Technical Tip: Dual VPN static routing redundancy to the same remote gateway
Description
This article describes how to provide redundancy when there is more than one IPsec VPN to the same remote gateway, by giving the static route through the primary VPN a lower Administrative Distance (AD) than the static route through the backup VPN, or, when both tunnels must stay active, the same AD but a lower priority value.
Scope
FortiGate.
Solution
Routing to subnet 192.168.1.0/24 is available through 'VPN1' and 'VPN2'. 'VPN1' has the lower Administrative Distance (10 versus 11 for 'VPN2'), so only its route is installed in the active routing table and the route through 'VPN2' stays inactive. If 'VPN1' fails (its tunnel interface goes down, which DPD detects when the peer stops answering), its route is withdrawn from the active routing table and the route through 'VPN2' is installed in its place.
Two VPNs with the same remote gateway IP (10.9.9.1):
config vpn ipsec phase1-interface
    edit "VPN1"
        set interface <wan_interface>
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dpd on-idle
        set comments ""
        set dhgrp 2
        set remote-gw 10.9.9.1
        set psksecret ENC
        set dpd-retryinterval 5
    next
    edit "VPN2"
        set interface <wan_interface>
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dpd on-idle
        set comments ""
        set dhgrp 2
        set remote-gw 10.9.9.1
        set psksecret ENC
        set dpd-retryinterval 5
    next
end
config router static
    edit <id>
        set dst 192.168.1.0 255.255.255.0
        set device "VPN1"
        set distance 10
    next
    edit <id>
        set dst 192.168.1.0 255.255.255.0
        set device "VPN2"
        set distance 11
    next
end
With the above configuration, traffic to 192.168.1.0/24 is routed through VPN1 because its static route has the lower AD. The VPN2 route is kept out of the active routing table, so VPN2 carries no traffic unless the VPN1 route is withdrawn. The route is withdrawn only when the VPN1 tunnel interface goes down, so DPD (dpd on-idle with a short dpd-retryinterval, as configured above) is what turns a dead peer into an actual failover; without it, traffic keeps following the VPN1 route into a tunnel that no longer works. Both routes can be seen with 'get router info routing-table database'; only the installed one appears in 'get router info routing-table all'.
In some cases it is required to keep both tunnels, VPN1 and VPN2, active at the same time. This can be achieved by giving both static routes the same AD but a different priority. Both routes are then installed in the active routing table, and the lower the priority value, the more preferred the route (with equal AD and equal priority, the FortiGate would instead load-balance across both tunnels):
config router static
    edit <id>
        set dst 192.168.1.0 255.255.255.0
        set device "VPN1"
        set distance 10
        set priority 1
    next
    edit <id>
        set dst 192.168.1.0 255.255.255.0
        set device "VPN2"
        set distance 10
        set priority 5
    next
end
With the above configuration, both tunnels VPN1 and VPN2 are active and both routes are installed, but VPN1 is used for forwarding because of its lower priority value; traffic fails over to VPN2 only when the VPN1 route is withdrawn (again, once DPD has brought the VPN1 interface down).
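To make the difference between the two mechanisms concrete, the following is an added Python model of the route selection described in this article. It is not FortiGate code; it only reproduces the documented behaviour: a static route is a candidate only while its tunnel interface is up (the state DPD maintains), only the lowest-distance candidates to a destination are installed in the active routing table, and among installed routes of equal distance the lowest priority value forwards. The two route lists mirror the two static-route configurations above; the tunnel_up dictionaries and the route-selection functions are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    """One 'config router static' entry (only the fields that matter here)."""
    dst: str
    device: str
    distance: int = 10   # FortiGate default AD for static routes
    priority: int = 1    # FortiGate default priority; lower value is preferred


def active_routes(routes, tunnel_up):
    """Model the active routing table for a set of static routes.

    tunnel_up maps a tunnel interface name to its up/down state; DPD is what
    keeps this state honest when the remote peer stops answering.
    Distance decides which routes are installed: for each destination, only
    the candidates with the lowest distance survive.  Priority never removes a
    route; it only orders routes that share the same distance.
    """
    table = {}
    for r in routes:
        if not tunnel_up.get(r.device, False):
            continue                      # route withdrawn: interface is down
        installed = table.get(r.dst)
        if installed is None or r.distance < installed[0].distance:
            table[r.dst] = [r]            # new best AD replaces the old set
        elif r.distance == installed[0].distance:
            table[r.dst].append(r)        # same AD: both stay installed
    return table


def forwarding_device(routes, tunnel_up, dst):
    """Interface that forwards traffic to dst, or None if dst is unreachable."""
    installed = active_routes(routes, tunnel_up).get(dst)
    if not installed:
        return None
    # Among equal-AD routes the lowest priority value wins; with equal
    # priority a real FortiGate would load-balance (ECMP), modelled here by
    # taking the first one.
    return min(installed, key=lambda r: r.priority).device


DST = "192.168.1.0/24"

# First configuration on the page: different AD, VPN2 route stays inactive.
AD_FAILOVER = [
    StaticRoute(DST, "VPN1", distance=10),
    StaticRoute(DST, "VPN2", distance=11),
]

# Second configuration on the page: same AD, different priority, both installed.
PRIORITY_FAILOVER = [
    StaticRoute(DST, "VPN1", distance=10, priority=1),
    StaticRoute(DST, "VPN2", distance=10, priority=5),
]


def scenario(routes):
    """Installed routes and forwarding decision with both tunnels up and with VPN1 down."""
    both_up = {"VPN1": True, "VPN2": True}
    vpn1_down = {"VPN1": False, "VPN2": True}   # DPD has brought VPN1 down
    return {
        "installed_both_up": sorted(r.device for r in active_routes(routes, both_up)[DST]),
        "forward_both_up": forwarding_device(routes, both_up, DST),
        "forward_vpn1_down": forwarding_device(routes, vpn1_down, DST),
    }


def dead_peer_without_dpd(routes):
    """Failure mode: peer is dead but nothing marked the interface down."""
    # Without DPD the VPN1 interface stays 'up', its route stays installed,
    # and traffic keeps being sent into the dead tunnel instead of to VPN2.
    stale_state = {"VPN1": True, "VPN2": True}
    return forwarding_device(routes, stale_state, DST)


if __name__ == "__main__":
    print("AD-based failover:      ", scenario(AD_FAILOVER))
    print("Priority-based failover:", scenario(PRIORITY_FAILOVER))
    print("Dead peer, no DPD ->    ", dead_peer_without_dpd(AD_FAILOVER))
```

The model shows the practical difference: with distinct AD values only VPN1's route is ever installed while VPN1 is up, whereas with equal AD and distinct priorities both routes are installed (which is what keeps both tunnels active) while VPN1 still forwards. In both cases failover happens only once the VPN1 interface is actually marked down, which is why DPD is part of the phase1 configuration.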
Reference: Redundant route-based VPN configuration example.
Note: Versions 5.0 up to 6.4 are out of engineering support, so these commands might differ on later versions. Consider upgrading the firmware on the device to a supported version (7.0 up to 7.6). Check the upgrade path and hardware compatibility with the Upgrade tool.
