Skip to main content
Brenden
Brenden
Explorer
July 8, 2024
Solved

Two IPSec tunnels with a single WAN connection

  • July 8, 2024
  • 1 reply
  • 2901 views

I have 50+ remote branch offices that use Fortigates with a single WAN connection, which uses one IPsec tunnel back into our Primary HQ. However, we would like to add a second IPsec tunnel as a backup path at another location at Secondary HQ FG. Is there more than one way to set this up? If so, what are those setups, and which is more feasible to do? My end goal is when the IPsec tunnel goes down because Primary HQ route is not active, it should route to the Secondary HQ automatically. Also, FG is running firmware 7.2.

 

I heard others recommend using two IPsec tunnels and also creating a BGP neighbor as an option. I wasn't sure if there were any other ideas.

Best answer by Toshi_Esumi

If you're expecting to fail-over automatically to the secondary path per location basis, you need to have a routing protocol like BGP to advertise the same route over two IPsec tunnels per location. I recommend eBGP (different AS per location) in case you need to connect a remote to a remote now or in the future, to avoid problems come with iBGP (one AS for all locaitons).

 

I'm assuming you have direct connection between the primary FGT/HQ and the secondary FGT/HQ over a circuit or IPsec tunnel and sharing routes each other. Between them you might choose iBGP(same AS). Or even eBGP would work fine.

In that case, you just need to set the local preference lower than the default 100 on the secondary HQ FGT for the routes coming from all remote locations so that HQ uses the primary route to send traffic toward the remote locations.
On the other hand, at all remote locations, you just need to set the location preference lower than the default 100 on the routes learned over the secondary HQ IPsec. This takes care of the traffic direction from the remote locations to HQ.

Toshi

1 reply

Toshi_Esumi
SuperUser
Toshi_EsumiAnswer
SuperUser
July 8, 2024

If you're expecting to fail-over automatically to the secondary path per location basis, you need to have a routing protocol like BGP to advertise the same route over two IPsec tunnels per location. I recommend eBGP (different AS per location) in case you need to connect a remote to a remote now or in the future, to avoid problems come with iBGP (one AS for all locaitons).

 

I'm assuming you have direct connection between the primary FGT/HQ and the secondary FGT/HQ over a circuit or IPsec tunnel and sharing routes each other. Between them you might choose iBGP(same AS). Or even eBGP would work fine.

In that case, you just need to set the local preference lower than the default 100 on the secondary HQ FGT for the routes coming from all remote locations so that HQ uses the primary route to send traffic toward the remote locations.
On the other hand, at all remote locations, you just need to set the location preference lower than the default 100 on the routes learned over the secondary HQ IPsec. This takes care of the traffic direction from the remote locations to HQ.

Toshi

    Terms & ConditionsAccessibility statement