Configure Redundant IPsec VPN with SD-WAN


 

IPsec Tunnel Interface:

# Tunnel interface for the ISP1 IPsec VPN. It is created as a "tunnel" type
# interface bound to the ISP1 underlay port so it can be used as an SD-WAN member.
config system interface
    edit "tun1-isp1"
        set vdom "root"
        # /32 host address for this end of the tunnel
        set ip 172.16.1.1 255.255.255.255
        # Only ping is permitted on the tunnel interface itself (no https/ssh/snmp);
        # this is the minimum needed for reachability checks across the tunnel.
        set allowaccess ping
        set type tunnel
        # Address of the far end of the tunnel (the peer's tunnel IP)
        set remote-ip 172.16.1.2 255.255.255.0
        set snmp-index 9
        # Underlay WAN interface that carries this tunnel (ISP1)
        set interface "port1"
    next
end
# Tunnel interface for the ISP2 IPsec VPN; mirrors tun1-isp1 on a separate
# /24 and a separate underlay port so the two tunnels are independent paths.
config system interface
    edit "tun2-isp2"
        set vdom "root"
        # /32 host address for this end of the tunnel
        set ip 172.16.2.1 255.255.255.255
        # Only ping is permitted on the tunnel interface itself (no https/ssh/snmp)
        set allowaccess ping
        set type tunnel
        # Address of the far end of the tunnel (the peer's tunnel IP)
        set remote-ip 172.16.2.2 255.255.255.0
        set snmp-index 11
        # Underlay WAN interface that carries this tunnel (ISP2)
        set interface "port2"
    next
end
# IKE phase 1 for the ISP1 tunnel (static site-to-site, pre-shared key).
config vpn ipsec phase1-interface
    edit "tun1-isp1"
        set interface "port1"
        # "peertype any" with a static remote-gw: the peer is authenticated by the
        # PSK alone, so the PSK must be strong and unique to this tunnel.
        set peertype any
        # net-device disable: the tunnel is a single interface (no per-peer
        # dynamic sub-interfaces), which is what the SD-WAN member config expects.
        set net-device disable
        # AES-128 / SHA-256 for IKE. No DH group is set here, so the device default
        # applies — NOTE(review): confirm the default group meets your policy.
        set proposal aes128-sha256
        set comments "VPN:  -- Created by VPN wizard"
        set wizard-type simplified-static-fortigate
        # NAT traversal is off: neither gateway should sit behind NAT for this tunnel.
        set nattraversal disable
        # NOTE(review): 192.168.0.109 is a private (RFC 1918) address, unlike the
        # ISP2 peer below — presumably a lab/underlay setup; verify before reuse.
        set remote-gw 192.168.0.109
        # The PSK is shown in its exported ENC form. Treat it as sensitive: it is
        # an encrypted value, not a hash, and a published export should never be
        # reused — generate a fresh, strong PSK for each tunnel.
        set psksecret ENC R9fCWqyeaUHzp0f6Vdapi/LtD+EPW1DlPJ4yIZD9kWnYa9qZrcH0pOkUcgVj68zE9vtWqWm3THdcvcV/CnZQk37YeY9lWiokdWa3qsvF7pcStqop/gD9ET+pZyCdqFb0RKf56vANDnt1/bydknXG/cOMbGKk2C6o3OwpDUOxJfBJB+4hRJZj+3TB5PoaMAQq19mJBVlmMjY3dkVA
    next
end
# IKE phase 1 for the ISP2 tunnel (static site-to-site, pre-shared key);
# same settings as tun1-isp1 on the second underlay port.
config vpn ipsec phase1-interface
    edit "tun2-isp2"
        set interface "port2"
        # Peer authenticated by PSK only (static remote-gw, any peer ID)
        set peertype any
        # Single tunnel interface, used directly as an SD-WAN member
        set net-device disable
        # AES-128 / SHA-256 for IKE; DH group left at the device default —
        # NOTE(review): confirm it meets your policy.
        set proposal aes128-sha256
        set comments "VPN:  -- Created by VPN wizard"
        set wizard-type simplified-static-fortigate
        # NAT traversal is off: neither gateway should sit behind NAT for this tunnel.
        set nattraversal disable
        # Public address of the ISP2 peer gateway
        set remote-gw 14.140.40.109
        # Exported ENC form of the PSK — sensitive, never reuse a published value;
        # set a fresh, strong PSK that differs from the ISP1 tunnel's.
        set psksecret ENC yRP0+M+n7aixse7oobG75YVzbJ5YDlbaxmHEgtag1fy+PiGZN60A/UpI8U/o1XnkDx2DyGL/X+QqezlYuAEkW4uGdpn4lzyD+y9JLpSzyGUUk1bshaxMtmjxW5mTlQg6H3/atlMwcIaikq/DDMvGzxP28x0UqzWvzLOX4LFwPuMopcFKFonPVpdVNU/F8TzvmgRvYVlmMjY3dkVA
    next
end
# IKE phase 2 selectors. Each tunnel gets two: a LAN-to-LAN selector for user
# traffic (the same 20.20.20.0/24 -> 10.10.10.0/24 pair on both tunnels, so
# SD-WAN can steer that traffic over either), and a host-to-host selector
# from the tunnel IP to 8.8.8.8 so the SD-WAN health-check probes have a
# matching SA. The remote peer must carry mirror-image selectors (and a
# route to 8.8.8.8) for the probes to succeed — verify on the far end.
config vpn ipsec phase2-interface
    edit "tun1-isp1"
        set phase1name "tun1-isp1"
        set proposal aes128-sha256
        # Bring the SA up without waiting for user traffic, so the tunnel is
        # established before the health check needs it.
        set auto-negotiate enable
        set comments "VPN:  -- Created by VPN wizard for SD-WAN"
        # Selectors reference firewall address objects by name
        set src-addr-type name
        set dst-addr-type name
        set src-name "20.20.20.0/24"
        set dst-name "10.10.10.0/24"
    next
    edit "tun2-isp2"
        set phase1name "tun2-isp2"
        set proposal aes128-sha256
        set auto-negotiate enable
        set comments "VPN:  -- Created by VPN wizard for SD-WAN"
        # Identical LAN-to-LAN selector to tun1-isp1, so both tunnels are
        # valid paths for the same traffic.
        set src-addr-type name
        set dst-addr-type name
        set src-name "20.20.20.0/24"
        set dst-name "10.10.10.0/24"
    next
    edit "tun1-isp1-p2"
        set phase1name "tun1-isp1"
        set proposal aes128-sha256
        set auto-negotiate enable
        # Host-to-host selector: tunnel IP -> health-check server (see the
        # "Monitor_SLA" health check, which pings 8.8.8.8 via members 1 and 2)
        set src-addr-type ip
        set dst-addr-type ip
        set src-start-ip 172.16.1.1
        set dst-start-ip 8.8.8.8
    next 
    edit "tun2-isp2-p2"
        set phase1name "tun2-isp2"
        set proposal aes128-sha256
        set auto-negotiate enable
        # Host-to-host selector for the ISP2 tunnel's health-check probes
        set src-addr-type ip
        set dst-addr-type ip
        set src-start-ip 172.16.2.1
        set dst-start-ip 8.8.8.8
    next 
end 

SD-WAN configuration (zone and members):

FG (sdwan) # show
# SD-WAN: both IPsec tunnels are members of the "virtual-wan-link" zone; a
# ping-based health check marks a member dead/alive, and one service rule
# steers the LAN-to-LAN traffic over member 1 first, then member 2.
config system sdwan
    set status enable
    config zone
        # Zone referenced by the firewall policies and the static route
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "tun1-isp1"
        next
        edit 2
            set interface "tun2-isp2"
            # NOTE(review): member 2 carries an explicit priority of 2 while
            # member 1 is left at default — presumably to make ISP2 the
            # less-preferred path; confirm against the release's semantics.
            set priority 2
        next
    end

SDWAN SLA:

    # Health check: ICMP to 8.8.8.8 through both tunnel members (the
    # matching phase 2 selectors are tun1-isp1-p2 / tun2-isp2-p2).
    # 3 consecutive failures mark a member down, 3 successes bring it back.
    # NOTE(review): the unit of "interval" differs between FortiOS releases
    # (seconds in older ones, milliseconds in newer ones) — confirm the
    # intended probe rate on the target firmware.
    config health-check
        edit "Monitor_SLA"
            set server "8.8.8.8"
            set interval 30
            set failtime 3
            set recoverytime 3
            set members 1 2
        next
    end  

SDWAN Policy:

    # Service rule: no "mode" is set, so the listed member order is the
    # preference (1 = ISP1 tunnel, then 2 = ISP2 tunnel). The src/dst match
    # the LAN-to-LAN phase 2 selectors above.
    config service
        edit 1
            set name "SDWAN-rule"
            set dst "10.10.10.0/24"
            set src "20.20.20.0/24"
            set priority-members 1 2
            set priority-zone "virtual-wan-link"
        next
    end  
end 

Firewall Policy:

# Outbound policy: LAN (port4) -> SD-WAN zone (both tunnels), limited to the
# 20.20.20.0/24 -> 10.10.10.0/24 pair that the VPN selectors and the SD-WAN
# rule cover.
config firewall policy
    edit 1
        set name "SD_WAN_ALLOW_OUT"
        set uuid 6d14ed54-6a72-51ef-801e-eafdb8bd0224
        set srcintf "port4"
        # Destination is the SD-WAN zone, not an individual tunnel, so failover
        # between tunnels needs no policy change.
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "20.20.20.0/24"
        set dstaddr "10.10.10.0/24"
        set schedule "always"
        # NOTE(review): service "ALL" with no security profiles or explicit
        # logging setting — restrict to the services actually needed between
        # the sites and consider `set logtraffic all` so VPN traffic is visible
        # in the logs.
        set service "ALL"
    next
end
# Inbound policy: SD-WAN zone (both tunnels) -> LAN (port4), the mirror of
# policy 1 (10.10.10.0/24 -> 20.20.20.0/24).
config firewall policy
    edit 2
        set name "SDWAN_ALLOW_IN"
        set uuid 92244ad6-6a72-51ef-2e44-c926d9a54e6b
        set srcintf "virtual-wan-link"
        set dstintf "port4"
        set action accept
        set srcaddr "10.10.10.0/24"
        set dstaddr "20.20.20.0/24"
        set schedule "always"
        # NOTE(review): this accepts every service from the remote site into
        # the LAN with no security profiles and no explicit logging setting.
        # Inbound is the direction most worth tightening: limit "ALL" to the
        # required services and consider `set logtraffic all`.
        set service "ALL"
    next
end

Static Route:

# Route pointing at the SD-WAN zone so traffic for the SD-WAN rule has a path
# over the tunnels. No "dst" is set, so this behaves as a default route
# (0.0.0.0/0) via the zone — NOTE(review): if this device has no other
# default route, all non-matching traffic is also sent into the VPN zone;
# narrow "dst" to 10.10.10.0/24 if only the remote LAN should use the tunnels.
config router static
    edit 1
        set distance 1
        set sdwan-zone "virtual-wan-link"
    next
end



