polarpanda
Explorer
November 5, 2019
Solved

Backup VPN Tunnel Setup


Hi there,

I'm still in the learning process of FortiGate. I'm trying to set up a backup VPN tunnel. Now, I have a primary VPN tunnel from site A firewall to site B firewall. I will need a secondary VPN tunnel from site C firewall to site B firewall to turn on automatically whenever the primary connection is down. Both sites A & C have 90D, site B has 60E. I know I'm supposed to set up some lower value in the settings, but not sure where I need to do it? Phase 1 or 2 parameters? Or security policy? Priority value of static route?

Also correct me if I'm wrong for the settings I need to do:
1. Using VPN wizard create VPN tunnel
2. Set up IPv4 policy
3. Set up security policy
4. Set up static route

Thank you for your time and advice. Really appreciate it!!

 

Best answer by Toshi_Esumi

Any metric option on static routes would work, including priority. With priority, both routes show up in the routing table, but if a session is initiated from inside of B it would take the route with a lower priority number (0 by default). Since the other one is still in the table, sessions coming in the interface (VPN) with a higher priority number are still legit and the returning packets still go out through the same interface (VPN) they came in.


Toshi_Esumi
SuperUser
November 5, 2019

It's not so easy as you're thinking, because it's not a simple backup tunnel to the primary one since your second tunnel comes from site C. How can site A get to site C to get to the second tunnel? Another VPN?

If you use static routes, you need to use link-monitor to remove those toward the primary tunnel when it goes down. For the secondary route, you can use admin distance or other metrics to let them "float".

But routing protocols are designed for that purpose.

polarpanda
Explorer
November 5, 2019

Hi Toshi,

Thank you for the reply. I don't really need a connection between site A and C. We set up site C as internet backup for site A. Now, all the ingress traffic goes to site A. When site A is down, site C will handle all ingress traffic. Then at the same time, the secondary VPN tunnel should be activated. Hope it makes more sense after the explanation.

I'm thinking of having the config from C to B the same as from A to B. Then set up a bigger priority value for B to C than for B to A in static route -> advanced options. When site A internet works, there is no traffic from B to C. When site A internet is down (site C is up), there is traffic from B to C (no traffic from B to A). Will it work? Do I still need link monitoring?

Thank you for your time!!

Toshi_Esumi
SuperUser
November 5, 2019

Still not clear about the roles of those sites & VPNs. What do you mean by "ingress" traffic? Is it traffic from the internet into your network consisting of three locations? In that case, do the public IPs to enter into your network move/change from A to C by DDNS?

If B is the main location and A and C are just B's internet path options, B just needs to decide which way to go. You don't have to "activate" the VPN and you can keep the tunnel up all the time. You just don't route to it when you don't need it. I still recommend using link-monitor at B to detect when the internet path over the VPN is down.
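To make the priority mechanism from the best answer and the link-monitor advice from the last reply concrete, here is an added FortiOS CLI example for site B; it is not configuration posted by anyone in this thread. It assumes two route-based IPsec interfaces named VPN_to_A and VPN_to_C, a remote network 192.168.1.0/24 reachable through either tunnel, and a host 192.168.1.1 behind A that answers ping; all of these names and addresses are constructed placeholders.

```text
# Constructed example on site B: two static routes to the same destination
# over two VPN interfaces. Equal admin distance keeps both in the routing
# table; the lower priority number (0, the default) wins for new sessions
# started from inside B, while replies to sessions that arrived on VPN_to_C
# still leave through VPN_to_C because that route is still present.
config router static
    edit 1
        set dst 192.168.1.0 255.255.255.0
        set device "VPN_to_A"
        set priority 0
        set comment "primary path via site A"
    next
    edit 2
        set dst 192.168.1.0 255.255.255.0
        set device "VPN_to_C"
        set priority 10
        set comment "secondary path via site C"
    next
end

# Link-monitor on the primary tunnel. If the probe target behind A stops
# answering for 3 consecutive probes (every 5 s), the static route on
# VPN_to_A is withdrawn, leaving only the VPN_to_C route, so new sessions
# move to the secondary tunnel. This covers the case where the tunnel
# interface stays up but the path through A is dead, which priority alone
# does not detect. The route is restored after 5 successful probes.
config system link-monitor
    edit "probe_site_A"
        set srcintf "VPN_to_A"
        set server "192.168.1.1"
        set protocol ping
        set interval 5
        set failtime 3
        set recoverytime 5
        set update-static-route enable
    next
end

# Checks: both routes should be listed while the probe succeeds, and the
# monitor state should show the primary as alive.
#   get router info routing-table all
#   diagnose sys link-monitor status
```

Policies must exist for both tunnel interfaces in advance, since the secondary path carries traffic only when routing sends it there.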