Monday, June 24, 2019

Design question - To statically or dynamically route

Hello fellow networking people. I have a design question I wanted to bounce off of your wonderful minds. A project we've been pushing through this summer is getting a site-to-site VPN tunnel built from our DC to each of our schools so we can host an off-site DC and any other service that would need to be accessible from their private LAN. We have a couple more schools to move off of overlapping IP schemes yet, but otherwise, it's been working as designed so far. We only have around 40 sites so we went ahead and just used Fortinet's IPSec wizard to create these tunnels.

Now that we have this built, I've also realized we can use these tunnels to route our office LAN over to our schools' private LANs. With this, we wouldn't need to remote in with FortiClient to manage school equipment remotely, which would be great! I have this working at one site, but it takes a bit of manual work to adjust static routes, policies, and phase 2 SA proposals.

What I'm wondering is whether it would be worth the work to design this with OSPF to dynamically route these subnets around. I know it's possible to do so over an IPsec tunnel; I've just never done it myself. I'm also wondering if anyone would have recommendations on how to design the firewall policies for this, since they would need to be flexible enough for changing subnets. Really, my only requirement is that traffic flows from our office to schools but not from schools to our office. Current design diagram here.

EDIT: I wanted to expand on the underlying routing already in place for better context. In our DC, both HA pairs of FortiGates hang off an MLAGed layer-3 switch pair, which then does BGP peering to two different aggregation points off the statewide educational backbone. At the school, I'm planning on rolling out SD-WAN in tandem with this, which would handle redundant outbound connections. I've been told I can get a VPN tunnel to terminate on either interface in a failover situation, but I haven't been able to test this yet.
