Matt Sherif

Dec 23, 2022 · 2 min

Use Case Explorer - FortiSASE Secure Private Access (SPA)

Update: As I was deploying my other spokes I realized spoke-to-spoke connectivity wasn't establishing or routing correctly. I have added `set ipv4-netmask` to the IPSEC template and it's working correctly now.
 

 
Now that you've secured your remote users' internet access, you have a new application in the datacenter that the remote users need access to. Normally you would have them disconnect from FortiSASE and connect to VPN, but could there be an easier way? FortiSASE Secure Private Access can provide that in conjunction with Secure Internet Access.

Resources in the video:

Hub Configuration:

IPSEC:

# Hub side of the dial-up IPsec tunnel that the FortiSASE PoPs (spokes) connect to.
config vpn ipsec phase1-interface
    edit "uv.nets"
        # Dynamic (dial-up) tunnel: peers connect from addresses the hub does not know in advance.
        set type dynamic
        # Underlay interface the tunnel is bound to; must match the tunnel interface definition below.
        set interface "inet_lag"
        set ike-version 2
        # Any peer ID is accepted, so the pre-shared key is the only thing authenticating a dial-up peer;
        # a long, rotated PSK (or certificate authentication) is what protects this entry point.
        set peertype any
        # One shared tunnel interface for all dial-up peers rather than one interface per peer.
        set net-device disable
        # Mode-config: the hub hands each peer a tunnel address from the pool below plus a DNS server.
        set mode-cfg enable
        set ipv4-dns-server1 10.100.0.20
        # Only cipher/hash are pinned here; no DH group is set, so the platform default applies -- verify it is acceptable.
        set proposal aes256-sha256
        # No routes are installed from peer selectors; reachability comes from BGP (see the BGP section).
        set add-route disable
        set dpd on-idle
        # Hub role for ADVPN shortcut offers, which is what lets spokes build direct spoke-to-spoke tunnels.
        set auto-discovery-sender enable
        # Overlay tagging; the spoke/SASE side is expected to use the same network-id -- confirm on that side.
        set network-overlay enable
        set network-id 100
        # Address pool pushed to peers. ipv4-netmask was added after spoke-to-spoke routing failed
        # without it (see the update at the top of the post).
        set ipv4-start-ip 172.0.0.10
        set ipv4-end-ip 172.0.0.250
        set ipv4-netmask 255.255.255.0
        # Pre-shared key redacted in the post; use a long random value and keep it out of version control.
        set psksecret ...
    next
end
 
# Phase 2 for the dial-up tunnel. No selectors are set, so the defaults apply and
# BGP routing decides what is sent over the tunnel.
config vpn ipsec phase2-interface
    edit "uv.nets"
        # Ties this phase 2 to the phase 1 entry of the same name.
        set phase1name "uv.nets"
        # Keep aligned with the phase 1 proposal and with the spoke side.
        set proposal aes256-sha256
    next
end

Tunnel Interface:

# Tunnel interface created by the phase 1 entry; gives the hub its address in the 172.0.0.0/24 overlay.
config system interface
    edit "uv.nets"
        set vdom "root"
        # Hub overlay address (host mask); peers receive addresses from the mode-cfg pool in the same /24.
        set ip 172.0.0.1 255.255.255.255
        # Services reachable from the overlay: ping is handy for troubleshooting, but https exposes the
        # admin GUI to every spoke -- drop it or limit admin trusted hosts if management over the overlay is not needed.
        set allowaccess ping https
        set type tunnel
        # remote-ip with the /24 mask is what makes the whole overlay subnet directly connected here.
        set remote-ip 172.0.0.254 255.255.255.0
        set role wan
        # Normally auto-assigned by FortiOS; there is no need to copy this value.
        set snmp-index 138
        # Underlay parent interface; matches 'set interface' in the phase 1 entry.
        set interface "inet_lag"
    next
end

BGP:

# iBGP between hub and spokes over the overlay: the hub acts as route reflector so spokes learn each other's routes.
config router bgp
    set as 65001
    set router-id 10.100.0.1
    # No eBGP neighbor appears in this snippet, so ebgp-multipath is inert here.
    set ebgp-multipath enable
    set ibgp-multipath enable
    # Advertise/accept multiple paths per prefix (up to 4) so spokes can use more than one path.
    set additional-path enable
    set additional-path-select 4
    config neighbor-group
        edit "uv-nets-spokes"
            set activate6 disable
            # BFD for fast failure detection of the peering over the tunnel.
            set bfd enable
            set capability-graceful-restart enable
            # Reflected routes carry the hub's overlay address as next hop.
            set next-hop-self enable
            # Keeps received updates so policy changes can be re-applied without a session reset.
            set soft-reconfiguration enable
            # Same AS as the hub (65001) -> iBGP.
            set remote-as 65001
            set additional-path both
            set adv-additional-path 4
            # Needed under iBGP so routes learned from one spoke are reflected to the others.
            set route-reflector-client enable
            # NOTE(review): no BGP session password is set, so the peering relies on the IPsec tunnel
            # alone; any peer holding an overlay address can attempt a session (see neighbor-range).
        next
    end
    # Dynamic neighbors: any peer sourcing from these prefixes joins the group above.
    config neighbor-range
        # Overlay network range (the mode-cfg pool from the IPsec phase 1)
        edit 1
            set prefix 172.0.0.0 255.255.255.0
            set neighbor-group "uv-nets-spokes"
        next
        # SASE PoP Router ID subnet, still unclear if needed
        edit 2
            set prefix 172.1.0.0 255.255.255.0
            set neighbor-group "uv-nets-spokes"
        next
    end
    # Advertise our internal network(s)
    config network
        edit 1
            set prefix 10.100.0.0 255.255.255.0
        next
    end
end

Don't forget to create a policy permitting your overlay network to whichever internal networks you choose to expose.

Additional Resources:

Thank you for watching!
