Dialup site to site vpn with dual wan and dynamic IPs
I'm just looking for some best practices here and what would be the most reliable and redundant setup. My setup is a FortiGate 200E in our datacenter with 2 WANs with static IPs.
We have a couple of retail stores with 60Es and we want to implement some redundancy with their internet. The primary internet connection has a dynamic IP. We are going to be adding LTE modems that will have a dynamic IP.
What is the best way to set this up for VPN and auto failover? I have very little experience with dialup IPsec, and that was only with ASAs using reverse route injection. Do people prefer using dynamic DNS over dialup?
Here is my proposed setup using dialup:
datacenter wan1 to retail wan1 using dialup vpn and peer id 1
datacenter wan2 to retail wan2 (cellular) using dialup vpn and peer id 2
Create routes for both VPN connections with a lower priority for wan2 to wan2.
I know for more redundancy I could do wan1 to wan2 and wan2 to wan1, but the ISPs drop so rarely that I think the chances of 2 going down simultaneously are slim to none. I also want to keep this as simple as possible.
Any thoughts?
