Skip to main content
KPS
KPS
New Member
May 11, 2018
Question

Fortigate - DualWAN to DualWAN IPSEC

  • May 11, 2018
  • 1 reply
  • 2928 views

Hi!

 

I need to setup a redundant installation:

 

1. Headquater:

Two Internet-Lines - each one with static IP

 

2. BranchOffices:

One "main" Internet-Line and a backup-line (3G)

 

 

I need a stable IPSEC connection - no matter which one of the 4 ISPs has an outage.

 

At the moment, the setup is running with Bintec-Devices:

- In the HQ one IPSEC tunnel is defined

- In every BO: two tunnels are defined (one for each static IPs of the HQ)

--> If one connection in the HQ fails, the second IPSEC-peer is established

--> If the main-connection in the BO fails, the other one is used

 

 

I am not able to set this up on the Fortigates:

- There seem to be no "on-demand-IPSEC-tunnels" --> The FG is trying to establish both tunnels

- If I define two tunnels on both sides, there is no alive check for the routing. How can I tell the FG to just use "running" tunnels?

- As a tunnel seems to need an interface-binding, I would have to create 4 Tunnels on every BO. Is this right?

 

 

How would you do that setup?

 

Thank you for your help and sorry for the long post...

 

KPS

    1 reply

    cjw
    cjw
    New Member
    May 11, 2018

    You are correct you would need 4 tunnels in each BO. 

     

    You can either use dynamic routing and keep all tunnels up - or use a combination of other Fortigate features.

     

    1. You can set a tunnel to be a backup and come up only when another one fails. Do this by editing the phase1-interface in the cli [config vpn ipsec phase1-interface; edit XYZ] and settings "set monitor "PRIM_TUNNEL_NAME". This is enough if you just want to monitor tunnel failure. You still need static routes - usually same distance but different priority so that routing still happens when the primary tunnel fails. 

     

    2. If you want to monitor IP failure, you also need to use the cli to "config system link-monitor". Look that one up, but it basically just lets you ping a host or interface address (recommended) on the other side and update the static routes accordingly. This one would allow you to have both tunnels up with same distance, but different priority and then the link-monitor would update your static routes for you. 

     

    I hope that helps!

     

     

    Terms & ConditionsAccessibility statement