Skip to main content
KVN001
KVN001
New Member
November 9, 2022
Question

Accessing a Server behind IPSec VPN Tunnel

  • November 9, 2022
  • 1 reply
  • 2145 views

Hi Community,

 

I have following situation: I have two sites connected with an IPSec VPN tunnel. The tunnel is running and I can reach the servers of the other site without any problems from the internal network. So far so good.

 

Normally, my servers run in Site A. When I connect to the services there with an end device over the Internet, it works fine. Now I have set up the same servers in Site B as Hyper-V failover (with different IP addresses). What I want to achieve is: Should the servers in Site A fail and the failover servers in Site B start. The firewall in Site A should not send the packets to the local server (which is not running), but to the servers in Site B via the VPN tunnel (like in the screenshot).

 

Can anyone tell me, is this even possible?

On Site A I tried to change the Policies from Local Server VLAN to the IPSec Tunnel and reconfigured the VIPs, but the packets doesn't seem to arrive at the Site B Firewall (according to the logs).

 

I would be glad if anyone could tell me if this scenario is even possible or not.

 

 

Thanks a lot for your help guys :)

Capture.PNG

1 reply

sidewaysguy14
Staff
sidewaysguy14
Staff
November 9, 2022

Hello there KVN001, 

 

Top of mind, I'd probably approach this by using public DNS failover, so that when the servers are live in Site B the  user traffic is processed by the Site B firewall.  This would probably maintain consistency for the user experience instead of adding latency with the traffic traversing the IPSEC tunnel.  This would also allow for Site A to be completely down, letting Site B take over gracefully both on the server and network side.  This type of failover is available through most major DNS providers.  FortGLSB could also be leveraged for this approach and FortiADC could also handle this from a loadbalancing perspective. 

 

Now if there is a requirement for the traffic to always go through Site A, then I'd suggest looking at using a Virtual server load balancing scenario.  In this scenario, you could use the static balancing method with a health check against the servers so if the servers are down in Site A, the servers in Site B would start receiving the traffic.  You can check this out further at https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/713497/virtual-server-load-balance 

 

Depending on the traffic/server load, FortiADC may be the correct solution to manage the scenario.  I hope this gives you a couple of things to consider and start with. 

 

 

I hope that gives a couple of approaches to this

Terms & ConditionsAccessibility statement