Skip to main content
wilson19
wilson19
New Member
December 27, 2019
Question

Best Design Options - Dual VPN & point to point fiber/ethernet connection

  • December 27, 2019
  • 2 replies
  • 3157 views

Hi All,

 

I'm new to Fortinet/Fortigates and so I have been reading a lot of Cookbooks the last week or so, but I thought I'd get some input here as well on designing this for automatic fail over and redundancy.

 

We have purchased two 200E units.  One will be located at a data center and the other at the main office.  At the main office, we have two internet connections and will have an Ethernet handoff from a local fiber provider that will give us a 1Gbps connection to the data center as well.  At the data center, we'll have one internet connection and the other side of the fiber/ethernet connection.

 

I wanted to make sure I'm on the right track here so I thought I'd run this by everyone to see if you have any additional thoughts.

 

Main Office:

Created SD-WAN Interface with two internet connections with performance SLA.

Created two VPN tunnels to data center with the individual internet connections and modified static route distances.

 

At Main Office and Data Center:

Created VPN tunnel to main office with single internet connection

 

Both Locations:

Once the point to point is delivered, I will add it to another interface and add another static route with a lower distance than the VPN(s).

I'll then add a system link-monitor to both ends of the point to point in order to monitor it for failure and automatically bring up the VPN.

 

Thanks,

Wilson

 

    2 replies

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    December 27, 2019

    That would work. I would use a routing protocol like BGP between two locations though.

    But technically you can put those all three VPNs+P2P links on the same SD-WAN at the main office with those internet interfaces (totally 5 member interfaces), at the same time setting up SD-WAN on the datacenter side (3 member interfaces or 4), then you set the same criteria on both sides to use one of them at a time per traffic type for both directions.

    But I haven't seen a report on the forum from whom succeeded this yet.

     

    Ehamby
    Ehamby
    New Member
    December 31, 2019

    Instead of differentiating distance you may want to use priority instead.  Generally we make tunnel-interface's with /32 IP's assigned.  We then run the link-monitor's over those tunnels with the tunnel-interface IP's being the source and destination of the link-monitor check.  This way the primary and failover tunnel is up and ready to go, the routes are in the routing table, and there is no need for the secondary tunnel to negotiate or come online.  Ultimately this leads to faster failover times and by setting IP's on the tunnel interfaces you have more granularity in how you configure your link-monitor policies.  Also if you ever decide to run OSPF or BGP over the tunnel's you already have IP's on them ready to go.  

     

    Also make sure to setup a blackhole route for all private IP space.  This way the Fortigate will never forward the traffic to its default gateway/s if the tunnel is down.  

    Terms & ConditionsAccessibility statement