Maxim_Vanichkin
Visitor III
February 15, 2016
Question

Backup IPSEC interface

  • February 15, 2016
  • 1 reply
  • 7157 views

Good morning Vietnam!

Can anybody explain to me how I should build a backup IPSEC interface? I found articles about how to configure a FortiGate with two ISPs, but none about a second FortiGate with only one ISP. Should I configure IPsec as a dialup user? Because I can't configure a second tunnel with the same remote policies...

Thanking you in advance, your pal, Maxim.

    1 reply

    neonbit
    New Member
    February 15, 2016

    Hi Maxim,

    Two redundant IPSEC interfaces are easy enough to set up. There's an IPSEC with OSPF cookbook available here that goes through the steps: http://docs.fortinet.com/uploaded/files/1693/using-redundant-OSPF-routing-over-IPsec-VPN.pdf

    The key thing here is the routing. With OSPF the routing will be done automatically for you, but with just one site you can easily get away with configuring the routing manually.

    One thing I would recommend looking into that the cookbook doesn't mention is the use of zones. Before you create the policies for the VPNs, create a zone and put both VPN interfaces in it. Now you only need to create a policy from internal > VPN-zone and VPN-zone > internal (rather than creating two separate policies for each VPN interface).

    Maxim_Vanichkin
    Visitor III
    February 16, 2016

    Hi Neonbit!

    Thank you very much for your answer!

    But my situation is different. The branch has two ISPs (one of them is much more expensive); the head office has only one ISP, one WAN, which is why I have to use a different way. Forti calls it "Backup IPSec Interface".

    neonbit
    New Member
    February 16, 2016

    Hi Maxim,

    Just to confirm, you'd like to set up something like this with traffic going over WAN1 in the branch office (cheap link) and only falling back to WAN2 when WAN1 is unavailable?

    If so, then the previous guide will still work. Instead, for the HQ you would have two IPSEC interfaces that are configured for the same WAN link (WAN1). The branch office will have two IPSEC interfaces (static, not dialup), each configured for a separate link (WAN1 and WAN2). Enable dead peer detection on the VPNs.

    You would configure routes to prioritize WAN1 over WAN2 (using distance).

    Both sides will have a VPN-zone with the two VPN interfaces as members.
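
A worked FortiOS CLI configuration for the HQ side of the layout neonbit describes (two tunnel interfaces on one WAN, failover by route distance, DPD, one zone for both tunnels), added here as an example; it is not from the thread or from the Fortinet cookbook. Every name, address and subnet is an assumption for the example: HQ LAN 10.1.0.0/24 behind wan1 at 203.0.113.1, branch LAN 10.2.0.0/24 with wan1 at 198.51.100.10 and wan2 at 192.0.2.10. The `set dpd on-idle` keyword is the FortiOS 5.4-style form; 5.2 uses `set dpd enable`.

```fortios
# --- HQ FortiGate, single ISP on wan1 (example config, addresses assumed) ---
# Two phase1-interfaces on the same wan1; what differs is the remote-gw,
# one per branch ISP address, so the "same remote policy" clash never arises.
config vpn ipsec phase1-interface
    edit "to-branch-wan1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set remote-gw 198.51.100.10
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-PSK"
    next
    edit "to-branch-wan2"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set remote-gw 192.0.2.10
        set psksecret "REPLACE-WITH-A-DIFFERENT-LONG-RANDOM-PSK"
    next
end
# Identical selectors on both phase2s are fine: the route picks the tunnel.
config vpn ipsec phase2-interface
    edit "to-branch-wan1-p2"
        set phase1name "to-branch-wan1"
        set proposal aes256-sha256
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
    edit "to-branch-wan2-p2"
        set phase1name "to-branch-wan2"
        set proposal aes256-sha256
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
# Failover is pure routing: distance 10 wins while its tunnel is up; when DPD
# takes the primary tunnel interface down, its route is withdrawn and the
# distance-20 route takes over. The blackhole stops cleartext leakage via wan1
# if both tunnels are down.
config router static
    edit 10
        set dst 10.2.0.0 255.255.255.0
        set device "to-branch-wan1"
        set distance 10
    next
    edit 11
        set dst 10.2.0.0 255.255.255.0
        set device "to-branch-wan2"
        set distance 20
    next
    edit 12
        set dst 10.2.0.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
# Zone before policies: a zone member can only be referenced via the zone,
# so one policy pair covers both tunnels.
config system zone
    edit "VPN-zone"
        set interface "to-branch-wan1" "to-branch-wan2"
    next
end
config firewall address
    edit "LAN-HQ"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "LAN-branch"
        set subnet 10.2.0.0 255.255.255.0
    next
end
config firewall policy
    edit 100
        set srcintf "internal"
        set dstintf "VPN-zone"
        set srcaddr "LAN-HQ"
        set dstaddr "LAN-branch"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 101
        set srcintf "VPN-zone"
        set dstintf "internal"
        set srcaddr "LAN-branch"
        set dstaddr "LAN-HQ"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The branch side mirrors this: the same two phase1-interfaces, but bound to `wan1` and `wan2` respectively, both with `set remote-gw 203.0.113.1` and the matching PSK, the same two tunnel routes with distances 10 and 20 plus the blackhole, and the same zone and policy pair with the subnets swapped. It assumes the branch already has default routes out both WAN links, otherwise IKE from the wan2-bound tunnel has no path to HQ. To check which path is active, `get router info routing-table all` shows only the lowest-distance route for 10.2.0.0/24 that is currently installed, and `diagnose vpn ike gateway list` shows which of the two IKE SAs is up.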