from HQ to subnet B at the branch) really go out the WAN2 port (because VPN2 is tied to WAN2 at HQ)?
 
 @emnoc,
Please explain more "Again if  yes, than set /32 static route to the HQ wan1/wan2 end-points for the VPN ( IPSEC / IKE )"
 
Please help me clarify. Thanks much.
 
 
post edited by downlinkvip - 2020/01/16 19:01:31
#8
sw2090
Expert Member
  • Total Posts : 751
  • Scores: 56
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: Create VPN tunnels with two WAN link. 2020/01/16 23:22:44 (permalink) (marked helpful by downlinkvip 2020/01/17 01:15:52)
0
Yes it will, as VPN2 is tied to the WAN. Packets over VPN2 will leave through the WAN that VPN2 is tied to at HQ and will go to the WAN VPN2 is tied to at the branch (as that is the remote gateway).
#9
downlinkvip
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/12/02 18:02:31
  • Status: offline
Re: Create VPN tunnels with two WAN link. 2020/01/17 01:18:12 (permalink)
0
Hi @sw2090,
So even though on the HQ FW we have a default route (through WAN1), if traffic goes through VPN2, it will go out the WAN2 port? But how does the WAN2 port know how to reach WAN1 at the branch FW? Does it just send the traffic to the other side of the link (ISP side)? Please help.
#10
sw2090
Expert Member
  • Total Posts : 751
  • Scores: 56
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: Create VPN tunnels with two WAN link. 2020/01/17 01:46:07 (permalink) (marked helpful by downlinkvip 2020/01/17 06:48:04)
0
Yes it does. You tied VPN2 to WAN2, so the FGT knows that IPsec packets for or from VPN2 have to go via WAN2.
WAN2 does not need to know WAN1 at the branch, because VPN2 at HQ knows that its opposite end (i.e. the remote gateway in the IPsec tunnel settings) is WAN1 at the branch FW.
So VPN2 at HQ will send tunnel packets to VPN2 at the branch; they go out via WAN2 at HQ and will reach the branch via branch WAN1.
 
#11
downlinkvip
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/12/02 18:02:31
  • Status: offline
Re: Create VPN tunnels with two WAN link. 2020/01/17 07:02:23 (permalink)
0
Hi @sw2090,
 
1. I did a lab (on EVE-NG) for this case and it is exactly like you wrote. The traffic going to the branch subnet (through VPN2) goes out the WAN2 port. Thanks much.
2. I also tested the case where I configure just one default route (through WAN1 at the HQ FW). In this case, the tunnel VPN2 goes down and the HQ FW does not forward traffic out the WAN2 port. So, can we only create two VPNs (for the two WANs at the HQ FW) if we configure two default routes, one for each WAN link (maybe same distance/same priority or same distance/different priority)? Please help again.
 
 
 
#12
sw2090
Expert Member
  • Total Posts : 751
  • Scores: 56
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: Create VPN tunnels with two WAN link. 2020/01/17 07:15:23 (permalink)
0
The only way to have only one default route I know is to use SD-WAN.
Then there is only one default route via SD-WAN while tunnels still are tied to the WAN.
#13
emnoc
Expert Member
  • Total Posts : 5769
  • Scores: 375
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Create VPN tunnels with two WAN link. 2020/01/17 07:32:52 (permalink)
0
> The only way to have only one default route I know is to use sd-wan.
 
ECMP would be an option that is supported and will require little effort to set up.
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#14
Jirka
Gold Member
  • Total Posts : 167
  • Scores: 7
  • Reward points: 0
  • Joined: 2014/07/09 11:34:53
  • Location: Czech Republic
  • Status: offline
Re: Create VPN tunnels with two WAN link. 2020/01/17 10:17:20 (permalink)
0
sw2090:
> The only way to have only one default route I know is to use sd-wan.
> Then there is only one default route via sd-wan while tunnels still are tied to wan.
 
Hi,
this is not quite true. See my problem with SD-WAN and two IPsec tunnels from branch to HQ: https://forum.fortinet.com/tm.aspx?m=181462
Of course I have no idea which version of FortiOS "downlinkvip" is using. My problem was 6.2.2 and 6.2.3.
 
Jirka
#15