Hameed01
New Member
June 3, 2020
Question

IPSEC VPN failover using two ISP links


Hello,

We have multiple IPSEC site-to-site VPNs in our office. Currently, all our VPNs are configured using the 1st ISP link (our Fortinet firewall's WAN1 IP is the remote gateway for the VPNs). Recently we bought another link and connected it to our Fortinet firewall's WAN2 interface. How can I convert or reconfigure all these VPNs with a failover concept, so that if ISP 1 fails the VPN works over ISP 2? Kindly need your advice to achieve this. Thanks.

    sw2090
    SuperUser
    June 5, 2020

    I'd be interested in this too.

    emnoc
    New Member
    June 5, 2020

    Your best method is to enable a dynamic routing protocol and assign a /30 or /31 on the vpn links. Treat them like wan links or private lines and it will failover with no effort. Just set the metric on what link you want.

    hint: If you have a big enterprise with multiple subnets being carried, you can maybe do a hacked load-balance,

    e.g.

    LINK1   SRC/DST 10.10.10.0/24 <> 10.20.10.0/24 metric 100
    LINK2   SRC/DST 10.10.10.0/24 <> 10.20.10.0/24 metric 1000

    LINK1   SRC/DST 10.10.11.0/24 <> 10.20.11.0/24 metric 1000
    LINK2   SRC/DST 10.10.11.0/24 <> 10.20.11.0/24 metric 100

    Or something to that nature. SDWAN is an option, but I have seen many issues with vpn-interfaces as SDWAN members. I would review this video, upgrade to the latest version and give it a spin:

    https://video.fortinet.com/latest/sd-wan-dual-vpn-tunnel-to-data-center

    Make sure to use dynamic routing with the vpn-interface if you do SDWAN.

    YMMV, provide feedback if your SDWAN with vpn-members does not give you any issues.

    Ken Felix

    sw2090
    SuperUser
    June 5, 2020

    Thanks Ken!

    Well, I already do failover this way with all my point-to-point tunnels. But it will surely be helpful to the thread starter.

    I'd still be interested to know if that works for dial up tunnels too.

    Hameed01 (Author)
    New Member
    June 6, 2020

    Hi,

    Thank you for the information. I will test and update you by Sunday.

    One more thing: for testing this, do I need to create one more VPN tunnel on the other-end FortiGate with my device's wan2 IP as the VPN gateway?

    Hameed01 (Author)
    New Member
    June 10, 2020

    Hi,

    To test the VPN failover, I created a tunnel between our main site and backup site. I followed the steps below:

    1. Created two VPN tunnels

    2. Created a zone and added the two tunnels

    3. Created a static route for the destination subnet with different distances, 10 and 20

    4. Since we have overlapping subnets at both sites, we created an IP pool and a Virtual IP. But the problem is, I am not able to map the virtual IP to the created zone, hence I selected interface "any"

    5. Created two firewall policies

    6. I repeated the same procedure at the backup site

    When I disable the wan1 interface of the main site, the secondary tunnel comes up automatically. But the issue is we are not able to reach the systems' subnets at either end. Since we are not able to map the virtual IP to the zone, we are facing this issue.

    Is there any other option to overcome this? Thanks
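The static-route variant of the failover described in this thread (steps 1 to 3: two tunnel interfaces, one zone, routes at distance 10 and 20), written out as an added FortiOS CLI example that is not from the thread or from Fortinet. Interface names, peer addresses, subnets and the PSK placeholder are assumptions; the firewall policies (step 5) are omitted, and the overlapping-subnet/VIP problem is not addressed, so the example assumes distinct subnets at each site.

```fortios
# Constructed example (assumed names/addresses): primary tunnel over wan1, backup over
# wan2, both to the same remote FortiGate; <PSK_PLACEHOLDER> stands in for the real key.
config vpn ipsec phase1-interface
    edit "vpn-wan1"
        set interface "wan1"
        set remote-gw 198.51.100.10   # peer's primary public IP (assumed)
        set psksecret <PSK_PLACEHOLDER>
        set dpd on-idle               # DPD pulls the tunnel interface down when the peer is dead
        set dpd-retryinterval 5
    next
    edit "vpn-wan2"
        set interface "wan2"
        set remote-gw 198.51.100.20   # peer's backup public IP (assumed)
        set psksecret <PSK_PLACEHOLDER>
        set dpd on-idle
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "vpn-wan1-p2"
        set phase1name "vpn-wan1"
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 10.20.10.0 255.255.255.0
    next
    edit "vpn-wan2-p2"
        set phase1name "vpn-wan2"
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 10.20.10.0 255.255.255.0
    next
end
# One zone holding both tunnel interfaces, so a single policy pair covers either path
config system zone
    edit "vpn-zone"
        set interface "vpn-wan1" "vpn-wan2"
    next
end
# Same destination via both tunnels: the distance-10 route is used while vpn-wan1 is up;
# when wan1 or DPD takes that interface down, the distance-20 route via vpn-wan2 becomes active
config router static
    edit 10
        set dst 10.20.10.0 255.255.255.0
        set device "vpn-wan1"
        set distance 10
    next
    edit 20
        set dst 10.20.10.0 255.255.255.0
        set device "vpn-wan2"
        set distance 20
    next
end
```

The remote FortiGate needs the mirror image: two phase1 interfaces whose remote-gw values are this site's wan1 and wan2 addresses, with its own pair of routes back to 10.10.10.0/24 at the same two distances.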