SD-WAN / SD-Branch Architecture for MSSPs

7.2.0

IPsec overlay

Within each region, a standard ADVPN configuration is used to build a Hub-and-Spoke topology over each available underlay transport:

  • The Hubs act as Dial-Up IPsec endpoints for the Spokes in the region they serve. A separate Dial-Up IPsec endpoint is configured on each available underlay transport, and every such endpoint defines one point-to-multipoint overlay. Because a Dial-Up endpoint accepts IKE negotiations from any source address, peer authentication (per-Spoke credentials or certificates) is what limits who can join that overlay.

  • Every Spoke builds a separate static IPsec tunnel over each available underlay transport towards each of the Hubs. For example, in a Dual-Hub region with two underlay transports (for example, Internet and MPLS), every Spoke will build four static IPsec tunnels.

  • ADVPN is enabled on all Hubs and Spokes.

Certain variations are possible, depending on the chosen routing design. We will discuss them in the following sections.

To interconnect multiple regions, the Hubs build a Full Mesh topology between themselves over each available underlay transport:

  • All Hub-to-Hub tunnels are static IPsec tunnels. Every Hub builds a tunnel over each available underlay transport towards every other Hub.

  • Optionally, ADVPN can be enabled (in "forwarder" mode) to allow inter-regional shortcuts.
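The tunnel inventory these rules imply, rendered as FortiOS CLI stanzas, as an added example (this is not configuration from the Fortinet document; it models the rules above and emits one phase1-interface/phase2-interface pair per tunnel). All device names, interface names (port1/port2), network-ids, addresses and the PSK placeholder are assumptions chosen for illustration.

```python
"""Build the per-device IPsec tunnel inventory for the regional ADVPN design
and render it as FortiOS 'config vpn ipsec phase1-interface' stanzas.

Added example; names, ports, addresses and the PSK placeholder are assumed."""
from dataclasses import dataclass
from itertools import product
from typing import Optional

MAX_PHASE1_NAME = 15  # FortiOS limit on phase1-interface names


@dataclass(frozen=True)
class Transport:
    name: str          # e.g. INET / MPLS
    interface: str     # underlay port that carries this overlay
    network_id: int    # IKE network-id; must match on every member of the overlay


@dataclass
class Hub:
    name: str
    region: str
    gw: dict           # transport name -> this hub's address on that underlay


@dataclass
class Tunnel:
    name: str
    transport: Transport
    kind: str                      # "dialup" | "spoke" | "hub-mesh"
    remote_gw: Optional[str] = None
    advpn: str = "sender"          # "sender" | "receiver" | "forwarder" | "none"


def hub_dialup_endpoints(hub: Hub, transports: list) -> list:
    """Hub side: one dial-up (point-to-multipoint) endpoint per underlay."""
    return [Tunnel(f"{hub.name}_{t.name}", t, "dialup", None, "sender") for t in transports]


def spoke_tunnels(regional_hubs: list, transports: list) -> list:
    """Spoke side: one static tunnel per (hub, transport) pair, ADVPN receiver."""
    return [Tunnel(f"{h.name}_{t.name}", t, "spoke", h.gw[t.name], "receiver")
            for h, t in product(regional_hubs, transports)]


def hub_mesh_tunnels(hub: Hub, all_hubs: list, transports: list,
                     inter_region_advpn: bool = True) -> list:
    """Hub side: static tunnel to every other hub over every underlay (full mesh)."""
    role = "forwarder" if inter_region_advpn else "none"
    return [Tunnel(f"{hub.name}_{p.name}_{t.name}", t, "hub-mesh", p.gw[t.name], role)
            for p, t in product(all_hubs, transports) if p.name != hub.name]


def render_phase1(t: Tunnel, psk: str = "$PSK_FROM_VAULT") -> str:
    """Emit one phase1-interface stanza; raises on names FortiOS would reject."""
    if len(t.name) > MAX_PHASE1_NAME:
        raise ValueError(f"phase1 name {t.name!r} exceeds {MAX_PHASE1_NAME} characters")
    body = [f'        set interface "{t.transport.interface}"']
    if t.kind == "dialup":
        body += ["        set type dynamic", "        set net-device disable"]
    else:
        body.append(f"        set remote-gw {t.remote_gw}")
        if t.kind == "spoke":
            body.append("        set net-device enable")
    body += ["        set ike-version 2", "        set peertype any",
             f"        set network-id {t.transport.network_id}",
             "        set add-route disable", "        set dpd on-idle",
             "        set proposal aes256-sha256"]
    if t.advpn != "none":
        body.append(f"        set auto-discovery-{t.advpn} enable")
    body.append(f"        set psksecret {psk}")
    return "\n".join([f'    edit "{t.name}"', *body, "    next"])


def render_phase2(t: Tunnel) -> str:
    return "\n".join([f'    edit "{t.name}"', f'        set phase1name "{t.name}"',
                      "        set proposal aes256-sha256",
                      "        set auto-negotiate enable", "    next"])


def render_config(tunnels: list) -> str:
    p1 = ["config vpn ipsec phase1-interface", *(render_phase1(t) for t in tunnels), "end"]
    p2 = ["config vpn ipsec phase2-interface", *(render_phase2(t) for t in tunnels), "end"]
    return "\n".join(p1 + p2)


# Constructed sample topology: two regions, two hubs each, two underlays.
EXAMPLE_TRANSPORTS = [Transport("INET", "port1", 1), Transport("MPLS", "port2", 2)]
EXAMPLE_HUBS = [
    Hub("HUB1", "EU", {"INET": "192.0.2.1", "MPLS": "10.100.0.1"}),
    Hub("HUB2", "EU", {"INET": "192.0.2.2", "MPLS": "10.100.0.2"}),
    Hub("HUB3", "US", {"INET": "198.51.100.1", "MPLS": "10.200.0.1"}),
    Hub("HUB4", "US", {"INET": "198.51.100.2", "MPLS": "10.200.0.2"}),
]


def regional_hubs(region: str) -> list:
    return [h for h in EXAMPLE_HUBS if h.region == region]


if __name__ == "__main__":
    print("# EU spoke")
    print(render_config(spoke_tunnels(regional_hubs("EU"), EXAMPLE_TRANSPORTS)))
    print("# HUB1 (dial-up endpoints + hub mesh)")
    h1 = EXAMPLE_HUBS[0]
    print(render_config(hub_dialup_endpoints(h1, EXAMPLE_TRANSPORTS)
                        + hub_mesh_tunnels(h1, EXAMPLE_HUBS, EXAMPLE_TRANSPORTS)))
```

Running it for the EU region shows the count the text gives: a spoke gets four static tunnels (HUB1_INET, HUB1_MPLS, HUB2_INET, HUB2_MPLS), each hub gets two dial-up endpoints plus six static mesh tunnels (three peers times two underlays). Per-spoke PSKs or certificate authentication belong in the rendered `psksecret`/`peertype` lines before this is pushed to real devices; the shared placeholder is only there to keep the example self-contained.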
