12-05-2023 08:18 AM
Hello,
I have a customer that has a branch office in China. Before, they were using a direct L2L VPN between the branch office and HQ, but a while ago the VPN stopped working and it is no longer an option due to government restrictions (Great Firewall of China).
Instead, the customer purchased an SD-WAN solution and the connection between the branch office and HQ is now working again, but we want to encrypt this traffic by building a new L2L VPN tunnel over the SD-WAN link.
The problem is that we need to tell the SD-WAN carrier exactly which networks we want them to route over the SD-WAN link, and since the traffic will be encrypted, the carrier will not see the IP addresses, so the tunnel will never come up.
I was thinking of using IPsec transport mode instead of tunnel mode, because then the IP headers are not encrypted and the IP addresses should be visible, but I am not sure if this is supported on FTD devices, maybe by using FlexVPN?
If tunnel mode is not supported on FTD devices, does anyone know how we can solve/work around this issue?
Thanks
/Chess
12-10-2023 04:34 AM
Hi friend
Does the SD-WAN use IPsec or GRE?
Do you mean the SD-WAN uses GRE and you want to secure the traffic by adding IPsec over the SD-WAN's GRE?
In the end, SD-WAN is like any WAN, so if you have FWs, then make the IPsec use the outside of the FWs as the source and destination of the IPsec.
MHM
12-11-2023 11:05 PM
I think the problem is that the Chinese ISP needs to know exactly which subnets to route over the SD-WAN. Since the firewall will encrypt the traffic when we add an IPsec tunnel, the ISP will not see the source/destination IP addresses and therefore the traffic will never reach the SD-WAN. At least that's my theory why it won't work. Transport mode might help here, but I'm not sure.
Thanks
/Chess
12-11-2023 11:20 PM
FW - SD-WAN (cEdge/vEdge) - ISP - SD-WAN (cEdge/vEdge) - other site router or FW
The SD-WAN will advertise the prefix of the link connecting the vEdge/cEdge to the other site's SD-WAN vEdge/cEdge.
You want to configure IPsec between your FW and the other router/FW in the other site?
If yes, then only use the FW-to-SD-WAN interface as the peer address of your IPsec.
In the end, the IPsec uses this IP as the outer IP header, and this IP is reachable via the SD-WAN; the SD-WAN then NATs it or also encapsulates it inside GRE or IPsec.
The ISP only needs to know the SD-WAN outer header of its IPsec/GRE; it does not need to know the FW IP.
MHM
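The following is an added example, not code from the thread or from Cisco, that models the header stacking MHM describes so the difference between "the carrier cannot see the inner subnets" and "the carrier cannot see any addresses" is concrete. It compares what an on-path observer can read after IPsec tunnel mode, after IPsec transport mode, and after the SD-WAN edges wrap the result again. All addresses are constructed RFC 5737 documentation values, and the topology (FTD outside interfaces peering across two SD-WAN edges) is an assumption; the script says nothing about whether FTD supports transport mode, which the thread leaves open.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical, constructed addresses (RFC 5737 documentation ranges).
BRANCH_HOST, HQ_HOST = "10.1.1.10", "10.2.2.20"        # inner subnets, should stay hidden
BRANCH_FW, HQ_FW = "192.0.2.1", "198.51.100.1"        # FW interfaces facing the SD-WAN edges
BRANCH_EDGE, HQ_EDGE = "203.0.113.5", "203.0.113.9"   # SD-WAN edge underlay addresses


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: str   # next-protocol label: "TCP", "ESP", "GRE"


@dataclass
class Packet:
    """Stack of IP headers, outermost first. Only the first `cleartext` headers
    are readable by someone on the path; the rest sit inside an ESP payload."""
    headers: List[IPHeader]
    cleartext: int


def host_packet(src: str, dst: str) -> Packet:
    """A plain TCP packet between two inside hosts, fully readable on the wire."""
    return Packet([IPHeader(src, dst, "TCP")], cleartext=1)


def ipsec_protect(pkt: Packet, mode: str, peer_src: str, peer_dst: str) -> Packet:
    """Apply ESP in tunnel or transport mode.

    Tunnel mode: the entire original packet, including its IP header, becomes the
    ESP payload and a NEW outer header with the peer addresses is prepended.
    Transport mode: the original IP header is kept in the clear (next-proto ESP)
    and only the transport payload is encrypted; the peers must therefore be the
    hosts themselves, not a pair of gateways.
    """
    if mode == "tunnel":
        outer = IPHeader(peer_src, peer_dst, "ESP")
        return Packet([outer] + pkt.headers, cleartext=1)
    if mode == "transport":
        orig = pkt.headers[0]
        kept = IPHeader(orig.src, orig.dst, "ESP")
        return Packet([kept] + pkt.headers[1:], cleartext=1)
    raise ValueError(f"unknown IPsec mode: {mode}")


def sdwan_encapsulate(pkt: Packet, edge_src: str, edge_dst: str, encrypted: bool) -> Packet:
    """The SD-WAN edges wrap whatever they receive between their own underlay
    addresses, either in plain GRE (inner headers still readable) or in an IPsec
    overlay (everything below the edge header hidden)."""
    if encrypted:
        outer = IPHeader(edge_src, edge_dst, "ESP")
        return Packet([outer] + pkt.headers, cleartext=1)
    outer = IPHeader(edge_src, edge_dst, "GRE")
    return Packet([outer] + pkt.headers, cleartext=pkt.cleartext + 1)


def visible(pkt: Packet) -> List[Tuple[str, str, str]]:
    """(src, dst, proto) of every header an on-path observer can read."""
    return [(h.src, h.dst, h.proto) for h in pkt.headers[: pkt.cleartext]]


def prefixes_to_route(pkt: Packet) -> Tuple[str, str]:
    """The addresses the next hop actually needs a route for: the outermost
    readable header, never the encrypted inner subnets."""
    outer = pkt.headers[0]
    return outer.src, outer.dst


if __name__ == "__main__":
    plain = host_packet(BRANCH_HOST, HQ_HOST)
    tunnel = ipsec_protect(plain, "tunnel", BRANCH_FW, HQ_FW)
    transport = ipsec_protect(plain, "transport", BRANCH_FW, HQ_FW)
    print("tunnel mode, as handed to the SD-WAN edge:", visible(tunnel))
    print("  routes the SD-WAN must carry:", prefixes_to_route(tunnel))
    print("transport mode, as handed to the SD-WAN edge:", visible(transport))
    over_gre = sdwan_encapsulate(tunnel, BRANCH_EDGE, HQ_EDGE, encrypted=False)
    over_ipsec = sdwan_encapsulate(tunnel, BRANCH_EDGE, HQ_EDGE, encrypted=True)
    print("carrier view, GRE overlay:", visible(over_gre))
    print("carrier view, IPsec overlay:", visible(over_ipsec))
```

Running it shows the point of MHM's reply: in tunnel mode the inner 10.x addresses are indeed hidden, but a fresh outer header carrying the two FW interface addresses is added, so the only prefixes the SD-WAN needs to route are those peer addresses; once the edges encapsulate again, the carrier sees only the edge underlay addresses regardless of which IPsec mode the firewalls use. Transport mode keeps the host addresses readable, but that is a consequence of the peers then having to be the hosts rather than the gateways.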