FortiGate SD-WAN configuration with Acreto VPN

Before you start

Overview

SD-WAN solutions transform an organisation's capabilities by leveraging the corporate WAN as well as multi-cloud connectivity to deliver high-speed application performance at the WAN edge of branch sites. In this article we will create dual IPsec tunnels from a FortiGate to Acreto's Ecosystem and use the FortiGate SD-WAN feature to build a robust, fault-tolerant setup in which LAN traffic uses the primary tunnel and moves to the secondary tunnel when the primary goes down.

Prerequisites

  1. A FortiGate installation
  2. An Acreto Ecosystem set up with proper security policies

How-To

Create Gateway for IPsec

Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  1. Name: letters and numbers only (the same restriction that applies to a strongSwan connection name).
  2. Category: IoT
  3. Type: IPsec
  4. Allow connection from: leave empty. This field restricts the source IP address from which the IPsec connection will be accepted; if your FortiGate has a fixed public IP address, entering it here is an inexpensive way to reject IKE attempts from anywhere else.
  5. Local Networks: any local network addresses that will be routed through this gateway.

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use a /32 prefix for the public interface). This will allow you to test connectivity from the gateway through Acreto by using ping, traceroute or similar tools.

Task 1: Read IPsec Gateway Values Required for FortiGate Configuration

To proceed with the FortiGate configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Recommended Ciphers

All of these may be found within the Gateway details panel.

(Animation: how to read the required values from the Gateway details panel)

Task 2: SD-WAN Pre-requisite - Enable Central NAT on FortiGate

If your setup requires source NAT on the WAN interface, we recommend enabling central NAT on the FortiGate so that SD-WAN can be used effectively.

We need to disable NAT on traffic sent across the Acreto tunnels while keeping NAT enabled for traffic going to the ISP. For this scenario it is easier to implement the NAT rules in the "Central NAT" setup than with per-policy NAT: a single firewall policy towards the SD-WAN zone covers both the tunnels and the ISP link, so the NAT decision has to be made per outgoing interface, which is exactly what central SNAT rules do. Note that once central NAT is enabled the NAT setting on individual firewall policies is no longer applied, so any existing policy that relied on per-policy NAT needs a matching central SNAT rule.

  1. To enable central NAT on the FortiGate, log in to the FortiGate CLI and run the following commands:
config system setting
set central-nat enable
end
  2. Log out and log in again to see the Central NAT menu.

Task 3: Configure the primary tunnel on the FortiGate with the Acreto primary Ecosystem

  1. In the FortiGate GUI, go to VPN > IPsec Tunnels. From Create New, click IPsec Tunnel.
  2. In the next window, give the primary tunnel a name (this article uses Acreto-ECO-1), click Custom and click Next.
  3. Configure the following VPN settings:
  • IP Version: IPv4
  • Remote Gateway: Static IP Address
  • IP Address: the primary Ecosystem Gateway address (from Task 1)
  • Interface: select the WAN interface
  • Mode Config: Enable
  • DPD Retry interval: 30
  4. Expand Advanced Options and configure the following values:
  • Add Route: Disabled (routing into the tunnels is handled by the SD-WAN configuration in the later tasks, so the tunnel must not inject its own routes)
  • Authentication Method: Pre-shared Key
  • Pre-shared Key: enter the pre-shared key from Task 1
  • IKE Version: 2
  5. In Phase 1 Proposal, delete all proposals except the two below:
  • Encryption - AES128, Authentication - SHA256
  • Encryption - AES128, Authentication - SHA512
  • DH Group - 15, 14, 2
  • Key Lifetime: 10800
  • Local ID: enter the peer ID
  6. In the Phase 2 settings, enter the following:
  • Encryption - AES128, Authentication - SHA256
  • Encryption - AES128, Authentication - SHA512
  • PFS: Enable
  • DH Group - 15, 14, 2
  • Auto Keep Alive: Enable
  7. Click OK to save the VPN settings.

DH group 2 is 1024-bit MODP and is the weakest of the three groups listed. Keep it only if the Recommended Ciphers read in Task 1 require it; otherwise remove it so the FortiGate can never negotiate it with the peer.

Task 4. Configure the secondary tunnel on the FortiGate with the Acreto secondary Ecosystem

  1. Repeat the above steps to create the secondary tunnel, using the gateway address and pre-shared key of the secondary Ecosystem Gateway. We will use Acreto-ECO-2 as the name of the secondary tunnel in this article.
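The FortiOS CLI equivalent of Tasks 3 and 4, as an added example that is not part of the original article. It assumes the WAN interface is named wan1 and uses the two Acreto peer addresses that appear later in Task 7; the pre-shared keys and local IDs are placeholders to be replaced with the values read from each Gateway's details panel in Task 1. Lines beginning with # are comments for the reader.

```fortios
# Added example, not the article's own configuration.
# Both tunnels: IKEv2, PSK, mode-config, no injected route, 10800 s phase 1 lifetime.
config vpn ipsec phase1-interface
    edit "Acreto-ECO-1"
        set interface "wan1"
        set ike-version 2
        set keylife 10800
        set mode-cfg enable
        set add-route disable
        set proposal aes128-sha256 aes128-sha512
        set dhgrp 15 14 2
        set localid "<peer ID of the primary Gateway>"
        set dpd-retryinterval 30
        set remote-gw 104.193.146.169
        set psksecret "<pre-shared key of the primary Gateway>"
    next
    edit "Acreto-ECO-2"
        set interface "wan1"
        set ike-version 2
        set keylife 10800
        set mode-cfg enable
        set add-route disable
        set proposal aes128-sha256 aes128-sha512
        set dhgrp 15 14 2
        set localid "<peer ID of the secondary Gateway>"
        set dpd-retryinterval 30
        set remote-gw 104.193.146.116
        set psksecret "<pre-shared key of the secondary Gateway>"
    next
end

# Phase 2 with PFS on the same groups and keep-alive, so the SA is
# re-established without waiting for LAN traffic to trigger it.
config vpn ipsec phase2-interface
    edit "Acreto-ECO-1"
        set phase1name "Acreto-ECO-1"
        set proposal aes128-sha256 aes128-sha512
        set pfs enable
        set dhgrp 15 14 2
        set keepalive enable
    next
    edit "Acreto-ECO-2"
        set phase1name "Acreto-ECO-2"
        set proposal aes128-sha256 aes128-sha512
        set pfs enable
        set dhgrp 15 14 2
        set keepalive enable
    next
end
```

After both tunnels are saved, `diagnose vpn ike gateway list` shows the negotiated IKE SAs and `diagnose vpn tunnel list` shows the phase 2 SAs; check that the proposal actually selected is one of the two listed above before moving on to the SD-WAN steps.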

Task 5. Configure SD-WAN and Add Members

  1. Go to Network > SD-WAN Zones. From the Create New drop-down menu, select SD-WAN Member.
  2. In the next window, add the primary Acreto VPN as an SD-WAN member with the details below:
  • Interface: Acreto-ECO-1 (Primary Acreto VPN)
  • SD-WAN Zone: virtual-wan-link
  • Gateway: 0.0.0.0 (no next hop is needed on a point-to-point IPsec interface)
  • Cost: 0
  3. Click OK to save.
  4. Repeat the steps to add the secondary Acreto VPN as an SD-WAN member. Go to Network > SD-WAN Zones. From the Create New drop-down menu, select SD-WAN Member.
  5. In the next window, add the secondary Acreto VPN as an SD-WAN member with the details below:
  • Interface: Acreto-ECO-2 (Secondary Acreto VPN)
  • SD-WAN Zone: virtual-wan-link
  • Gateway: 0.0.0.0
  • Cost: 0
  6. Click OK to save.

Task 6. Add the WAN/ISP interface as a member of the SD-WAN zone

  1. Go to Network > SD-WAN Zones. From the Create New drop-down menu, select SD-WAN Member.
  2. In the next window, add the WAN interface as an SD-WAN member with the details below:
  • Interface: WAN (ISP interface)
  • SD-WAN Zone: virtual-wan-link
  • Gateway: 192.168.128.1 (ISP gateway)
  • Cost: 0
  3. Click OK to save.

Task 7. Configure static routes to send the Acreto peer IPs directly to the ISP

These /32 routes make sure that the IKE and ESP packets addressed to the Acreto peers always leave through the ISP interface. Without them, the default route to SD-WAN added in Task 11 would also match the tunnels' own outer traffic, and the FortiGate could try to send a tunnel's packets into that tunnel.

  1. Add the route for the primary Acreto peer IP.
  2. Go to Network > Static Routes. Click Create New.
  3. In the next window, configure the static route as below:
  • Destination: 104.193.146.169/32
  • Gateway Address: 192.168.128.1 (ISP gateway)
  • Interface: WAN
  4. Click OK to save.
  5. Repeat the previous step to add the route for the secondary Acreto peer IP.
  6. Click Create New.
  7. In the next window, configure the static route as below:
  • Destination: 104.193.146.116/32
  • Gateway Address: 192.168.128.1 (ISP gateway)
  • Interface: WAN
  8. Click OK to save.
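The FortiOS CLI equivalent of Tasks 5, 6 and 7, as an added example that is not part of the original article. It assumes the FortiOS 6.4 and later `config system sdwan` syntax (older releases use `config system virtual-wan-link`), a WAN interface named wan1, and the ISP gateway 192.168.128.1 used throughout the article. Lines beginning with # are comments for the reader.

```fortios
# Added example, not the article's own configuration.
# Three SD-WAN members in the default zone: the two tunnels (no gateway,
# point-to-point) and the ISP link (explicit next hop).
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "Acreto-ECO-1"
            set zone "virtual-wan-link"
            set cost 0
        next
        edit 2
            set interface "Acreto-ECO-2"
            set zone "virtual-wan-link"
            set cost 0
        next
        edit 3
            set interface "wan1"
            set zone "virtual-wan-link"
            set gateway 192.168.128.1
            set cost 0
        next
    end
end

# Host routes for the two Acreto peers. These are more specific than the
# SD-WAN default route added later, so IKE/ESP to the peers always exits
# via the ISP and is never steered into a tunnel.
config router static
    edit 0
        set dst 104.193.146.169 255.255.255.255
        set gateway 192.168.128.1
        set device "wan1"
    next
    edit 0
        set dst 104.193.146.116 255.255.255.255
        set gateway 192.168.128.1
        set device "wan1"
    next
end
```

`edit 0` lets the FortiGate pick the next free route ID, so this does not overwrite existing static routes. `get router info routing-table all` should then show the two /32 entries pointing at wan1, and `diagnose sys sdwan member` should list all three members.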

Task 8. Add a firewall policy for the traffic

  1. Configure a policy to allow traffic from the LAN to the SD-WAN zone.
  2. Go to Policy & Objects > Firewall Policy. Click Create New.
  3. In the next window, configure the policy settings as below:
  • Name: give the policy a name
  • Incoming Interface: LAN
  • Outgoing Interface: virtual-wan-link
  • Source: LAN address
  • Destination: all
  • Schedule: Always
  • Service: ALL
  • Action: Accept
  • Logging: as needed
  4. Click OK to save.

Because the outgoing interface is the SD-WAN zone, this one policy covers traffic to both Acreto tunnels and to the ISP. Destination "all" and service "ALL" are deliberately broad here; the Acreto Ecosystem security policies (prerequisite 2) decide what is allowed across the tunnels. Narrow the destination and service on the FortiGate if your environment requires it.

Task 9. Configure Central NAT

Configure a NAT rule that disables NAT on traffic to the Acreto VPNs, and a second one that enables NAT on traffic to the ISP. The two rules select on the outgoing interface, so they do not overlap.

  1. Go to Policy & Objects > Central SNAT. Click Create New.
  2. In the next window, configure the NAT rule for the Acreto VPNs as below:
  • Incoming Interface: LAN
  • Outgoing Interface: Acreto-ECO-1 and Acreto-ECO-2
  • Source Address: LAN address/subnet
  • Destination Address: all
  • NAT: Disable
  • Enable this policy: Enable
  3. Click OK to save.
  4. Configure the NAT rule that enables NAT on the traffic to the ISP.
  5. Go to Policy & Objects > Central SNAT. Click Create New.
  6. In the next window, configure the NAT rule as below:
  • Incoming Interface: LAN
  • Outgoing Interface: WAN
  • Source Address: LAN address/subnet
  • Destination Address: all
  • NAT: Enable
  • IP Pool Configuration: Use Outgoing Interface Address, or as needed
  • Protocol: Any
  • Enable this policy: Enable
  7. Click OK to save.
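The FortiOS CLI equivalent of Tasks 8 and 9, as an added example that is not part of the original article. It assumes a LAN interface named lan, a WAN interface named wan1, and an existing firewall address object LAN_subnet for the LAN network. Lines beginning with # are comments for the reader.

```fortios
# Added example, not the article's own configuration.
# One policy from the LAN into the SD-WAN zone; it matches whichever
# member the SD-WAN rules pick (either tunnel or the ISP link).
config firewall policy
    edit 0
        set name "LAN_to_SDWAN"
        set srcintf "lan"
        set dstintf "virtual-wan-link"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Central SNAT table (only consulted because central-nat was enabled in
# Task 2; the NAT flag on the policy above is ignored in that mode).
# Rule 1: LAN addresses go into the Acreto tunnels untranslated, so the
# Ecosystem sees and can police the real source addresses.
# Rule 2: LAN addresses leaving via the ISP are translated to the
# wan1 address (no IP pool configured means "use outgoing interface").
config firewall central-snat-map
    edit 0
        set srcintf "lan"
        set dstintf "Acreto-ECO-1" "Acreto-ECO-2"
        set orig-addr "LAN_subnet"
        set dst-addr "all"
        set nat disable
    next
    edit 0
        set srcintf "lan"
        set dstintf "wan1"
        set orig-addr "LAN_subnet"
        set dst-addr "all"
        set nat enable
    next
end
```

Central SNAT rules are evaluated top-down, first match. Because the two rules differ in outgoing interface their order does not matter here, but if you later add a broader rule (for example any interface to any interface with NAT enabled) it must sit below the no-NAT tunnel rule, or LAN traffic into the tunnels will start being translated and the Local Networks configured on the Acreto Gateway will no longer match.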

Task 10. Configure SD-WAN Rules

  1. Configure an SD-WAN rule to send LAN traffic to the Acreto VPNs.
  2. Go to Network > SD-WAN Rules. Click Create New.
  3. Configure the rule as below:
  • Name: Traffic_to_Acreto
  • Source Address: select the LAN address/subnet
  • Destination Address: all
  • Strategy: Manual
  • Interface Preference: Acreto-ECO-1 and Acreto-ECO-2, in that order (the primary tunnel is used while it is up and traffic moves to the secondary when it is not)
  • Status: Enable
  4. Click OK to save.
  5. Add another rule to send all other traffic directly to the WAN/ISP.
  6. Go to Network > SD-WAN Rules. Click Create New.
  7. Configure the rule as below:
  • Name: Traffic_to_WAN
  • Source Address: select the LAN address/subnet
  • Destination Address: all
  • Strategy: Manual
  • Interface Preference: WAN
  • Status: Enable
  8. Click OK to save.

SD-WAN rules are matched from the top down, so Traffic_to_Acreto must stay above Traffic_to_WAN. Both rules match the same source and destination; the second is only reached when neither Acreto tunnel member is usable, which is what lets LAN traffic fall back to the ISP instead of being dropped when both tunnels are down.

Task 11. Add a Default Route to SD-WAN

  1. Go to Network > Static Routes. Click Create New.
  2. In the next window, configure the static route as below:
  • Destination: 0.0.0.0/0
  • Interface: SD-WAN
  3. Click OK to save.

After the SD-WAN configuration, some services initiated by the FortiGate itself (such as FortiGuard, DNS and RADIUS) may be affected, because locally originated traffic now also follows the SD-WAN default route. Refer to Fortinet's KB article to troubleshoot this.
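The FortiOS CLI equivalent of Tasks 10 and 11, as an added example that is not part of the original article. It assumes the SD-WAN member IDs 1 (Acreto-ECO-1), 2 (Acreto-ECO-2) and 3 (wan1) from the earlier member configuration, the address object LAN_subnet, and FortiOS 7.x syntax for the SD-WAN default route (FortiOS 6.4 uses `set sdwan enable` on the route instead of `set sdwan-zone`). Lines beginning with # are comments for the reader.

```fortios
# Added example, not the article's own configuration.
# Rule 1 steers LAN traffic into the tunnels, primary first; rule 2 is the
# fallback to the ISP and is only reached when rule 1 has no usable member.
# Rules are matched top-down, so do not reorder them.
config system sdwan
    config service
        edit 1
            set name "Traffic_to_Acreto"
            set mode manual
            set src "LAN_subnet"
            set dst "all"
            set priority-members 1 2
        next
        edit 2
            set name "Traffic_to_WAN"
            set mode manual
            set src "LAN_subnet"
            set dst "all"
            set priority-members 3
        next
    end
end

# Default route towards the SD-WAN zone. The /32 peer routes from Task 7
# are more specific and keep winning for the tunnel endpoints themselves.
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "virtual-wan-link"
    next
end
```

To verify the result, `diagnose sys sdwan service` lists each rule with its members in preference order and marks which are alive; `diagnose sys sdwan member` shows the member state; and `get router info routing-table all` should show the default route via the SD-WAN members next to the two /32 peer routes via wan1. Bringing the primary tunnel down (for example by disabling Acreto-ECO-1 temporarily) and re-running `diagnose sys sdwan service` is the quickest way to confirm that LAN traffic moves to Acreto-ECO-2 rather than to the ISP.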

Summary

[…]
