SD-WAN Architecture for Enterprise

7.0.0

IPsec overlays

Each SD-WAN gateway acts as a dial-up IPsec server for the spokes, having a separate dial-up IPsec endpoint terminate on each underlay interface. Branches will typically build overlays over all available WAN ports to have multiple paths available to the gateway. However, it can also happen that some of the branches do not have a similar WAN transport. Hence, they will be able to connect only to a subset of the overlays.

When considering the IPsec overlay design between the branch locations and the gateway, it is important to determine how redundancy should occur between all available links.

Consider the following options:

  • One-to-one overlay mapping per underlay: in this design, each branch underlay terminates a new IPsec tunnel to exactly one gateway underlay, normally the one on the same transport. This is the most common overlay design and simplifies the configuration, but it provides less redundancy than the full mesh described next.
  • Full mesh overlay mapping: each branch underlay terminates an IPsec tunnel to every gateway underlay. This is generally not recommended for multi-datacenter deployments, unless there is a specific use case that requires it.
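To make the redundancy trade-off between the two mappings concrete, the following model is an added example, not part of this guide or FortiOS. Site and transport names (ISP1, ISP2, LTE, branch-A/B/C) are constructed, and the full mesh case assumes every branch underlay has IP reachability to every gateway underlay. It enumerates the overlays each design produces for a branch, including a branch that owns only a subset of the gateway's transports, and counts how many overlays survive when a single gateway underlay is lost.

```python
"""Hub-and-spoke IPsec overlay mapping model (added example, not Fortinet code)."""
from itertools import product

# Constructed sample topology: the gateway terminates one dial-up IPsec endpoint
# per underlay; each branch lists only the WAN transports it actually owns.
GATEWAY_UNDERLAYS = ["ISP1", "ISP2"]
BRANCH_UNDERLAYS = {
    "branch-A": ["ISP1", "ISP2"],  # same transports as the gateway
    "branch-B": ["ISP2"],          # single transport: reaches a subset of overlays only
    "branch-C": ["ISP1", "LTE"],   # LTE has no matching gateway underlay one-to-one
}


def one_to_one_overlays(branch_underlays, gateway_underlays):
    """One-to-one mapping: a branch underlay builds a tunnel only to the gateway
    underlay on the same transport. Returns a set of (branch_ul, gateway_ul)."""
    gateway_set = set(gateway_underlays)
    return {(u, u) for u in branch_underlays if u in gateway_set}


def full_mesh_overlays(branch_underlays, gateway_underlays):
    """Full mesh mapping: every branch underlay builds a tunnel to every gateway
    underlay (assumes IP reachability between all of them)."""
    return set(product(branch_underlays, gateway_underlays))


def surviving_overlays(overlays, failed_branch_underlays=(), failed_gateway_underlays=()):
    """Overlays still usable after the given underlays fail on either side."""
    fb, fg = set(failed_branch_underlays), set(failed_gateway_underlays)
    return {(b, g) for (b, g) in overlays if b not in fb and g not in fg}


def redundancy_report(branch_underlays, gateway_underlays):
    """Tunnel count per design and the worst-case number of overlays left to this
    branch after any single gateway underlay is lost."""
    report = {}
    for name, build in (("one-to-one", one_to_one_overlays),
                        ("full-mesh", full_mesh_overlays)):
        overlays = build(branch_underlays, gateway_underlays)
        worst = min(
            (len(surviving_overlays(overlays, failed_gateway_underlays=[g]))
             for g in gateway_underlays),
            default=0,
        )
        report[name] = {"tunnels": len(overlays),
                        "worst_case_after_gateway_underlay_loss": worst}
    return report


if __name__ == "__main__":
    for branch, underlays in BRANCH_UNDERLAYS.items():
        print(branch, redundancy_report(underlays, GATEWAY_UNDERLAYS))
```

Running it shows why the one-to-one design is simpler but weaker: branch-B, with a single transport, keeps exactly one overlay under one-to-one mapping and loses all connectivity when the gateway's ISP2 underlay fails, whereas the full mesh still leaves it a path via the gateway's ISP1 endpoint. The number of tunnels the gateway must terminate grows from the number of shared transports to the product of branch and gateway underlays, which is the operational cost the guide weighs against that extra redundancy.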
