November 25, 2004

Technical Tip: VPN traffic over alternate link (dual WAN)

Description

This article describes how to send VPN traffic over an alternate link on a dual-WAN FortiGate.

 

Scope

Both the routing and the firewall policies must be configured correctly.

 

Solution

Routing Scenario:

  • Main Internet traffic is to go out on WAN1.
  • Only VPN traffic is to go out on WAN2.
  • The remote gateway for the VPN tunnel is 64.247.233.250.

 

How to configure the static routes:

  • Route #1 is the normal default route for the main Internet connection.
  • Route #2 says: to reach the external interface of the remote FortiGate (64.247.233.250), use the gateway on WAN2.
  • Route #3 says: to reach the remote subnet across the VPN, use WAN2, so that the policies defined from Internal to WAN2 are the ones applied.

 

Adding a Static Route via CLI on a FortiGate (Route #2, the host route to the remote VPN gateway):

FGT # config router static
FGT (static) # edit 0 <------ Using edit 0 adds the route as the next available entry
new entry '0' added
FGT (0) # set dst 64.247.233.250/32 <------ /32 host route for the remote VPN gateway only
FGT (0) # set gateway x.x.x.x <------ next-hop address of the ISP on WAN2
FGT (0) # set device wan2
FGT (0) # end

 

How to configure firewall policies:

Internal to WAN1: Internal_All >> WAN1_All, action Accept, service Any
Internal to WAN2: Internal_Subnet >> 10.3.20.0 (remote subnet), action Encrypt
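To show what each of the three routes contributes, here is an added Python model of the lookup a FortiGate performs (longest-prefix-match routing, then a policy match on the source/destination interface pair); it is not code from the original article. The internal interface name "internal" and the Internal_Subnet value 192.168.1.0/24 are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    device: str


def net(s):
    return ipaddress.ip_network(s)


# Static routes from the article: #1 default via WAN1, #2 host route to the
# remote VPN gateway via WAN2, #3 remote subnet via WAN2 (so the encrypt policy
# on the Internal -> WAN2 interface pair is the one consulted).
ROUTES = [
    Route(net("0.0.0.0/0"), "wan1"),
    Route(net("64.247.233.250/32"), "wan2"),
    Route(net("10.3.20.0/24"), "wan2"),
]

# Firewall policies from the article. Internal_Subnet is an assumed value.
INTERNAL_SUBNET = net("192.168.1.0/24")
POLICIES = [
    ("internal", "wan1", net("0.0.0.0/0"), net("0.0.0.0/0"), "accept"),   # Internal_All >> WAN1_All
    ("internal", "wan2", INTERNAL_SUBNET, net("10.3.20.0/24"), "encrypt"),  # Internal_Subnet >> 10.3.20.0
]


def egress(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching route decides the interface."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.dst]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.dst.prefixlen).device


def policy_action(src, dst, src_intf="internal", routes=ROUTES, policies=POLICIES):
    """Route first, then take the first policy whose interface pair and addresses match."""
    out_intf = egress(dst, routes)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sintf, dintf, sa, da, action in policies:
        if sintf == src_intf and dintf == out_intf and s in sa and d in da:
            return action
    return "deny"  # implicit deny when nothing matches


def without(prefix, routes=ROUTES):
    """Route table with one entry removed, to show what that route contributes."""
    return [r for r in routes if str(r.dst) != prefix]
```

Removing route #2 sends the tunnel negotiation to the remote gateway out WAN1; removing route #3 makes traffic for 10.3.20.0/24 hit the Internal-to-WAN1 accept policy instead of the encrypt policy, so it would leave unencrypted.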

 

FortiGate Firewall Policy Configuration Guide: Firewall policy

FortiGate Firewall Static Route Configuration Guide: Static routing