SD-WAN Architecture for Enterprise

7.0.0

IPsec overlays

The SD-WAN gateway acts as a dial-up IPsec server for the spokes, terminating a separate dial-up IPsec endpoint on each underlay interface. Branches typically build overlays over all available WAN ports so that multiple paths to the gateway are available. However, some branches may not have the same WAN transports as the gateway, in which case they can connect only to a subset of the overlays.

When designing the IPsec overlays between the branch locations and the gateway, it is important to determine how redundancy is provided across all available links.

Consider the following options:

  • One-to-one overlay mapping per underlay: in this design, each branch underlay terminates an IPsec tunnel to exactly one gateway underlay. This is the most common overlay design and simplifies the configuration, but it provides less redundancy than the full mesh described next.
  • Full mesh overlay mapping: in this design, each branch underlay terminates an IPsec tunnel to every WAN underlay on the gateway. This provides more available paths for traffic during an outage, but adds complexity to the design. It is recommended only when full-mesh redundancy is required.
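As an added example (not configuration from this guide), the one-to-one mapping described above expressed as FortiOS CLI: the hub terminates one dial-up IKEv2 phase1 on each of its two underlays, and a two-transport spoke binds one tunnel per WAN port to the hub endpoint that shares its transport. Interface names, tunnel names, the addresses and the PSK placeholder are assumptions; phase2 selectors and the SD-WAN member configuration are omitted.

```fortios
# Hub side: one dial-up IKEv2 server per underlay (constructed names).
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set type dynamic
        set interface "port1"       # hub underlay 1 (ISP-A)
        set ike-version 2
        set peertype any            # any spoke holding the PSK; prefer per-spoke certs/peer IDs
        set net-device disable
        set proposal aes256gcm-prfsha256
        set add-route disable
        set psksecret <PSK-placeholder>
    next
    edit "HUB1-VPN2"
        set type dynamic
        set interface "port2"       # hub underlay 2 (ISP-B)
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256gcm-prfsha256
        set add-route disable
        set psksecret <PSK-placeholder>
    next
end

# Spoke side, one-to-one mapping: each WAN port builds exactly one tunnel,
# to the hub endpoint on the same transport. A spoke with only wan1 simply
# omits HUB1-VPN2 and lands on a subset of the overlays. For full mesh, add
# HUB1-VPN1 over wan2 and HUB1-VPN2 over wan1 as two further phase1 entries.
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256gcm-prfsha256
        set add-route disable
        set remote-gw 203.0.113.1   # hub port1 address (documentation range)
        set psksecret <PSK-placeholder>
    next
    edit "HUB1-VPN2"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set proposal aes256gcm-prfsha256
        set add-route disable
        set remote-gw 198.51.100.1  # hub port2 address (documentation range)
        set psksecret <PSK-placeholder>
    next
end
```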
