chanec
New Member
March 17, 2018
Question

Redundant Site to Site VPN with 2 or 3 lines between branches and HQ

Would like to check the possibilities to implement:

1. Redundant Site to Site VPN with 2 or 3 lines between branches and HQ.
2. Branches can directly access the Internet rather than going through HQ.

Lines:
Line 1 - Metro E - Fixed IP
Line 2 - Broadband - Dynamic IP
Line 3 - 3G/4G - Dynamic IP

Questions:
1. Is it possible to build a redundant site-to-site VPN with the above lines, so we can load balance and auto fail-over both VPN and Internet?
2. Can chosen applications be prioritized?
3. What is the recommended Fortigate model for branches with 30 or 50 users? And for HQ if it has to handle 7 or up to 70 branches?
4. Any other areas we should look into or take into consideration for this kind of implementation?
5. Is it possible if we only use 1 broadband and 1 3G/4G line, with both running Dynamic IP?

Fortigate Cookbook
Here is the Fortigate Cookbook I found, but it is based on Fixed IP: http://cookbook.fortinet....oyment-example-expert/


    mahesh_secure
    New Member
    March 28, 2018

    Hi

    Questions: 1. Is it possible to build a redundant site-to-site VPN with the above lines, so we can load balance and auto fail-over VPN and Internet?

    ANS:

        1. Static route configuration. You can add multiple static routes to the same destination with different distance values.

        2. Config OSPF routing on both ends to load balance the VPN.

    2. Can chosen applications be prioritized?

    ANS:

        Specific IP traffic can be routed through a particular tunnel. You can also use the traffic shaping option.

    3. What is the recommended Fortigate model for branches with 30 or 50 users? And HQ if it has to handle 7 or up to 70 branches?

    ANS:

        For 30 users you can use the FortiGate 30E, and above 50 use the FortiGate 60E. In HQ use the FortiGate 100E for better throughput.

    4. Any other areas we should look into or take into consideration for this kind of implementation?

    ANS:

        Find a Fortinet partner.

    5. Is it possible if we only use 1 broadband and 1 3G/4G line with both running Dynamic IP?

    ANS:

        Better use a dedicated leased line in HQ with a static IP address. You can also use the FortiDDNS free dynamic DNS service.

    Regards

    Mahesh

    rwpatterson
    New Member
    March 28, 2018

    An addition: If the institution is growing, you may wish to order a larger device for the HQ head end. Also, before you go out and buy dozens of 30E units, I would try one first. They may not fulfill your needs 100%. They are very...underpowered? Your mileage may vary. All dependent on how many value added features you plan on using with the box. Strictly VPN it may work. Web filtering, AV, etc. may stress it to the point of bringing it screaming to its knees.