May 17, 2024

23. Configuring Hub and Spoke VPN with SD-WAN FortiGate 6.2



Published June 14, 2023, 1:20 p.m. by Courtney


Another video focusing on building our topology. In this video we configure the HQ FortiGate and the remote NYC FortiGate so the management subnets can reach each other. We also create the SD-WAN rules so the best tunnel is always used.

Lastly, I apologize for the end of the video where I broke the Health Checks on the HQ FortiGate. Think of it as a bonus troubleshooting example ;-)




Hey guys, welcome back to another video. My name is Devin Adams, I'm a Fortinet instructor here in Tempe, Arizona for Dynamic Worldwide, and I make these videos for the people who take my class. So it's the end of the weekend, and I thought to myself, man, we gotta record some more videos. I don't know who this "we" is; I just also noticed that in my comments I'm always referring to "we". Maybe it's me and my spiritual Forti duck, I have no idea.

Anyways guys, in the last video we created the DMZ, we created a web server here in our DMZ, we protected it with the Web Application Firewall, and we also did some auto-banning of IP addresses, right? So if someone maliciously floods this server it gets pretty much put on a quarantine list. So not too bad.

So anyways, moving along, because the whole goal here was to get through some demos that I've been promising forever, and believe it or not I'd done a few, you know, obviously the iBGP, and also the auto-banning has been requested. But let's just take a moment and do one more video just for the sake of building up our infrastructure, our topology, okay?

So basically guys, we have these two remote sites in New York City and Texas, okay, and then we also have our main headquarters here in Arizona. These are all make-believe of course, and I'm using these 10.200 IP addresses to make-believe publicly routable IP addresses. Anyways, so far we've done nothing with our VPN tunnels at all. All we've done is pretty much routing, and we've been able to ping our loopbacks between our sites; we haven't really been passing traffic between them. Now our 10.x.1 networks, depending on the site, are supposed to be like a management / server subnet, okay? And the goal for this is we are going to make sure that we can connect to our headquarters and be able to reach this web server right here. So we're basically gonna write the firewall rules to let that happen, and hopefully the routing is already in place so we don't really need to do anything else.

Okay, and what's nice about this too is because we have the health checks on the VPNs already, essentially it will take whatever tunnel has the best connection when it comes to our VPN tunnels, so we just gotta write the rules. A lot of this magic actually happens here at the headquarters: we've got to write the rule to let it come from the SD-WAN, aka our VPN tunnels, into this network here, all right? And then we also need to write a rule so the hub and spokes can talk to each other, I mean the two spokes can talk to each other, all right? And we're just doing that for giggles; I don't know if we'd really have that in our infrastructure, I don't know if there's anything here in Texas or New York City we'd need, but anyways that's gonna be our goal. So why don't we just be quiet and get to it.

So I'm gonna go ahead and log into my FortiGate. Now it's been a while since I've messed with this topology, so hopefully everything's working. I'm always a little bit hesitant when it's been a couple of days, unable to contact the server, to see exactly what I'm talking about, so let's go ahead and see what's going on here. All right, that was kind of weird... it was just tired, sure.

So here we go. Really the heart of this, guys, is gonna be our firewall rules, all right? So we know that we set up the SD-WAN, and the SD-WAN tells us, all right, here we go, that we have these four connections. Look at that, New York City's down. Was I messing with something? I think I was. Anyways, we have these four: these are supposed to be our WAN connections, and these are supposed to be our VPN tunnels, all right? They're all lumped together here in our topology. Okay, now these SD-WAN rules basically say how the traffic should be directed, and if you notice here we have essentially, you know, if you're trying to go out to the Internet, go to these sites here. Now we're gonna make a rule that essentially says all right, traffic that is coming from or going to these remote sites, always pick the best connection. So I thought we had the VPN rules, but I think I might have taken them out, so why don't we go ahead and do that right now.

All right, so here I'm gonna say "to New York City". The source address is going to be anything that's coming from our management network, okay, going to... and now here's the thing, have I made the New York internal IP addresses? I don't think I have, so why don't we go ahead and do that. I don't know what color to make those, maybe orange, I don't have a clue. Here we go, so create new, and we're gonna do an address, and we'll say "New York City management subnets" or something like that, all right? So this way it at least knows about it. I don't know why I'm so obsessed with that color; I swear we used orange for something else. You know what, we'll make it fuchsia because it's probably hard to see on YouTube. All right, here we go.

Now here though we're gonna say best quality between these two links here, and the measured SLA, look at that, we actually have a "New York City" one, which I misspelled. Latency, jitter, packet loss, bandwidth; we'll do it for latency. So at least we now know that it will always pick the best path going to New York City. Now don't forget though guys, these are top-down rules. All right, so there we go.

Now if we wanted to, we could also, I just realized, add any traffic going in the other direction, so from New York City. In other words, here we go, we'll just make this bi-directional, right? This way I don't have to write two firewall rules for the New York traffic. So both directions. So I'm gonna actually change that name and just call it "New York City VPN QoS". All right, there we go.

All right, now, just because I have to troubleshoot that New York office and why it's down... just because we have the rules here doesn't mean it's allowed. Nothing happens until we actually write, what, a firewall policy. So let's go ahead and do that, okay? So let's go to Policy & Objects, IPv4 Policy, okay, and this thing's gonna be pretty messy, all right, but essentially we do already have a management-to-SD-WAN one, okay, but I believe this is for the Internet. So now we can't use this, believe it or not, and the reason why is because it's being NATted; we don't NAT our internal addresses, all right? So we're gonna have to make a new firewall rule. Let's go ahead and do that, and I'll just call it "VPN to HQ", all right? So our incoming interface, because it's coming to the HQ, is going to be our SD-WAN; our outgoing interface is going to be our management. Our source, okay, right now all we have is New York; our destination is going to be management, okay. Services: now obviously we limit it to what is needed, guys, I'm just being lazy. Okay, so let's turn off this NAT, because that's the whole point. All right, boom, there we go.

Okay, so we got the rule from our sites going to... okay. So don't forget, the more granular stuff always goes on top. It looks like we did have a rule here for the VIP; I don't even know if we need that, to be honest with you, so I'll explain that a little bit later. But let's go ahead and right-click, and I love this, we can actually clone the reverse, NAT's turned off, I mean how cool is that. So let's open this up and we'll actually say "VPN to remote sites", whatever, so all right, cool. Okay, NAT's turned off, enable the policy, good times. All right, and just to make sure that it hits the VPN tunnel before it goes out, it has to go above the other rule. All right, so believe it or not, that should be it for the HQ side of things. Now we have to do it from the New York side.

So let's go over to New York City. All right, here it is. Like I said, it has been like a week since I've been in these machines; maybe it's dead, I don't know. All right, so let's go to our 10.2.1.254. Wow, look at that, what an address, 10.2.1.254, and that should be our FortiGate if I remember right. Maybe, like I said, it's been a while. So yep, that looks like it was it, so I will log in here. I don't blame it for being a little bit slow; like I said, it's been a while since I've logged in. So here we go, and once again let's go ahead and take a look at the VPN rule, all right, in the SD-WAN, and then we'll also do the, what do you call it, the firewall rules after that. All right, we'll just give it a second here to kind of wake up. Here we go, and we'll come down here to our Network and we'll do our SD-WAN just to make sure that our interfaces are there. All right, and like I said I have no idea why that's down; was I doing an example or something like that? You guys can always go to the Performance SLAs to really see what's going on, and it just looks like it's just not going over that port1. So all right, that's awesome. Anyways, and by the way, it looks like port1 is completely down, so here we go, you know why? It looks like, yeah, it's not even plugged in. Come on Devin, geez. All right, there's nothing like physical layer problems. All right, anyway, that's the big mystery.

Okay, so let's go to our SD-WAN rules, all right, here we go, and let's see what's going on here. So it looks like we have two. All right, now we did have the loopback check, okay; this was just simply a helper to ping through and just test connectivity. Believe it or not, we don't even need that anymore, all right, so I'm actually gonna edit this rule and just use it; I'm gonna recycle it. So there we go.

Oh, cute. I don't even know why I did that; actually, I have no idea why I did that. I was gonna say it's because I brought up the second interface, but that shouldn't have kicked me out of management. Here we go, it's just because I don't edit these and it makes me look like a turkey. All right, so once again we'll go to our Network, we'll go to our rules, here it is, cool. Double-click this bad boy, all right, and we're just gonna rename this to "VPN to HQ". All right, so the source address is obviously going to be our management subnets. Now we don't have anything for HQ here, so why don't we create it, okay, and I'll just say "HQ subnet", and it should technically be "HQ management subnets", there we go, depending on how granular you wanted to be. Now we could have used summarization anyways, because everything from the sites comes from those two octets, but whatever, I'm just being picky. Good ol' fuchsia. All right, now remember I'm doing it in both directions here so I don't have to write two rules. All right, so here we go, and instead of the loopback address we are going to use our management subnet and HQ, so this will guarantee quality between both directions, all right? So for both directions, and we'll say best quality, instead of using just WAN, pick all tunnels, okay, and the SLA for that is going to be our VPN check. Look at that, I've misspelled it again. Oh guys, I'm just awesome. Okay, here we go, so bam, baby.

So there we go, we got the rule in there for our QoS, okay? Let's write our firewall rule, so let's go down here to Policy & Objects, let's go to the IPv4 policies, okay. I have no idea what I got going on here; there shouldn't be much. So we have the SD-WAN going to the loopback; now we did this when we were pinging our connectivity, all right? We technically don't really need that, I was just using it to test it, so you know what, we're gonna recycle it. Here we go, so we're just gonna say "VPN to HQ"... all right, because I guess it should be "from HQ", from HQ, okay. So it's gonna pop out of the SD-WAN and then it's going to hit our management network. All right, source, because it's coming from HQ; destination, because it's going to our management subnet, okay. And it looks like we're just having ping here; we're gonna do ALL, all right, don't need NAT, perfect. Okay, good times, good times. All right, there we go, let's clone it like a sheep. Here we go, and then this is gonna be the "from", so we'll say VPN from our... wait, that should have been "to HQ"; the other one should have been "from HQ", not "to HQ". Oh, let me do it with the dupe name, I'm not too sure, we'll find out. Delete... to-do... oh yeah, I did do "from". You know what, I need some coffee or something.

All right, so there you guys go. I mean, technically speaking, we should have connectivity; I should be able to access that web server now over here in the management... I can't even remember what that IP address was, to be honest with you. What was that IP address? Come on, 10.1.1.5? All right, let's see if we can reach it. So we'll come over here, and if everything worked out right... oh, so close. Don't forget guys, yeah, they are top-down rules; I almost just messed that up. All right, here we go, okay, so 10.1.1.10. So there you guys go, we have connections to headquarters from New York City, all right? Let's test it from the other side, all right, not too bad. Oh, I'm just laughing because these things never go smooth.

All right, here we go, so command, let's go ahead and just ping the internal interface of that other FortiGate. So, huh, there you go, it didn't like it. Yeah, oh weird, I wonder why I got one direction, I just didn't get the other direction. Let's see why. So we have our management IP address going to our subnets, yeah, no NAT, yeah, looks good, looks good. All right, I don't have ping access turned off, I shouldn't; let's take a look. So we know it's working from this direction. For example, I can go to my terminal... right when I said these videos never go smoothly. All right, here we go, .254, okay. Okay, that's just weird, because yeah, that is weird. What's going on? I reached this website. All right, here we go, so we have subnet, always, services all, from... all right, from, we got our HQ management subnet, which is 10.1.1.0/24, all right, and then here we have our 10.2.1.0/24, perfect, and that is "from HQ". Now "to": source is us, destination is them. This firewall policy, all right, not disabled, yeah. Look at that, no traffic. Well I guess I gotta hit refresh; right there should be some traffic because I loaded up the web page right here. Geez. Anyways, look at that, yeah, it just magically started working. Did I have to turn away for it?

All right, so that's working from that direction; I have no idea why the other direction isn't though. So once again we have SD-WAN going to our management ports, all right, so our source is there, our destination is here. Let me just make sure that my interface does have ping access turned on, and it should. Let's go to physical interfaces, and if you guys notice here my port3 does have ping access, so I should be able to hit it from the New York side. All right, so here we go, so "VPN to HQ", all right, so we have our New York City subnets going to management, allowing it. All right, and then here we have management going to New York City, allowing it, and then our services is ALL. Now that should be working; I don't know why that's not working, that's interesting. So we have one direction, we just don't have the other direction. So cute. Anyways, let me make sure that my tunnels are up too; let me go down here to my VPN, let's go to my IPsec tunnels. Yeah, we got one direction up. I don't know why that's not going out. So I'm wondering, is there something else we can try pinging? What is the IP address of this bad boy? There we go, I have 10.2.1.10 configured, all right, let's try that one instead. So like I said, I don't want to bust out the debug commands, but I will. All right, now that should be working; I don't know why that's dropping, to be honest with you. Huh, interesting.

So once again let's just make sure that all is right with the world here, so let's go to our Policy & Objects, okay, IPv4 Policy. So we have it working one direction, just not the other direction. So SD-WAN going into our management ports, New York City subnets, so that is right, that is right. Do we have something else? That thing's not killing it, is it? No, because of the loopback address... we don't need that, by the way, we can actually just kill it. Wait a second, wait a second, didn't we do our health checks with the loopback? Oh, oh no, you know what, I think that's why. Maybe, maybe not. Let's go to our Performance SLAs. Ah, see, dang it. So what happened here is that I had the loopback being the target and I deleted the loopback rule, so essentially it took it down. Now the tunnels are up, so it came in from the New York side, it just didn't come in from the other direction because of the performance SLA of the loopback ones that I took out. I shouldn't have taken it out; I forgot that I did the health checks to the loopback. I am a ding-dong. All right guys, I did that on purpose just to remind you guys to always check twice.

All right, so once again, what happened here: I did not think we needed the loopback rule anymore, I thought I was just using that as an example. It turns out that the loopback was actually being used for the health checks for the VPN tunnels, but only from the New York City side, all right? So I kept the loopback rule at the headquarters side, so the tunnels here never went down. I completely forgot that that is what I was using for my health checks; I forgot that I was actually using the loopback interface. Oh man. Usually guys, by the way, I did the loopback for the iBGP example; I usually use the internal interface of the management ports. So my bad. So watch this, sorry guys, ready? Just like magic. And I did that all just as a learning... nope. All right, so let's go ahead and, yeah, gosh man. All right, so "VPN loopback health check", I don't have a clue.

All right, here we go, so popping out of the SD-WAN going to the loopback, right? So because the loopback is not originating any traffic, and you know what, nothing is actually gonna be on here, but we could be more granular; I'm just being lazy. All right, so there we go. Gosh dang it guys, I'm so sorry. I wish I could say I did that on purpose, but guess what, I did not; I just broke it. So here we are, now watch this. Oh, you guys ready? Oh, look what's coming back to life, yeah. So all right guys, I'm sorry about that. Yeah, yeah, we know you're clearing up. Yeah, so that will take a while because it's all averaged out, all right; this is a per-packet kind of thing that averages out, so this thing takes a little bit longer. But believe it or not, yeah, just like magic. So my bad guys. So there you guys go, we had one direction there. Now we're already at almost 30 minutes, so you know what, I'm gonna stop it right here, and when we get back we're gonna go ahead and do the Texas site, all right? So the one from here to headquarters, and then we'll also do the rules so Texas can talk to New York City's management interface too. All right guys, sorry about that, man. Okay, I'll see you guys in a little bit. Take care.
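The HQ-side configuration from the video, written out as FortiOS 6.2 CLI. This is an added editorial example, not the presenter's own config export. Addresses come from the video (HQ management 10.1.1.0/24, NYC management 10.2.1.0/24, HQ management interface port3); the loopback name `lo-hc` and its address 10.255.1.1, the health-check name `VPN-check`, the SD-WAN member sequence numbers 3 and 4 for the two IPsec tunnels, and the object names are assumptions. The SD-WAN members themselves are assumed to exist already (they were built in earlier videos). The two points the video's troubleshooting turns on are marked in comments: NAT must be off on the VPN policies, and the policy that admits the peer's health-check pings to the loopback must stay in place or the Performance SLA goes dead while the tunnel itself stays up.

```text
# Assumed names: port3 = HQ management interface, lo-hc = loopback used as the
# health-check target (10.255.1.1), SD-WAN members 3 and 4 = the two IPsec tunnels.

config system interface
    edit "lo-hc"
        set vdom "root"
        set type loopback
        set ip 10.255.1.1 255.255.255.255
        set allowaccess ping
    next
end

config firewall address
    edit "HQ-mgmt"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "NYC-mgmt"
        set subnet 10.2.1.0 255.255.255.0
    next
    edit "lo-hc-addr"
        set subnet 10.255.1.1 255.255.255.255
    next
end

# Performance SLA: the remote FortiGate pings this loopback through each tunnel.
# "Best quality" rules are written once per direction; each picks the tunnel
# with the lowest measured latency.
config system virtual-wan-link
    config health-check
        edit "VPN-check"
            set server "10.255.1.1"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set members 3 4
        next
    end
    config service
        edit 10
            set name "NYC-VPN-QoS"
            set mode priority
            set src "HQ-mgmt"
            set dst "NYC-mgmt"
            set health-check "VPN-check"
            set link-cost-factor latency
            set priority-members 3 4
        next
        edit 11
            set name "NYC-VPN-QoS-return"
            set mode priority
            set src "NYC-mgmt"
            set dst "HQ-mgmt"
            set health-check "VPN-check"
            set link-cost-factor latency
            set priority-members 3 4
        next
    end
end

# Policies are matched top-down. The existing NAT-enabled "management to
# SD-WAN" Internet policy must sit BELOW these two, otherwise site-to-site
# traffic is source-NATed and never returns through the tunnel. After
# creating them use: move <new-id> before <internet-policy-id>
config firewall policy
    edit 0
        set name "VPN-to-HQ"
        set srcintf "virtual-wan-link"
        set dstintf "port3"
        set srcaddr "NYC-mgmt"
        set dstaddr "HQ-mgmt"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "VPN-to-remote-sites"
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set srcaddr "HQ-mgmt"
        set dstaddr "NYC-mgmt"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # This is the policy that was deleted in the video. The loopback is a
    # real interface, so without an accept policy the peer's SLA probes
    # are dropped and every rule using that SLA stops selecting a member.
    edit 0
        set name "VPN-loopback-health-check"
        set srcintf "virtual-wan-link"
        set dstintf "lo-hc"
        set srcaddr "NYC-mgmt"
        set dstaddr "lo-hc-addr"
        set action accept
        set schedule "always"
        set service "PING"
        set nat disable
    next
end
```

The video uses `ALL` for the service on both VPN policies; in production restrict it to what the management subnet actually needs. To confirm the repair from the CLI rather than the GUI, `diagnose sys virtual-wan-link health-check` shows the SLA state per member, `diagnose sys virtual-wan-link service` shows which member each rule currently selects, and `diagnose vpn tunnel list` confirms the IPsec SAs are up; the failure mode in the video is exactly the case where the third command looks healthy while the first two do not.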
