By Matt Sherif

Use Case Explorer - FortiSASE Secure Private Access (SPA)

Update: As I was deploying my other spokes I realized that spoke-to-spoke connectivity wasn't establishing and routing correctly. I have added `set ipv4-netmask` to the IPsec template and it's working correctly now. Now that you've secured your remote users' internet access, you have a new application in the datacenter that the remote users need access to. Normally you would have them disconnect from FortiSASE and connect to VPN, but could there be an easier way? FortiSASE Secure Private Access can provide that in conjunction with Secure Internet Access.




Resources in the video:


Hub Configuration:

IPSEC:

# Hub-side dial-up IKEv2 phase1 that terminates the FortiSASE SPA overlay on "inet_lag".
config vpn ipsec phase1-interface
    edit "uv.nets"
        # Dynamic: the hub accepts inbound tunnels from spokes without a fixed peer address.
        set type dynamic
        set interface "inet_lag"
        set ike-version 2
        # peertype any: no peer-ID check, so the shared psksecret below is the only thing
        # authenticating a connecting spoke. Use a long, random secret; if this hub is reachable
        # from the wider internet, consider restricting the peer ID or moving to certificates.
        set peertype any
        set net-device disable
        # mode-cfg: each spoke receives a tunnel address from the ipv4-start/end pool and the DNS server.
        set mode-cfg enable
        set ipv4-dns-server1 10.100.0.20
        set proposal aes256-sha256
        # Tunnel does not inject routes; reachability is learned via BGP (see the BGP section).
        set add-route disable
        set dpd on-idle
        # auto-discovery-sender / network-overlay / network-id: ADVPN shortcut settings; the
        # network-id is expected to match what the spoke side is configured with.
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 100
        set ipv4-start-ip 172.0.0.10
        set ipv4-end-ip 172.0.0.250
        # Per the post's update: without the /24 netmask the spokes did not route to each other.
        set ipv4-netmask 255.255.255.0
        # Redacted on the page. Treat as a credential: unique per deployment, not reused elsewhere.
        set psksecret ...
    next
end
# Phase2 bound to the "uv.nets" phase1; no selectors are set, so the defaults apply (all traffic).
config vpn ipsec phase2-interface
    edit "uv.nets"
        set phase1name "uv.nets"
        # Same proposal as phase1: AES-256 with SHA-256.
        set proposal aes256-sha256
    next
end

Tunnel Interface:

# Tunnel interface created for the "uv.nets" phase1; hub address on the overlay /24.
config system interface
    edit "uv.nets"
        set vdom "root"
        set ip 172.0.0.1 255.255.255.255
        # allowaccess https exposes the admin HTTPS GUI to every spoke on the overlay.
        # Unless management over the tunnel is intended, drop https here or limit it with
        # admin trusted hosts / a local-in policy; ping alone is enough for reachability checks.
        set allowaccess ping https
        set type tunnel
        # The /24 on remote-ip gives the hub a connected route covering the whole overlay pool.
        set remote-ip 172.0.0.254 255.255.255.0
        set role wan
        set snmp-index 138
        set interface "inet_lag"
    next
end

BGP:


# iBGP (AS 65001) on the hub, acting as route reflector for spokes reached over the "uv.nets" overlay.
config router bgp
    set as 65001
    set router-id 10.100.0.1
    set ebgp-multipath enable
    set ibgp-multipath enable
    # Additional paths: advertise/select up to 4 paths per prefix.
    set additional-path enable
    set additional-path-select 4
    config neighbor-group
        edit "uv-nets-spokes"
            set activate6 disable
            # BFD gives fast failure detection for spoke sessions; pair with the DPD setting in phase1.
            set bfd enable
            set capability-graceful-restart enable
            # Spokes see the hub as next hop for reflected routes.
            set next-hop-self enable
            set soft-reconfiguration enable
            # Same AS as the hub -> iBGP; route-reflector-client lets one spoke's routes reach the others.
            set remote-as 65001
            set additional-path both
            set adv-additional-path 4
            set route-reflector-client enable
            # NOTE(review): no neighbor password is set, so the IPsec tunnel is the only thing
            # protecting these sessions — acceptable while every peer in the range arrives via "uv.nets".
        next
    end
    config neighbor-range
        # Overlay network range: any peer sourcing from this /24 (the mode-cfg pool) is accepted
        # as a dynamic neighbor in the group above.
        edit 1
            set prefix 172.0.0.0 255.255.255.0
            set neighbor-group "uv-nets-spokes"
        next
        # SASE PoP Router ID subnet, still unclear if needed
        # (review: if it proves unnecessary, remove it so the dynamic-neighbor range stays minimal)
        edit 2
            set prefix 172.1.0.0 255.255.255.0
            set neighbor-group "uv-nets-spokes"
        next
    end
    # Advertise our internal network(s)
    config network
        edit 1
            set prefix 10.100.0.0 255.255.255.0
        next
    end
end

Don't forget to create a policy permitting traffic from your overlay network to whichever internal networks you choose to make reachable.


Additional Resources:


Thank you for watching!
