FlavioB
New Member
October 10, 2011
Question

VPN in Failover configuration?

  • October 10, 2011
  • 5 replies
  • 5223 views
Hello everybody. I've set up a Fortigate 60C with an Internet link on WAN1. On this link, I'm also running an IPSec VPN tunnel to another FGT60C (remote office). Now I have a second line, which I want to use as a failover (on WAN2). What I should configure is to have the same policies applied to WAN2, set the routing priorities and configure a ping host. But what do I have to do for the VPN to come up again when WAN1 goes down and WAN2 becomes the main outgoing link? As far as I've seen, the VPN Phase 1 is bound to one interface only... Thanks in advance and kind regards, F.

    5 replies

    emnoc
    New Member
    October 10, 2011
    The easy fix would be to build 2 VPN tunnels with static routes in interface (route) mode. Then you can run both tunnels; just set the route priorities (distance) for the one side that you prefer and the correct firewall policies. Make sure DPD is enabled and have at it. With the Fortigate, you can also run a dynamic routing protocol if so desired, but that would be more work. Good luck
    FlavioB (Author)
    New Member
    October 10, 2011
    Hello emnoc. I've just been thinking about the same procedure: always have 2 open VPN tunnels (one on WAN1, one on WAN2) and simply have traffic prioritised to go through the main (WAN1) link when it is up. One last question: what happens to running sessions in the VPN tunnel when a WAN failover event occurs? Would they be cut off? Thanks, F.
    ede_pfau
    SuperUser
    October 10, 2011
    Hi, have a look at the chapter "Redundant VPN connections" in the FortiOS Handbook, or the IPSec Guide. With a parameter that you set via the CLI you can instruct a backup VPN to monitor the primary VPN and step in if the primary fails (for whatever reason, not only line failure).
    emnoc
    New Member
    October 10, 2011
    What ede is referring to is the set monitor-phase1; this is similar to the Juniper vpnmonitor feature. On the question about the session states, I would assume that since the sessions are already in the table, they would continue on. But when you build your redundant VPN tunnels, you can test this to see if it's true.
    ede_pfau
    SuperUser
    October 10, 2011
    I disagree here. I think the design and intention of an IPSec tunnel is such that if a tunnel goes down, all sessions across this tunnel are terminated instantly. If (by a redundant setup) a backup tunnel is built up, then new sessions have to be established, as sessions are tied to interfaces in the session table. I'd recommend configuring the tunnels to re-establish automatically (a phase1 parameter) instead of the regular traffic-driven build-up.
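
Below is an added FortiOS CLI example that pulls together what emnoc and ede_pfau describe above: two interface-mode phase1s (one per WAN), DPD on both, the WAN2 tunnel set to monitor the WAN1 tunnel so it only comes up when the primary fails, auto-negotiate so the tunnels re-establish without waiting for traffic, and two static routes with different distances so the WAN1 tunnel wins while it is up. It is not configuration from the original thread or from Fortinet documentation. The tunnel names, the subnets 192.168.1.0/24 (local) and 192.168.2.0/24 (remote), the remote gateway address 198.51.100.1, the interface name "internal" and the policy IDs are all made up for illustration; the remote FGT60C is assumed to carry the mirror-image configuration (two phase1s pointing at this unit's WAN1 and WAN2 public addresses). Note that in FortiOS the monitor knob lives on the phase1-interface object as `set monitor`, and the automatic re-establishment knob lives on the phase2-interface object as `set auto-negotiate`; check the CLI reference for the exact FortiOS version you run, because the DPD keyword changed from `set dpd enable` (4.x) to `set dpd on-idle` (5.x and later).

```text
# --- Phase 1: one tunnel per WAN interface, both in interface (route) mode ---
config vpn ipsec phase1-interface
    edit "to-remote-wan1"
        set interface "wan1"
        set remote-gw 198.51.100.1        # remote office public address (made up)
        set dpd on-idle                   # 4.x: "set dpd enable"
        set dpd-retryinterval 5
        set psksecret <shared-secret>     # replace; keep it out of version control
    next
    edit "to-remote-wan2"
        set interface "wan2"
        set remote-gw 198.51.100.1
        set dpd on-idle
        set dpd-retryinterval 5
        set monitor "to-remote-wan1"      # backup: only negotiated while the primary is down
        set psksecret <shared-secret>
    next
end

# --- Phase 2: auto-negotiate so the tunnel is rebuilt without waiting for traffic ---
config vpn ipsec phase2-interface
    edit "to-remote-wan1-p2"
        set phase1name "to-remote-wan1"
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
    edit "to-remote-wan2-p2"
        set phase1name "to-remote-wan2"
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# --- Routing: same destination via both tunnel interfaces, primary has the lower distance ---
config router static
    edit 10
        set dst 192.168.2.0 255.255.255.0
        set device "to-remote-wan1"
        set distance 10
    next
    edit 11
        set dst 192.168.2.0 255.255.255.0
        set device "to-remote-wan2"
        set distance 20                   # falls into the routing table only when tunnel 1 is down
    next
end

# --- Policies: identical rules for each tunnel interface, in both directions ---
config firewall policy
    edit 100
        set srcintf "internal"
        set dstintf "to-remote-wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 101
        set srcintf "to-remote-wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 102
        set srcintf "internal"
        set dstintf "to-remote-wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 103
        set srcintf "to-remote-wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To verify the failover, bring up the configuration, confirm only "to-remote-wan1" is up with `get vpn ipsec tunnel summary` (or `diagnose vpn tunnel list`), then pull the WAN1 cable: DPD should mark the primary dead after the retry interval, the monitor setting should negotiate "to-remote-wan2", and the distance-20 route should appear in `get router info routing-table all`. Existing TCP sessions that were pinned to the first tunnel interface will have to be re-established by the clients, which is the behaviour ede_pfau describes; if you instead drop `set monitor` and give both routes the same distance with different priorities, both tunnels stay up permanently, but the session-table behaviour on failover is still something to test on your own FortiOS build rather than assume.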