Fortinet recommended default IPSec and BGP templates for SD-WAN overlay setup 7.0.3

FortiManager 7.0.3 introduces new default BGP and IPsec templates that are designed to help you configure SD-WAN overlays in a hub and spoke topology. The templates are based on Fortinet's best practice recommendations.

Overlays generally consist of a VPN portion and a dynamic routing portion: the IPsec templates configure the network connectivity, and the BGP templates configure the dynamic routing between all locations. The hub acts as a dialup server that accepts connections from dialup clients (the SD-WAN branch devices). The hub uses the mode-cfg option to automatically assign IP addresses from the user-defined network space to connecting branch devices. The BGP neighbor configuration and neighbor range then automatically accept BGP connections from the IP range configured with the mode-cfg option.

Each overlay network requires its own unique network space and network-id, both defined in the IPsec template. The last two IP addresses of the network space should be reserved: one for the hub's IP address in the network and one for administrative use. For example, in a 10.10.10.0/24 overlay network:

  • Spokes use 10.10.10.1 - 10.10.10.252
  • The hub reserves 10.10.10.253
  • The last usable address, 10.10.10.254, is reserved for the remote IP section of the hub's interface

Keep these guidelines in mind when configuring templates for SD-WAN overlays.

In the FortiManager GUI, you can access the new templates by going to Device Manager > Provisioning Templates. You must activate the templates before you can use them. Once activated, a popup pane is displayed, prompting you to enter details specific to your environment. Although the templates are designed for branch and hub devices, you can modify the templates as necessary after you create them.

This topic contains the following sections:

  • Using recommended BGP templates
  • Using recommended IPsec templates

Using recommended BGP templates

FortiManager includes the following recommended BGP templates to help you configure SD-WAN overlays:

Template Name             Description
BRANCH_BGP_Recommended    Fortinet's recommended BGP template for branch device configurations.
HUB_BGP_Recommended       Fortinet's recommended BGP template for hub device configurations.

You must activate the recommended templates to use them. After you create a BGP template for your environment, you can edit, delete, or clone the BGP template.

Meta fields can be used with a recommended template's required fields to ensure that fields are unique when the template is assigned to multiple devices.

This section describes how to:

  • Activate and create a hub BGP template
  • Activate and create a branch BGP template

Activating and creating a hub BGP template

This section describes how to activate and create a BGP template for a hub device. The HUB_BGP_Recommended template guides you to complete the required settings for your environment.

To activate and create a recommended BGP hub template:
  1. Go to Device Manager > Provisioning Templates > BGP Templates.

    The following recommended BGP templates are available:

    • HUB_BGP_Recommended
    • BRANCH_BGP_Recommended

  2. Right-click the HUB_BGP_Recommended template, and select Activate.

    The Activate HUB_BGP_Recommended pane is displayed.

  3. Complete the options, and click OK to create the template.
    Template Name

    Enter a name for the template.

    Enable ADVPN

    Optionally, toggle this setting to enable Auto Discovery VPN (ADVPN).

    Local AS

    Enter the local autonomous system (AS) number.

    Router ID

    Enter the router ID. The router ID is the unique IP address used to identify the hub device.

    Neighbor

    Enter the neighbor IP and Remote AS. The neighbor IP is the IP address used while peering as a neighbor.

    Neighbor Group

    Enter the neighbor group's Remote AS.

    Neighbor Range

    Enter the neighbor range Prefix. This is the network range that branch devices use to connect to the hub.

    Networks

    Enter the networks Prefix.

    The following example uses meta fields in combination with the template.

Activating and creating a branch BGP template

This section describes how to activate and create a BGP template for a branch device. The BRANCH_BGP_Recommended template guides you to complete the required settings for your environment.

To activate and create a branch BGP template:
  1. Go to Device Manager > Provisioning Templates > BGP Templates.

    The following recommended BGP templates are available:

    • HUB_BGP_Recommended
    • BRANCH_BGP_Recommended

  2. Right-click the BRANCH_BGP_Recommended template, and select Activate.

  3. Complete the options, and click OK to create the template.
    Template Name

    Enter a name for the template.

    Enable ADVPN

    Optionally, toggle this setting to enable Auto Discovery VPN (ADVPN).

    Local AS

    Enter the branch's local autonomous system (AS) number.

    Router ID

    Enter the router ID. The router ID is the unique IP address used to identify the branch device.

    Neighbor

    Enter the neighbor IP and Remote AS.

    Networks

    Enter the networks Prefix.

    The following example uses meta fields in combination with the template.

Using recommended IPsec templates

FortiManager includes the following recommended IPsec templates to help you configure SD-WAN overlays:

Template Name               Description
HUB_IPSec_Recommended       Fortinet's recommended template for hub IPsec tunnels.
Branch_IPSec_Recommended    Fortinet's recommended template for IPsec branch device configurations.
IPSec_Fortinet_Recommended  Fortinet's recommended template for IPsec configurations. This template is not used for SD-WAN configuration.

Recommended IPsec templates come preconfigured with best practice recommendations for use within your environment. These templates can be used to simplify deployment of SD-WAN interconnected sites.

You must activate the recommended templates to use them. After you create an IPsec template for your environment, you can edit, delete, or clone the template.

Meta fields can be used with a recommended template's required fields to ensure that fields are unique when the template is assigned to multiple devices.

This section describes how to:

  • Activate and create a branch IPsec template
  • Activate and create a hub IPsec template

Activating and creating a branch IPsec template

This section describes how to activate and create an IPsec template for a branch device. The Branch_IPSec_Recommended template guides you to complete the required settings for your environment.

To activate and create a branch IPsec template:
  1. Go to Device Manager > Provisioning Templates > IPsec Tunnel Templates.

    The following recommended IPsec templates are available:

    • Branch_IPSec_Recommended
    • HUB_IPSec_Recommended
    • IPSec_Fortinet_Recommended

  2. Right-click the Branch_IPSec_Recommended template, and click Activate.

    A pane is displayed where you can enter details specific to your environment.

  3. Complete the options, and click OK to create the template.
    Template Name

    Enter a name for the template.

    Enable ADVPN

    Optionally, toggle this setting to enable Auto Discovery VPN (ADVPN).

    Outgoing Interface

    Enter the outgoing interface. This is the physical port from which the tunnel connection is initiated.

    Local ID

    Enter a Local ID. This is used to identify devices connecting to the hub.

    Remote Gateway

    Enter the remote gateway.

    Pre-shared Key

    Enter the pre-shared key.

    The following example uses meta fields in combination with the template.

    A new template is created based on the recommended template you selected and the configuration details provided.

Activating and creating a hub IPsec template

This section describes how to activate and create an IPsec template for a hub device. The HUB_IPSec_Recommended template guides you to complete the required settings for your environment.

To activate and create a hub IPsec template:
  1. Go to Device Manager > Provisioning Templates > IPsec Tunnel Templates.

    The following recommended IPsec templates are available:

    • Branch_IPSec_Recommended
    • HUB_IPSec_Recommended
    • IPSec_Fortinet_Recommended

  2. Right-click the HUB_IPSec_Recommended template, and click Activate.

    A pane is displayed where you can enter configuration details specific to your environment.

  3. Complete the options, and click OK to create the template.
    Template Name

    Enter a name for the template.

    Enable ADVPN

    Optionally, toggle this setting to enable Auto Discovery VPN (ADVPN).

    Outgoing Interface

    Enter the outgoing interface. This is the physical port on which the branch devices connect to the hub.

    IPv4 Start IP

    Enter the first usable IP address in the range.

    IPv4 End IP

    Enter the last usable IP address in the range.

    IPv4 Netmask

    Enter the IPv4 netmask.

    Pre-shared Key

    Enter the pre-shared key.

    The following example uses meta fields in combination with the template.
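The IPv4 Start IP, End IP and Netmask fields of the hub IPsec template, the Neighbor Range prefix of the hub BGP template, and the reserved hub addresses described in the overlay address-plan rule at the top of this topic all follow from the overlay prefix. The following is an added example in Python; it is not FortiManager code and not part of this page. It generalizes the 10.10.10.0/24 example to any IPv4 prefix and adds two checks worth running before a template is assigned to several devices: that overlay network spaces do not overlap and that network-ids are unique. The dataclass, function names, and the assumed /29 lower bound on overlay size are this example's own choices.

```python
"""Derive hub template values from an overlay prefix and sanity-check a set of overlays.

Added example, not FortiManager code. Field names mirror the template panes
described in this topic (IPv4 Start IP / End IP / Netmask, Neighbor Range prefix);
the class, function names and size limits are assumptions of this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class OverlayPlan:
    network: ipaddress.IPv4Network                 # overlay network space, e.g. 10.10.10.0/24
    network_id: int                                # IPsec network-id; must be unique per overlay
    ipv4_start_ip: ipaddress.IPv4Address           # hub IPsec template: first mode-cfg address
    ipv4_end_ip: ipaddress.IPv4Address             # hub IPsec template: last mode-cfg address
    ipv4_netmask: ipaddress.IPv4Address            # hub IPsec template: IPv4 netmask
    hub_ip: ipaddress.IPv4Address                  # second-to-last address, reserved for the hub
    hub_remote_ip: ipaddress.IPv4Address           # last usable address, remote IP of the hub's interface
    neighbor_range_prefix: ipaddress.IPv4Network   # hub BGP template: neighbor range prefix


def plan_overlay(prefix: str, network_id: int) -> OverlayPlan:
    """Apply the address-plan rule from this topic to any IPv4 prefix.

    For 10.10.10.0/24 this yields spokes 10.10.10.1-10.10.10.252, hub 10.10.10.253
    and hub remote IP 10.10.10.254, matching the example in the introduction.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError("only IPv4 overlays are handled in this example")
    # Assumed lower bound: a /29 leaves four spoke addresses after the two hub
    # addresses are reserved; anything smaller has no usable spoke pool.
    if net.prefixlen > 29:
        raise ValueError(f"{net} is too small for a spoke pool plus two reserved hub addresses")
    hosts = list(net.hosts())  # usable addresses, excluding network and broadcast
    return OverlayPlan(
        network=net,
        network_id=network_id,
        ipv4_start_ip=hosts[0],
        ipv4_end_ip=hosts[-3],
        ipv4_netmask=net.netmask,
        hub_ip=hosts[-2],
        hub_remote_ip=hosts[-1],
        # The BGP neighbor range accepts dynamic peers from the whole mode-cfg network space.
        neighbor_range_prefix=net,
    )


def spoke_accepted(plan: OverlayPlan, spoke_ip: str) -> bool:
    """True if an address a spoke received via mode-cfg would be accepted as a dynamic
    BGP neighbor: inside the neighbor range prefix and inside the assignable pool.
    The two reserved hub addresses are deliberately outside the pool."""
    ip = ipaddress.ip_address(spoke_ip)
    if not isinstance(ip, ipaddress.IPv4Address):
        return False
    return ip in plan.neighbor_range_prefix and plan.ipv4_start_ip <= ip <= plan.ipv4_end_ip


def validate_overlays(plans: List[OverlayPlan]) -> List[str]:
    """Cross-check several overlays as this topic requires: unique network-id and
    non-overlapping network space. Returns the problems found; empty means consistent."""
    problems: List[str] = []
    seen_ids: Dict[int, ipaddress.IPv4Network] = {}
    for p in plans:
        if p.network_id in seen_ids:
            problems.append(
                f"network-id {p.network_id} is reused by {seen_ids[p.network_id]} and {p.network}"
            )
        else:
            seen_ids[p.network_id] = p.network
    for i, a in enumerate(plans):
        for b in plans[i + 1:]:
            if a.network.overlaps(b.network):
                problems.append(f"overlay {a.network} overlaps {b.network}")
    return problems


if __name__ == "__main__":
    # Constructed sample: two overlays with distinct network spaces and network-ids.
    overlays = [plan_overlay("10.10.10.0/24", 1), plan_overlay("10.10.11.0/24", 2)]
    for o in overlays:
        print(f"{o.network} (network-id {o.network_id}): start {o.ipv4_start_ip}, "
              f"end {o.ipv4_end_ip}, netmask {o.ipv4_netmask}, hub {o.hub_ip}, "
              f"hub remote {o.hub_remote_ip}, neighbor range {o.neighbor_range_prefix}")
    print("problems:", validate_overlays(overlays) or "none")
```

Run it with `python3 overlay_plan.py` (file name assumed) to print the values to type into the hub IPsec and hub BGP panes for each overlay; feed every overlay you intend to create into `validate_overlays` so that a reused network-id or an overlapping network space is caught before the templates are assigned.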
