# MPLS + Internet IPSEC SDWAN 設定 ### **設計概念：** HQ透過MPLS連線到各分點，同時針對某些較重要的分點透過MPLS+Internet 建立雙線備援，以防網路連線中斷。 #### **一、概念架構圖。** [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/image.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/image.png) #### **二、先設定好 MPLS、Internet Interface與路由。** HQ Interface設定: [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/eXximage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/eXximage.png) [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/m2Zimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/m2Zimage.png) HQ 路由: [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/Oj8image.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/Oj8image.png) [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/BTlimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/BTlimage.png) Internet Interface與路由請比照MPLS設定，DR端亦然至於到其他分點的路由就照常設定MPLS的Static Route即可 #### **三、設定MPLS、Internet到DR的IPSEC VPN，使用自定義模式。** 以下僅用MPLS IPSEC示範，Internet IPSEC請自行比照設定 [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/mpfimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/mpfimage.png) [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/d5jimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/d5jimage.png) [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/BgEimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/BgEimage.png) 兩條IPSEC建立好之後如下圖 [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/8OUimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/8OUimage.png) #### **五、至Interface將VPN介面設定IP，兩邊的設備互相設定** [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/GKyimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/GKyimage.png) [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/0Puimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/0Puimage.png) FortiOS 7.0版會出現錯誤，使用CLI設定 [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/bJqimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/bJqimage.png) [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/6HJimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/6HJimage.png) **注意 !! **此處設定IPSEC VPN Interface的 IP是用來作路由使用，上圖為HQ端設定，DR端請自行比照設定以此範例為例 HQ Internet IPSEC VPN Interface 為 10.1.1.14、DR Internet IPSEC VPN Interface 為 10.1.1.13 HQ MPLS IPSEC VPN Interface 為 10.1.1.10、DR MPLS IPSEC VPN Interface 為 10.1.1.9 #### **六、建立SDWAN Zone，將兩個IPSEC VPN Interface加進去Member** 完成HQ與DR的上述設定後並加完之後應該就可以正常將IPSECVPN Turnnel帶起來，此時互Ping對方的IPSEC VPN Interface IP應該就要會通了。 [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/EvUimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/EvUimage.png) [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/xIdimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/xIdimage.png) [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/SN5image.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/SN5image.png) #### **七、設定SDWAN Rule** 下圖為HQ端SDWAN Rule，DR端請自行比照設定 [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/3CRimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/3CRimage.png) #### **八、設定Firewall Policy、Static Route** [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/W7mimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/W7mimage.png) [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/OL9image.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/OL9image.png) [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/oE1image.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/oE1image.png) [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/fv0image.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/fv0image.png) [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/07qimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/07qimage.png) 設定完成後Ping DR LAN Interface應該就要會通了。 [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/I8Limage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/I8Limage.png) **注意 !! **一樣HQ、DR都要設定，否則也不會通 #### **九、設定SDWAN線路偵測機制，互相指對方的LAN Interface即可。** 透過兩條線路去跟對方的LAN Interface作Health Check，如果Check異常則將線路直接下線，用以確保資料傳輸的正確性。 [![image.png](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/scaled-1680-/vfIimage.png)](https://mdfk.goddamn.idv.tw/uploads/images/gallery/2024-06/vfIimage.png)