NSM - How to configure SDWAN for Hub and Spoke VPN
09/05/2024
Description
This Knowledge Base article shows, step by step, how to configure SDWAN for a Hub and Spoke VPN setup.
Two templates will be created: one for the Hub firewall and the other for the spoke firewalls.
Note:
1. Variables can be configured on the fly during the process, or prior to the steps;
2. This assumes the X1 WAN interface and local networks have already been configured, but the X3 WAN interface has not been configured yet;
3. The IKE Shared Secret will be hidden during variable resolution by 'sometext'.
Part 1: Template for Spoke firewalls
Step 1: gather basic information for setting up SDWAN:
Step 2: start creating a new template for spoke_nodes_sdwan_config:
Step 3: configure X3 (WAN) interface, assuming it was not configured yet:
Step 4: configure VPN Policy - spoke_to_hub_from_X1:
Step 5: configure VPN Policy Proposals:
Step 6: configure VPN Policy Advanced settings:
Step 7: completed first VPN policy:
Step 8: configure second VPN Policy - spoke_to_hub_from_X3:
Step 9: configure VPN Policy Proposals as Step 5;
Step 10: configure VPN Policy Advanced settings:
Step 11: completed second VPN policy:
Step 12: create Address Object spoke_LAN_subnet:
Step 13: create Address Object spoke_to_hub_VPN:
Step 14: completed Address Objects:
Step 15: add Routing Rules route_spoke_to_hub_from_X1 (pay attention to Metric):
Step 16: add Routing Rules route_spoke_to_hub_from_X3:
Step 17: completed routing rules:
Step 18: add SD-WAN Group:
Step 19: add SD-WAN Path Selection Profile:
Step 20: add SD-WAN Rule:
Step 21: this template is complete. Applying it to 2 spoke firewalls:
Step 22: Template Variables screen pops up. Confirm that the resolved variables match the Step 1 settings. If not, modify this popup screen accordingly, and modify the variables as well:
Step 23: corrected resolved variables:
Step 24: Template apply status:
Step 25: go to Commit & Deploy to commit changes:
Verification:
Log into a spoke firewall and note that the VPN policies and SD-WAN have been created:
Part 2: Template for Hub firewall:
Step 1: create a new template hub_sdwan_config:
Step 2: configure X3 WAN interface (assume it is not configured yet):
Step 3: configure first VPN policy hub_to_spoke_1_from_X1:
Step 4: configure VPN Policy Proposals - refer to configuration in Spoke. They should match;
Step 5: configure VPN Policy Advanced:
Step 6: configure first VPN policy hub_to_spoke_1_from_X3:
Step 7: configure VPN Policy Proposals - refer to configuration in Spoke. They should match;
Step 8: configure VPN Policy Advanced:
Step 9: configure second VPN policy hub_to_spoke_2_from_X1:
Step 10: configure VPN Policy Proposals - refer to configuration in Spoke. They should match;
Step 11: configure VPN Policy Advanced:
Step 12: configure second VPN policy hub_to_spoke_2_from_X3:
Step 13: configure VPN Policy Proposals - refer to configuration in Spoke. They should match;
Step 14: configure VPN Policy Advanced:
Step 15: completed Hub to Spoke VPN policies:
Step 16: create Address Object hub_LAN_Subnet:
Step 17: create Address Object to_spoke_1_subnet_VPN:
Step 18: create Address Object to_spoke_2_subnet_VPN:
Step 19: completed Address Objects:
Step 20: create Routing Rules hub_to_spoke_1_from X1:
Step 21: create Routing Rules hub_to_spoke_1_from X3:
Step 22: create Routing Rules hub_to_spoke_2_from X1:
Step 23: create Routing Rules hub_to_spoke_2_from X3:
Step 24: completed Routing Rules:
Step 25: add SD-WAN Group sdwan_to_spoke_1:
Step 26: add SD-WAN Group sdwan_to_spoke_2:
Step 27: completed SD-WAN Groups:
Step 28: add SD-WAN Path Selection Profile psp_to_spoke_1:
Step 29: add SD-WAN Path Selection Profile psp_to_spoke_2:
Step 30: completed Path Selection Profiles:
Step 31: add SDWAN rule sdwan_rule_to_spoke_1:
Step 32: add SDWAN rule sdwan_rule_to_spoke_2:
Step 33: completed SD-WAN rules:
Step 34: apply the template to Hub firewall:
Step 35: resolve template variables. Confirm by checking the Spoke template Step 1 settings:
Step 36: template apply status:
Step 37: Commit status:
Verification:
Log into Hub firewall, check SD-WAN status:
Log into Spoke firewall, check SD-WAN status, SLA Probes, Path Selection:
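The hub steps above repeat that the VPN Policy Proposals must match the spoke's, and each spoke tunnel needs a hub counterpart on both X1 and X3. As an added example (not part of the original article and not SonicWall tooling), this Python check compares a planned hub policy set against a spoke's before the templates are committed. The dictionary field names, proposal values and secrets are constructed for illustration and are not an NSM export format; only the policy names follow the article.

```python
import hmac

# Constructed sample data; field names are hypothetical, not an NSM/SonicOS format.
PROPOSAL = {"exchange": "ikev2",
            "p1": ("dh14", "aes-256", "sha256", 28800),   # IKE (Phase 1)
            "p2": ("esp", "aes-256", "sha256", 28800)}    # IPsec (Phase 2)

def policy(name, psk, **overrides):
    """Build one VPN policy record; overrides replace proposal fields."""
    return {"name": name, "psk": psk, **PROPOSAL, **overrides}

SPOKE_1 = [policy("spoke_to_hub_from_X1", "constructed-psk-1"),
           policy("spoke_to_hub_from_X3", "constructed-psk-1")]
HUB = [policy("hub_to_spoke_1_from_X1", "constructed-psk-1"),
       # Deliberate Phase 2 mismatch so the check has something to report.
       policy("hub_to_spoke_1_from_X3", "constructed-psk-1",
              p2=("esp", "aes-128", "sha1", 28800))]

def check_spoke(spoke_id, spoke_policies, hub_policies):
    """Return findings for one spoke; an empty list means every tunnel pairs up."""
    findings = []
    hub_by_name = {p["name"]: p for p in hub_policies}
    for sp in spoke_policies:
        wan = sp["name"].rsplit("_", 1)[-1]               # "X1" or "X3"
        hub_name = f"hub_to_spoke_{spoke_id}_from_{wan}"
        hp = hub_by_name.get(hub_name)
        if hp is None:
            findings.append(f"{hub_name}: missing on hub")
            continue
        for field in ("exchange", "p1", "p2"):
            if sp[field] != hp[field]:
                findings.append(f"{hub_name}: {field} differs from {sp['name']}")
        # Compare the shared secrets without ever printing them.
        if not hmac.compare_digest(sp["psk"].encode(), hp["psk"].encode()):
            findings.append(f"{hub_name}: shared secret differs from {sp['name']}")
    return findings

if __name__ == "__main__":
    for line in check_spoke(1, SPOKE_1, HUB):
        print(line)
```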