downlinkvip
New Member
January 15, 2020
Solved

Create VPN tunnels with two WAN link.

  • January 15, 2020
  • 1 reply
  • 25496 views
Hi guys,

 

I haven't implemented this before, so please tell me whether it is possible to implement it like below:

Our FortiGate at HQ has two FTTH WAN lines (WAN1, WAN2). I have configured two default routes with the same distance but different priority (we have some DMZ servers, so we want access to these servers by VIP on both WAN links).

At the branch, we just have one FTTH WAN (WAN1). Currently, we just have one IPsec VPN site-to-site tunnel from WAN1 of the branch firewall to WAN1 of the HQ firewall, named "VPN tunnel 1".

Is it possible to create another IPsec VPN site-to-site tunnel, e.g. from WAN1 of the branch firewall to WAN2 of the HQ firewall? I attached a sample topology for reference. Thanks for reading.

    Best answer by emnoc

    What do you mean by default route? Are you planning on routing the branch local LAN traffic across the two tunnels? Again, if yes, then set /32 static routes to the HQ wan1/wan2 end-points for the VPN (IPsec / IKE) and then use a routing protocol (OSPF or RIP) and inject a default route to the branch.

    At the branch you will advertise the local LAN network(s) only, and then you control traffic with policies at the branch and HQ. You can adjust which IPsec tunnel you would use by either metric/priority or even RIP offset.

     

    Ken Felix

     


    emnoc
    New Member
    January 15, 2020

    Yes, you can do that, and use a routing protocol, for example, over the tunnels for the local/remote subnets that the phase2 TS carries.

     

    Ken Felix

    downlinkvip
    New Member
    January 16, 2020

    Hi @emnoc,

     

    Thanks for the reply. I want to understand more about this. For example, if I set up a default route (with lower priority) through WAN1, must all VPN setup packets go through WAN1 (the default route) first, or can they use their own default route (with higher priority) to reach WAN1 (of the branch firewall)? Please help.

    Yurisk
    SuperUser
    January 16, 2020

    You have 2 (mostly) unrelated steps here:

    1. You set up 2 IPsec tunnels from the branch to the HQ, which should be up.

    2. Once step 1 is done you will have 2 VPN interfaces in the Network tab corresponding to the 2 IPsec tunnels; through which interface you route the remote LANs is up to you. If you run a dynamic routing protocol, then you use the priorities of the given routing protocol. If, on the other hand, you use static routes, then add routes to the remote LANs via both VPN interfaces, but set a different priority on one of the routes to force all IPsec traffic to pass through the specific IPsec tunnel. If that prioritized IPsec tunnel goes down, the FG will delete the route to the remote LANs through it and will install the 2nd route via the 2nd tunnel.
    2. Now, once step 1 is done you will have 2 VPN interfaces in Network tab corresponding to 2 IPSec tunnels , through which interface you route the remote LANs is up to you. If you run dynamic routing protocol then you use priorities of the given routing protocol. If, on the other hand, you use static routes, then add routes to remote LANs via both VPN interfaces, but set different priority on one of the routes to force all IPsec traffic to pass the specific IPsec tunnel. If that prioritized Ipsec tunnel goes down, FG will delete the route to remote LANs through it, and will install the 2nd route via 2nd tunnel.