Update: As I was deploying my other spokes, I realized spoke-to-spoke connectivity wasn't establishing or routing correctly. I have added set ipv4-netmask to the IPSEC template, and it's working correctly now.

Now that you've secured your remote users' internet access, you have a new application in the datacenter that the remote users need access to. Normally you would have them disconnect from FortiSASE and connect to VPN, but could there be an easier way? FortiSASE Secure Private Access can provide that in conjunction with Secure Internet Access.
Resources in the video:
Hub Configuration:
IPSEC:
config vpn ipsec phase1-interface
    edit "uv.nets"
        # Dynamic hub: SASE PoPs and spokes bring up tunnels on inet_lag
        set type dynamic
        set interface "inet_lag"
        set ike-version 2
        set peertype any
        # One shared tunnel interface for all peers (no per-peer net-device)
        set net-device disable
        # Hand each peer an overlay address and DNS server via mode-cfg
        set mode-cfg enable
        set ipv4-dns-server1 10.100.0.20
        set proposal aes256-sha256
        # Overlay routes are learned over BGP, not added by the tunnel
        set add-route disable
        set dpd on-idle
        # ADVPN: the hub offers spoke-to-spoke shortcuts
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 100
        set ipv4-start-ip 172.0.0.10
        set ipv4-end-ip 172.0.0.250
        # Required for spoke-to-spoke reachability (see the update above)
        set ipv4-netmask 255.255.255.0
        set psksecret ...
    next
end
config vpn ipsec phase2-interface
    edit "uv.nets"
        set phase1name "uv.nets"
        set proposal aes256-sha256
    next
end
Tunnel Interface:
config system interface
    edit "uv.nets"
        set vdom "root"
        # Hub overlay address; remote-ip defines the /24 the peers live in
        set ip 172.0.0.1 255.255.255.255
        set allowaccess ping https
        set type tunnel
        set remote-ip 172.0.0.254 255.255.255.0
        set role wan
        set snmp-index 138
        set interface "inet_lag"
    next
end
BGP:
config router bgp
    set as 65001
    set router-id 10.100.0.1
    set ebgp-multipath enable
    set ibgp-multipath enable
    set additional-path enable
    set additional-path-select 4
    config neighbor-group
        edit "uv-nets-spokes"
            set activate6 disable
            set bfd enable
            set capability-graceful-restart enable
            set next-hop-self enable
            set soft-reconfiguration enable
            # Same AS as the hub: iBGP, so the hub reflects spoke routes
            set remote-as 65001
            set additional-path both
            set adv-additional-path 4
            set route-reflector-client enable
        next
    end
    config neighbor-range
        # Overlay network range
        edit 1
            set prefix 172.0.0.0 255.255.255.0
            set neighbor-group "uv-nets-spokes"
        next
        # SASE PoP Router ID subnet, still unclear if needed
        edit 2
            set prefix 172.1.0.0 255.255.255.0
            set neighbor-group "uv-nets-spokes"
        next
    end
    # Advertise our internal network(s)
    config network
        edit 1
            set prefix 10.100.0.0 255.255.255.0
        next
    end
end
Don't forget to create a firewall policy permitting traffic from your overlay network to whichever internal networks you choose to expose.
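As an added check that is not part of the video or the original post: a small Python script (the function names parse_fortios, net_of and check_overlay are my own) that parses FortiOS CLI text like the blocks above and verifies the pieces that must agree for spoke-to-spoke traffic to work: the mode-cfg pool and its ipv4-netmask, the tunnel interface's remote-ip subnet, and a BGP neighbor-range that admits the dynamic peers.

```python
import ipaddress

def parse_fortios(text):
    """Parse FortiOS CLI into nested dicts (config/edit open a level, next/end close it)."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' lines are comments, as on the page
            continue
        kw, _, rest = line.partition(" ")
        if kw in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(rest.strip().strip('"'), {})
        elif kw in ("end", "next"):
            cur = stack.pop()
        elif kw == "set":
            key, _, val = rest.partition(" ")
            cur[key] = val.strip().strip('"')
    return root

def net_of(ip_mask):
    """'172.0.0.254 255.255.255.0' -> IPv4Network('172.0.0.0/24')."""
    ip, mask = ip_mask.split()
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def check_overlay(cfg):
    """Return findings; an empty list means the overlay pieces agree."""
    out, phase1 = [], cfg["vpn ipsec phase1-interface"]
    ranges = [net_of(r["prefix"]) for r in cfg["router bgp"]["neighbor-range"].values()]
    for name, ph1 in phase1.items():
        if ph1.get("mode-cfg") != "enable":
            continue  # no address pool handed out, nothing to cross-check
        tun = cfg["system interface"].get(name, {})
        if "remote-ip" not in tun:
            out.append(f"{name}: no tunnel interface with remote-ip")
            continue
        overlay = net_of(tun["remote-ip"])  # subnet the hub thinks the peers live in
        for key in ("ipv4-start-ip", "ipv4-end-ip"):
            if ipaddress.ip_address(ph1[key]) not in overlay:
                out.append(f"{name}: {key} {ph1[key]} outside {overlay}")
        if "ipv4-netmask" not in ph1:
            out.append(f"{name}: mode-cfg pool has no ipv4-netmask")
        elif net_of(f"{ph1['ipv4-start-ip']} {ph1['ipv4-netmask']}") != overlay:
            out.append(f"{name}: ipv4-netmask disagrees with tunnel subnet {overlay}")
        if not any(overlay.subnet_of(r) for r in ranges):
            out.append(f"{name}: {overlay} not covered by any BGP neighbor-range")
    return out
```

Feed it the hub config as saved from the CLI; with the blocks above as written it returns no findings, and with the ipv4-netmask line removed it flags exactly the condition the update describes.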
Additional Resources:
Thank you for watching!