Use Case Explorer - FortiSASE Secure Private Access (SPA)
Update: As I was deploying my other spokes I realized spoke-to-spoke connectivity wasn't establishing and routing correctly. I have added set ipv4-netmask to the IPsec template and it's working correctly now.

Now that you've secured your remote users' internet access, you have a new application in the datacenter that the remote users need access to. Normally you would have them disconnect from FortiSASE and connect to VPN, but could there be an easier way? FortiSASE Secure Private Access can provide that in conjunction with Secure Internet Access.
Resources in the video:
config vpn ipsec phase1-interface
    edit "uv.nets"
        set type dynamic
        set interface "inet_lag"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 10.100.0.20
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 100
        set ipv4-start-ip 22.214.171.124
        set ipv4-end-ip 126.96.36.199
        set ipv4-netmask 255.255.255.0
        set psksecret ...
    next
end

config vpn ipsec phase2-interface
    edit "uv.nets"
        set phase1name "uv.nets"
        set proposal aes256-sha256
    next
end

config system interface
    edit "uv.nets"
        set vdom "root"
        set ip 188.8.131.52 255.255.255.255
        set allowaccess ping https
        set type tunnel
        set remote-ip 184.108.40.206 255.255.255.0
        set role wan
        set snmp-index 138
        set interface "inet_lag"
    next
end

config router bgp
    set as 65001
    set router-id 10.100.0.1
    set ebgp-multipath enable
    set ibgp-multipath enable
    set additional-path enable
    set additional-path-select 4
    config neighbor-group
        edit "uv-nets-spokes"
            set activate6 disable
            set bfd enable
            set capability-graceful-restart enable
            set next-hop-self enable
            set soft-reconfiguration enable
            set remote-as 65001
            set additional-path both
            set adv-additional-path 4
            set route-reflector-client enable
        next
    end
    config neighbor-range
        # Overlay network range
        edit 1
            set prefix 220.127.116.11 255.255.255.0
            set neighbor-group "uv-nets-spokes"
        next
        # SASE PoP Router ID subnet, still unclear if needed
        edit 2
            set prefix 18.104.22.168 255.255.255.0
            set neighbor-group "uv-nets-spokes"
        next
    end
    # Advertise our internal network(s)
    config network
        edit 1
            set prefix 10.100.0.0 255.255.255.0
        next
    end
end
Don't forget to create a firewall policy permitting traffic from your overlay network (the tunnel interface) to whatever internal networks you're choosing to expose.
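The update above came from a hub template that was missing ipv4-netmask, and the BGP and policy pieces each have their own way of silently breaking spoke-to-spoke or spoke-to-datacenter traffic. The script below is an added example, not part of the video or the post, that parses a FortiOS-style hub config and checks the dependencies the config blocks above rely on: mode-cfg with a pool and netmask, an iBGP neighbor-range covering that pool whose group is a route-reflector client, and an explicit (not blanket) firewall policy from the tunnel interface. The sample config, the tunnel and group names, the 10.255.100.0/24 overlay and the address objects "spa-overlay" and "dc-app-net" are all constructed placeholders, and the check logic is mine rather than anything FortiOS provides.

```python
import ipaddress
import shlex

# Constructed sample hub config (names and addresses are placeholders, not the post's
# values); the policy assumes address objects "spa-overlay" and "dc-app-net" exist.
HUB_CONFIG = """
config vpn ipsec phase1-interface
    edit "spa-hub"
        set type dynamic
        set mode-cfg enable
        set ipv4-start-ip 10.255.100.2
        set ipv4-end-ip 10.255.100.253
        set ipv4-netmask 255.255.255.0
    next
end
config router bgp
    set as 65001
    config neighbor-group
        edit "spa-spokes"
            set remote-as 65001
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.255.100.0 255.255.255.0
            set neighbor-group "spa-spokes"
        next
    end
end
config firewall policy
    edit 10
        set srcintf "spa-hub"
        set dstintf "lan"
        set srcaddr "spa-overlay"
        set dstaddr "dc-app-net"
        set service "HTTPS"
        set action accept
    next
end
"""

# The same config with the netmask line dropped: the state the update describes, before the fix.
BROKEN_CONFIG = "\n".join(l for l in HUB_CONFIG.splitlines() if "ipv4-netmask" not in l)


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: table -> entry -> {key: [values]}."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd in ("config", "edit"):          # open a table or an entry in it
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":                     # attribute with one or more values
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):           # close the entry or table
            stack.pop()
        else:
            raise ValueError(f"unexpected FortiOS keyword: {raw}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/end or edit/next")
    return root


def lint_spa_hub(cfg):
    """Return findings for a dial-up hub config; an empty list means the pieces agree."""
    out = []
    bgp = cfg.get("router bgp", {})
    groups = bgp.get("neighbor-group", {})
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("type") != ["dynamic"]:
            continue
        if p1.get("mode-cfg") != ["enable"] or "ipv4-netmask" not in p1:
            out.append(f"{name}: mode-cfg with ipv4-start-ip, ipv4-end-ip and ipv4-netmask is required")
            continue
        overlay = ipaddress.ip_network(f'{p1["ipv4-start-ip"][0]}/{p1["ipv4-netmask"][0]}', strict=False)
        # iBGP: a neighbor-range covering the pool, whose group is a route-reflector client,
        # is what lets spokes learn each other's routes through the hub.
        if not any(
            overlay.subnet_of(ipaddress.ip_network("/".join(r["prefix"]), strict=False))
            and groups.get(r.get("neighbor-group", [""])[0], {}).get("remote-as") == bgp.get("as")
            and groups.get(r.get("neighbor-group", [""])[0], {}).get("route-reflector-client") == ["enable"]
            for r in bgp.get("neighbor-range", {}).values()
        ):
            out.append(f"{name}: no route-reflecting iBGP neighbor-range covers {overlay}")
        # Firewall: the overlay needs an explicit accept policy, and not a blanket one.
        accepts = [p for p in cfg.get("firewall policy", {}).values()
                   if name in p.get("srcintf", []) and p.get("action") == ["accept"]]
        if not accepts:
            out.append(f"{name}: no firewall policy accepts traffic from the tunnel interface")
        if any(p.get("dstaddr") == ["all"] and p.get("service") == ["ALL"] for p in accepts):
            out.append(f"{name}: a policy allows every destination and service from the overlay")
    return out


if __name__ == "__main__":
    print("fixed template:", lint_spa_hub(parse_fortios(HUB_CONFIG)) or "no findings")
    print("before the netmask fix:", lint_spa_hub(parse_fortios(BROKEN_CONFIG)))
```

Paste a `show` export of your own hub into HUB_CONFIG to run it against real values; the parser only understands the config/edit/set/next/end keywords, so strip any `config-version` header first.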
Thank you for watching!