May 16, 2024

18. Creating VPN and health check on 2nd Remote site



Published June 2, 2023, 10:20 p.m. by Liam Bradley


Nothing special about this video. We are simply creating the VPN connection and pinging the loopback to the second site in our lab.

Next video we will add the redundant connections to both sites.




Hey guys, welcome back to another video. My name is Devin Adams, I'm a Fortinet instructor here in Tempe, Arizona, and I record these videos for the people who take my class. In the last video we created a VPN tunnel using the SD-WAN interface on the FortiGate six to three, and then we also created a firewall policy rule to ping a loopback interface so that we could test pretty much the quality of the VPN tunnel. Now, a lot of this is gonna make more sense the more tunnels that we add, but I thought to myself, you know what, at least for tonight, let's go ahead and connect over our Texas FortiGate here. So we did New York City last time; now we're going to take this main WAN 1 here and connect it to the main Windex in here in our additional FortiGates. Guess what, guys, it's identical to what we just did in the last video, but you know, like I said, I don't do any YouTube magic, I tried to show every step on the way.

And yeah, anyways, so before I begin, I was drawing the VPN tunnels, right, and I just realized, you know what, this is gonna get way too messy way too fast, so I'm probably gonna think of a different solution here, maybe even just sketch something for myself. But basically what we're gonna be doing here is using 10 1031 and 1032 for our Texas FortiGates, and I'm just using this naming convention, as in, like, you know, the one here, the 10 there, the 3 here, the 30 here, just to kind of make some sense of the IP address game, whatever. So I'll be quiet. You can always tell when I like to start recording these later too.

So sorry guys, I want to always get a couple of these out of the way. So let's go ahead and build our first tunnel from our headquarters FortiGates. And once again, if you didn't see this before, we did it in the past video, in our New York FortiGate there. Alright, and I cannot remember any of my passwords. Here we go.

Alright, let's log in to the FortiGate. Here we are. OK, so just like before, the very first thing we're gonna want to do is go to our network, our SD-WAN, OK, and we did that the last time, but now we're gonna say create new. Alright, and this is going to say give me a brand new VPN tunnel, and we're gonna say to Texas. Alright, and the IP address is 110 207 1, so these are make-believe public IP addresses, so 10200 dot 7.7 dot 1. Alright, and the outgoing interface is gonna be our port 1. OK, super secret password, bringing it creates, and then we're not gonna do anything until we put an IP address on that interface.

So let's go ahead and do that. Let's go to interfaces, let's open up our SD-WAN, let's open up our port 1, and we should have our Texas. Here we are. And here it's gonna be 10.10.30.1 going into 10.10.30.2. And I kind of explained this before, how normally there's no IP addresses on VPN tunnels, but we're doing it here just to add it to the SD-WAN. So I will even make this pingable if we ever need it for testing reasons. So alright, now that it has an IP address, we should be able to, even though it like disappeared on me, here we go, probably 'cause it's not up. Let's go back and actually add it to the SD-WAN now. Alright, so there we go, to Texas, and now we actually have an IP address that we can pass it off to. Alright, sweet.

Let's go ahead and do the other side, and hopefully it won't lag like it did before. That was horrible, by the way. I'm sorry guys, the last video was like pulling teeth here. Alright, I think it just needs to kind of like wake up. All right, one of these days. Come on, buddy. I'm trying, guys. All right, here we go. So this is our PC over in Texas, and I did this last time in the New York one. Now I just haven't used these little web term boxes in a few days and I think it's just waking itself up, I'm not too sure. So we'll let it log in. In fact I'll just, oh, there it kind of goes. I'm just gonna hit pause here and count to 30 or something.

Yeah, I have no idea why it took so long, but here we go. So we're over here in Texas. Let's just do the opposite. So let's go to network, let's go to our SD-WAN. Alright, let's go ahead and do new. OK, we're gonna say give me a new VPN tunnel. Alright, so this is gonna say to HQ. I don't know why I'm shouting at everyone, my caps lock must be on. Here we go. And it's gonna be 10 200 1.1, and the outgoing interface is gonna be that AT&T one, so I'm just making all these up, of course. Alright, make sure the passwords match up, and that should create our phase 1 and phase 2 for us.

So here we'll hit cancel, all right, and that's because we need to go put in that IP address. So let's go to our interfaces, let's expand our SD-WAN cluster down here. Alright, there we go. OK, so here we'll say, let's see here, yep, 10.10.30.2, 10.10.30.1, make it pingable. Oh, I forgot the /32, my bad. OK, nice. OK, cool, cool. And now let's go add it back to the SD-WAN, and then I'll pass it off. There we go.

Alright, so not too bad. Just make sure that you hit the apply, OK? I made that mistake last time, I didn't hit the apply button. So technically, you know, that is it. So we made the tunnels.

Now our second goal here was to create kind of like a health check, right, and that's why we made those loopback interfaces beforehand. So there's a couple of ways that you could do this. Now, I probably could have made life a whole lot simpler by creating like a zone for my loopback interfaces, so I didn't have to write redundant firewall policies. I didn't even think about that, so obviously this last moment. But that's OK. Let's go ahead and make the firewall policy. It'll be a good practice, right, that, you know, repetition is the mother of all learning kind of thing.

So here we go. I'm gonna say create new, and I'm just gonna say loopback health check. I don't know, I'm not feeling very creative. Anyways, it's gonna pop out of the SD-WAN and it's gonna go to the loopback, and you know what, honestly, I don't care, I don't care, there's nothing but a logical interface. And here I'm just gonna allow ICMP. Alright, don't need that. OK.

Not too bad. All right, and what's nice about this, guys, is that if you remember, we already did that rule in our HQ. So if we head back over to the data center here, to the headquarters, and we go to our policy and objects and we go to our IPv4 policy, our loopback here should also include the Texas office also. We just have to go ahead and add that in our SD-WAN rules. So pretty slick, huh? And that was kind of the last step there, right?

So if we come over here to our system, no, I lied, our SD-WAN rules. OK, now if you guys remember, the last video we made this pretty generic one, right, that went out to New York. OK, so I'm actually going to click this and I'm gonna put a little underscore NYC, and the reason why is because when we start getting redundant tunnels, right, to the same location, they're gonna be added into the same rule. But here I'm gonna go ahead and I am going to make a new rule, but this one is gonna say VPN health check to Texas. All right, and I promise you this should make more sense down the road. OK, and you know what, there might be a better way to accomplish this, all right, but I am gonna have to think of it later.

So anyways, once again we can just use that loopback interface, OK, but this time we're going to manually pick the Texas interface, and like I said, that should make more sense once we actually get multiple tunnels to the same location. All right, so let's go ahead and go to our performance SLAs. All right, we had one that said VPN check NYC, she said New York City. Well, let's go ahead and create a new one, and we're gonna say VPN health check to Texas. All right, and we're gonna be pinging that interface to Texas. Yep.

Not too bad. OK, and as you can see, it's making it. Alright, so then I can go ahead and hit refresh here, and you can see that it is making it through the VPN tunnel and it is keeping an eye out on the quality of that VPN tunnel. So once again, this will make more sense when we start adding redundant tunnels to the same location, all right, because we're gonna tell the SD-WAN to always pick the best one.

All right, so here we go. Let's go ahead and do it on our New York City side. OK, so here we go, New York City side, my Texas side, I'm all over the place. Alright, so we had a rule, but let's go ahead and make the SD-WAN rule. Alright, and this does take care of the routing part of it too. So here we go, we're gonna say create new, we're gonna say VPN to HQ, and this is just gonna be for the health check. We'll have to write some rules later on.

Now, there isn't really a loopback address that we made in this site yet, so let's go ahead and create it. Alright, here we go, two one seven zero zero. I always do that, I always put it up there instead of down there. Oh guys, I'm so sorry. Here we go, and I'll just have to call this off loopback or something. All right, don't forget our /16 so it just takes a look at those first two. OK, here we go. All right, and we'll just manually hand it to our HQ tunnel. Alright, now don't forget these rules are top-down, so you got to make sure that happens.

All right, and then let's go ahead and ping through it for a health check. OK, so we'll say create new, we'll say to HQ VPN health check. I don't know, I messed up the naming conventions. Alright, guys. Alright, so ten to seven zero one, and the participants, because we only got one right now, it's gonna be that guy right there. OK, and then we can see here, all right, we will be able to keep an eye out on our health statistics.

OK, so at this point we have, sorry guys, that was kind of all over the place. So at this point we now have two VPN tunnels, all right, going from our headquarters to New York City and our headquarters to our Texas office. Alright, and we're also pinging through that tunnel to keep an eye out on the quality of the VPN itself. Alright, that's about as far as we've gotten, and like I said in a couple videos ago, taking this slow, step at a time. And you know what, I'm starting to think there might even be a better way to do this design-wise, I'm just drawing a blank at the moment.

But in the next video what we're gonna do is add two more additional tunnels, alright, using our two different LAN connections for our redundancy, and then we can point it down the same way and we can get our health checks going for both of the tunnels and telling it, hey, you know what, always pick the VPN tunnel that's the best. All right, and we'll be able to test that. So alright guys, so sorry that was kind of all over the place, and I'll see you guys soon.
