FortiGate IPsec ADVPN with SDWAN and Dual ISPs

  • Published: 24 Jul 2024
  • This tutorial teaches how to configure Auto-Discovery IPsec VPN with SDWAN where each location has two ISP connections.
    Contents of this video
    00:00 Introduction
    On the Hub
    00:57 Configure SDWAN Zone
    02:10 Customize VPN Tunnels
    03:16 Configure Firewall Policies
    04:17 Configure VPN Tunnel IP Address
    05:02 Configure iBGP
    On Spoke 1
    06:31 Configure SDWAN Zone
    07:45 Customize VPN Tunnels
    08:30 Configure Firewall Policies
    09:28 Configure VPN Tunnel IP Address
    On Spoke 2
    10:15 Configure SDWAN Zone
    11:15 Customize VPN Tunnels
    11:55 Configure Firewall Policies
    12:40 Configure VPN Tunnel IP Address
    On Spoke 1
    13:19 Configure iBGP
    On Spoke 2
    14:35 Configure iBGP
    On Hub
    15:58 Configure SDWAN Performance SLAs
    17:28 Configure SDWAN Rules
    On Spoke 1
    18:30 Configure SDWAN Performance SLAs
    19:45 Configure SDWAN Rules
    On Spoke 2
    20:47 Configure SDWAN Performance SLAs
    21:48 Configure SDWAN Rules
    On Hub and Spokes
    23:00 Enable ECMP
    For information about the setup in VMware Workstation, go to drive.google.com/file/d/1V2hg...
    In case you are getting the Error '-9999' when changing remote gateway type of an IPsec tunnel, see the following link community.fortinet.com/t5/For...
    If you have any questions or need further assistance, please feel free to leave a comment below. Don’t forget to subscribe to our channel for more helpful tutorials.

Comments • 66

  • @danielweaver7065 8 months ago +1

    Awesome video, thank you so much for taking the time to put this together!!

  • @stevehille1296 9 months ago

    Excellent run through, thank you.

  • @ricardosoriano1024 9 months ago

    Thank you very much for the video. Super grateful!!

  • @taukirsyed1769 2 months ago

    Thanks for the efforts to build this video. Helped me heaps!

  • @ademolaosindero1278 8 months ago

    Best Tutorial Ever... !!!

  • @jonluigimalihan1449 8 months ago +1

    This is great! Hope there will also be a tutorial on how to set up a dual hub, since it has a point of failure when the hub FW goes down.

  • @muhammadatif2148 10 months ago

    Very informative video

  • @0m0sh 4 months ago +1

    This was quite informative, Sir. Thank you!

  • @kelumidu4116 1 year ago +1

    This is the most effective and valuable one, thank you.

    • @verifine-academy 1 year ago

      Glad it was helpful!

    • @kelumidu4116 1 year ago

      @verifine-academy Sir, do you have the underlay configuration, or at least a connectivity diagram?

    • @verifine-academy 1 year ago

      @kelumidu4116 Check the video description section.

  • @neallaw6382 8 months ago

    Great tutorial!

  • @m.imraniqbaal6912 1 year ago +2

    This was a masterpiece.

  • @hummer-k1k 5 months ago +1

    Thank you so much! 🙂🙂 Can you please make an advanced video with things like "set additional-path"?

  • @ee07168 9 months ago +1

    Excellent job, keep it up.

  • @sobreewaesulong7256 6 months ago

    Thanks for sharing.

  • @josemauricioporrastarazona2219 2 months ago

    Thank you very much for the information, it was very useful and functional. Excellent video.

  • @user-is2kn8no1p 10 months ago +1

    Thanks for the video. It's very informative. I tried it in my lab and I could use only one path between the spokes; the second path does not come up, though both tunnels are up. Could you please suggest?

    • @gyimisgyimis 10 months ago

      Are you able to use both paths between a spoke and the hub? Is your ping performance SLA up for both paths?

  • @praneethbashitha7136 2 months ago +1

    This is a superb video. Please share the config backup if possible.

  • @Wickerdrummer 5 months ago +1

    Very interesting video

  • @kelumidu4116 1 year ago +1

    One small request: ADVPN involves a lot of spokes, therefore it is easier to manage via FortiManager. If you are thinking of more lessons, I suggest the same setup done with FortiManager as well.

  • @RLD_WAY 2 months ago

    Amazing...

  • @shahbazsandhu1031 9 months ago +1

    Thank you for sharing this fantastic video. Furthermore, I just have the following questions:
    1) Why did you change the load-balancing mode to weight-based, and did you make any changes on the WAN links' side at the same time?
    2) Additionally, you set ecmp-max-paths to 4. Could you kindly clarify why this was the case, and what the value would be if there were additional spoke sites, such as 4 or 5?

    • @verifine-academy 9 months ago

      There are many load-balancing algorithms, and you can choose whichever you want. The advantage of weight-based is that the administrator has the greatest control over how much traffic should traverse each interface. The choice of 4 for the ecmp-max-paths value was arbitrary; the default value is 255. We just wanted to show where to change this setting. The value of ecmp-max-paths should be at least the number of sdwan member interfaces if you want all interfaces to participate in passing traffic.

    • @shahbazsandhu1031 7 months ago

      I appreciate your reply, buddy.
      What do you think of the following as well?
      1) Planning to disable the current ADVPN configuration and disable the ADVPN tunnels (configured using OSPF and BGP) in order to configure the new ADVPN setup on the current firewalls.
      2) Since I must complete all of my work remotely and maintain a WAN IP connection to every site, there won't be any conflicts with the current setup if I create a new SDWAN zone, add new SDWAN members with the new IP addressing, and set up VPN tunnels, BGP configuration and firewall policies (exactly as you refer to in the video).
      3) Can I also configure the SDWAN performance SLAs if the above configuration goes well? I'm concerned about whether moving the SDWAN zones will prevent me from accessing the firewalls remotely.
      What are your thoughts on this? I know that doing this work remotely isn't best practice, but it would be great if you could offer any advice.
      Thanks

    • @verifine-academy 7 months ago

      One way to ensure you have remote access to the FortiGate firewalls is to configure Remote Access VPN on the boxes and connect through that. You also have to ensure that reachability to the firewalls via RA VPN is independent of the SDWAN configuration.

  • @jowhor 9 months ago +1

    Thanks for the great work. Can you please tell us how you set up the gateways for both WAN links? Did you use static routing? Adding that information may be helpful for everyone.
    Thanks again.

    • @verifine-academy 9 months ago +1

      Hello. We are using OSPF as the underlay routing protocol. A link on how the lab was set up in VMware Workstation was shared in the description section of this video tutorial. Anyway I will share it with you here again: drive.google.com/file/d/1V2hgiKfvkzgmPL-FSeHglaC_rBnpAkws/view?usp=sharing

    • @jowhor 9 months ago

      Thanks for your reply. In most cases SMEs are getting small chunks of IP addresses with a STATIC ROUTING option. Can you suggest how this solution will fit where the ISP provides only a static route?
      Appreciate your kind response.

  • @TheKinhoow 9 months ago +1

    I noticed something, on my Spokes, the HUB network does not appear to be advertised in BGP, but I can ping it and the Firewall is forwarding it to the tunnel, is that the case or did I do something wrong?

    • @verifine-academy 9 months ago

      Kindly watch the video from 14:21 onwards and see the output of the command "get router info bgp network" executed on Spoke1. The Hub network is also advertised, as shown in the output.

  • @sawkaung7965 9 months ago

    Thanks

  • @VishnuK-br7ee 2 months ago

    I have a mesh topology. I'm migrating from Palo Alto to FortiGate. I need to create two tunnels to AWS/remote sites for redundancy along with BGP. How do I give priority to one specific tunnel on BGP? Can somebody help me? I'm stuck since I'm new to FortiGate.

    • @verifine-academy 20 days ago

      Configure an SDWAN zone and add the two outgoing interfaces as members. Now configure an SDWAN rule using the manual strategy, then prefer one member interface over the other.

  • @ChampionCCC 9 months ago

    I have tried it on a live kit, but I have problems. Is something necessary to enable the overlay routing protocol? My VPN is UP, I can ping the VPN interface IP at each end, but not across the VPN, and when I do "get router info bgp summary", it is completely blank.

    • @verifine-academy 9 months ago

      BGP ought to be up. Kindly go through the steps in the video and make sure you did not miss any step. Let us know what happens.

    • @ChampionCCC 9 months ago +1

      @verifine-academy Many thanks for your reply. I went through it all again, and I had missed the All / All for the Local / Remote on the Spoke end of the Phase 2 setup.

  • @trionotriono8277 1 year ago

    What are the advantages of this system sir? Because I am currently only using aggregate tunnels for the three sites as shown in the diagram.

    • @gyimisgyimis 10 months ago +1

      Aggregate tunnels are for redundancy only. But SDWAN does more than that; it intelligently chooses the best link/path based on jitter, latency, or packet loss.

  • @praneethbashitha7136 1 month ago

    Why is next-hop-self not configured?

  • @3mooreVids 9 months ago

    Following your example in this video, when changing the VPN to custom and selecting dialup, it will not allow it to be created for me. I get a -9999:-9999 error every time. What OS version are you running in your example? I'm using 7.2.5 and it will not work. Any ideas?

    • @verifine-academy 9 months ago

      community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Error-9999-when-changing-remote-gateway-type/ta-p/270240

    • @TheKinhoow 9 months ago +1

      If you are using firmware 7.2 it will cause this problem; from this version onwards it is no longer possible to change Phase 1 of an IPsec tunnel already created, you will have to create another one, so I recommend creating it manually and not in the form shown in the video.

    • @verifine-academy 9 months ago +1

      Thanks for the information

    • @3mooreVids 8 months ago

      I actually got it to work for me while using the wizard as the video shows, with one change: click Edit on Phase 1 during the verify stage before hitting the final OK. If you edit there, you can make your changes, and then when you click OK, it creates without an error.

  • @randybravo2788 9 months ago

    Is there any possible way to get the CLI full config for the Hub and Spokes?

    • @gyimisgyimis 9 months ago

      Unfortunately we did not save the CLI configuration before deleting the lab.

    • @randybravo2788 9 months ago

      Thanks @gyimisgyimis

  • @prem3377 25 days ago

    Spoke-to-spoke cross-tunnel communication is not happening.

  • @pingajay1 4 months ago

    This works only for FortiOS versions before 7.2.

  • @hongquan283 10 months ago

    Can I replace BGP with OSPF?

  • @cdfaulk 7 months ago +3

    This is the best tutorial ever, BUT you don't address the issue of asymmetric routing, that is, "reverse path check failed, deny". How do you take care of that? I have done six of these implementations, and in each case I had to deploy a method to prevent asymmetric routing. If you know a simpler way to do it, I would love to learn that.

    • @verifine-academy 7 months ago +1

      You can use the manual strategy in the SD-WAN rules; also, do not enable load balancing for this manual strategy. Optionally, you may choose the same ISP interface as the preferred one at both ends (at Hub and Spoke).

    • @GabrielSoares-qx7xh 2 months ago +1

      Under BGP there is a preferable route map for when the SDWAN SLA is matched; you can use that to adjust asymmetric traffic.

  • @jaredgaiser3140 2 months ago

    Is there a way to add already existing tunnels to SDWAN zones?