SD-WAN Route VPN Traffic - Gateway Setup

Hi,

I am trying to configure an SD-WAN route for a failover scenario with 18.5.2.

There is a VPN setup for a branch office with a listener/gateway IP configured.
Clients are on the local subnet and communicate with the hosting solution over VPN.

Now the ISP will cut the public fibre (with fixed IP) and we lose the connection for some time.

I have a second dial-up line to a third BO and I would like to use SD-WAN to route traffic over the third BO.

If I create a normal SD-WAN rule for web traffic all is fine and traffic gets routed over the DUN to the BO.

Now ..

I want to have an SD-WAN rule that redirects traffic for the VPN tunnel over the DUN to the third BO. This BO has the same VPN tunnel to the hosting solution.

How do I set up a gateway for the VPN tunnel?

  • Hi: The information here is a bit complex to understand your requirements, but let me try to reply based on my understanding of the above information.

    For a VPN tunnel (PBVPN or RBVPN), in terms of gateway settings, we define the remote gateway during the tunnel creation itself; this XG will forward ESP packets from the configured local listening interface to the remote gateway address defined in the tunnel settings, i.e. to the remote VPN gateway device.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link.

  • Thanks,

    I know this works with VPN.

    We have two locations (HO and BO); both have a VPN tunnel to the hosting solution.
    All is fine, each location can connect to the HS.

    Now the primary ISP in HO fails and I want to connect over the BO to the HS.

    Currently I have a VDSL modem and a RED15 in HO that connects to the BO.
    The RED is shown as a network on Port8 of the XGS2100 with an IP (192.168.200.1/24) given from the BO.
    BO has 192.168.10.0/24 as its local subnet.

    How would I create an SD-WAN policy that routes traffic to the HS directly over the RED to the BO?
    The BO should then route the traffic over the VPN tunnel...

    Would a support case be useful?

  • Hi: Not tested, and I have not come across such a setup. If you want all traffic from the HO side to go to the BO, then use the RED "Standard/unified" mode, but in this case the BO firewall will act as the DHCP server and the HO LAN machines should accept leases from it.

    If you want the RED operation mode configured as "Standard/split" so that Internet traffic from HO goes via VDSL, you may define the BO and HS networks in the Split network setting of the RED interface on the BO XG. In this case as well, the BO firewall will act as the DHCP server and the HO LAN machines should accept leases from it.

    Due to this, BO- and HS-related network traffic from HO end machines behind the RED will be routed over the RED tunnel.

    After this, the BO should be aware that HO traffic to the HS should be forwarded to the HS location over VPN. For this:

    If it is PBVPN, then you are required to define the HO network as a local network in the respective tunnel on the BO XG which has been configured between BO and HS; similarly, on the HS end you are required to add the HO network to the remote LAN networks.

    But if it is RBVPN and you are managing the routing with an SD-WAN rule, then to have connectivity between HO and HS via BO, ensure the HO network is added to the already existing SD-WAN rule on BO (the one configured for BO to HS traffic) so that HO traffic is forwarded to the HS location by that same rule. Also, in the existing SD-WAN rule on BO under the Traffic selector settings, if an Incoming Interface has been defined, set it to Any for the time being.

    The above settings, plus the required firewall rules from the RED zone (whichever zone has been configured) to VPN and from VPN to the RED zone, should be present on BO. With this, check the connectivity, and based on TCPDUMP and drop-packet observation check the status further.

    Note: The above setup has been described on the assumption that the whole HO LAN is in DHCP mode and will get its leased IP from BO over the RED. If there is any static IP assignment on the HO LAN for any machine, you may need to change it to DHCP, else connectivity to HS via BO may not work for that specific machine.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

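The failover the thread is asking about is an SD-WAN policy route whose gateway health decides between the direct VPN and the RED link to the BO, plus a matching rule on the BO side. The toy model below is an added example, not Sophos code and not from any post in the thread: it models how a first-match policy route picks a gateway, falls back to a backup gateway when the primary probe fails, and shows why the BO rule fails to match HO traffic until the HO network is added to its source selector and its Incoming Interface is set to Any (the point in the last reply). Only the BO LAN (192.168.10.0/24) and the RED network (192.168.200.0/24) come from the thread; the HO LAN, the HS network, the gateway names and the interface names `Port1`/`reds1` are constructed placeholders.

```python
# Added example (not from the thread or Sophos): toy model of SD-WAN
# policy-route matching with gateway failover and the "Incoming Interface"
# traffic-selector caveat.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Gateway:
    name: str
    up: bool = True  # outcome of the gateway health probe


@dataclass
class SdwanRule:
    name: str
    src_nets: list                   # CIDR strings in the source selector
    dst_nets: list                   # CIDR strings in the destination selector
    incoming_ifaces: Optional[set]   # None models "Incoming Interface: Any"
    primary: Gateway
    backup: Optional[Gateway] = None

    def matches(self, src_ip: str, dst_ip: str, in_iface: str) -> bool:
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        if self.incoming_ifaces is not None and in_iface not in self.incoming_ifaces:
            return False
        if not any(src in ipaddress.ip_network(n) for n in self.src_nets):
            return False
        return any(dst in ipaddress.ip_network(n) for n in self.dst_nets)


def select_gateway(rules, src_ip, dst_ip, in_iface):
    """First-match evaluation. Returns (rule name, gateway name);
    (rule name, None) if the rule matched but no gateway is up;
    (None, None) if no rule matched, i.e. traffic falls back to the
    ordinary routing table."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, in_iface):
            if rule.primary.up:
                return rule.name, rule.primary.name
            if rule.backup is not None and rule.backup.up:
                return rule.name, rule.backup.name
            return rule.name, None
    return None, None


# Constructed addresses: HO_LAN and HS_NET are placeholders, BO_LAN is from the thread.
HO_LAN = "192.168.1.0/24"
BO_LAN = "192.168.10.0/24"
HS_NET = "10.50.0.0/16"


def ho_route(fibre_up: bool):
    """Gateway chosen at HO for a LAN host reaching the hosting solution."""
    vpn_gw = Gateway("HS-VPN-via-fibre", up=fibre_up)
    red_gw = Gateway("RED-to-BO", up=True)   # next hop on the 192.168.200.0/24 RED network
    rules = [SdwanRule("HO-to-HS", [HO_LAN], [HS_NET], None, vpn_gw, red_gw)]
    return select_gateway(rules, "192.168.1.50", "10.50.0.10", "Port1")


def bo_route(rule_widened: bool):
    """Gateway chosen at BO for HO traffic arriving over the RED tunnel (reds1)."""
    bo_vpn = Gateway("HS-VPN-from-BO", up=True)
    if rule_widened:
        # HO network added to the source selector, Incoming Interface set to Any
        rule = SdwanRule("BO-to-HS", [BO_LAN, HO_LAN], [HS_NET], None, bo_vpn)
    else:
        # original rule: BO LAN only, pinned to the BO LAN port
        rule = SdwanRule("BO-to-HS", [BO_LAN], [HS_NET], {"Port1"}, bo_vpn)
    return select_gateway([rule], "192.168.1.50", "10.50.0.10", "reds1")


if __name__ == "__main__":
    print(ho_route(True))    # ('HO-to-HS', 'HS-VPN-via-fibre')
    print(ho_route(False))   # ('HO-to-HS', 'RED-to-BO')
    print(bo_route(False))   # (None, None): HO traffic is not matched on BO
    print(bo_route(True))    # ('BO-to-HS', 'HS-VPN-from-BO')
```

The `bo_route(False)` case is the one to watch for in a TCPDUMP on the BO: HO-sourced packets arrive on the RED interface but, with the BO rule still pinned to its LAN port and its own subnet, they are never steered into the HS tunnel and instead follow the default route.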
