Skip to main content
Alex_talmage
Alex_talmage
New Member
December 15, 2016
Question

WAN Link Load Balancing with DUAL WAN and IPSEC tunnel per WAN interface?

  • December 15, 2016
  • 1 reply
  • 8974 views

Hi Guys,

 

I've searched far and wide for an answer to my query and cannot find it anywhere! So hoping you can help.

 

I am configuring a new Fortigate 800D running 5.4.2. It will have dual WAN interfaces over different ISPs, so to cater for this I have configured WAN Link Load Balancing. All this is working perfectly.

 

The stumbling block I'm hitting is creating redundant IPSEC tunnels to the same remote IP. So scenario is:

 

Site 1 = two WAN connections 1.1.1.1 and 2.2.2.2

Site 2 = 1 WAN connection 3.3.3.3

 

I have created two IPSEC tunnels at both sites. Site 1 has one for each source WAN connection, going to the remote IP 3.3.3.3 and site 2 has 1 for each remote WAN IP, going from the same source IP 3.3.3.3.

 

The first IPsec tunnel comes up fine. The 2nd one doesn't and a diag debug application ike -1 shows "error 101:Network is unreachable".

 

Checking the routing monitor, it shows the default route is statically configured to use the wan1 connection (where the ip of the working IPSEC tunnel resides). The static route I've actually configured points to the wan-load-balance virtual interface that is created as part of WLLB.

 

Have I hit an incompatibility here or is there a workaround so that I can get IPSEC tunnels up to both WAN links in a WLLB config?

1 reply

FirewallNoob
FirewallNoob
New Member
April 24, 2017

I know this is an old post but I have the same issue - can't seem to get both WAN1 and WAN2 at site 1 to use the same IP for Site 2. Only site 1 has redundant internet - Site 2 only has 1 link.

Any info on this?

Alex_talmage
Alex_talmageAuthor
New Member
April 24, 2017

Hi FirewallNoob. This was a while ago, our issue was the way that Wan Link Load Balancing had been configured on the Fortigate with redundant WAN connections. WLLB was configured to use the "Volume" Load Balancing Algorithm, and weighted 100 on one WAN link and 0 on another. This was done as the 2nd WAN link was intended to be used as a backup link, and only to be used in the event of an outage on WAN1. Unfortunately, setting the weight to 0 removes routes from the routing table, causing the issue described here.

 

Instead, we have selected the "Source IP" load balancing algorithm. Each static route now has 2x routes, one for each WAN link. The routes for the secondary wan link are configured with a priority of 100 whilst the routes for the primary link are configured with a priority of 0, meaning the fortigate uses the primary wan link unless down and WLLB does it stuff.

 

So in the first instance, I would check how WLLB is configured to see if its this that's causing the issue

FirewallNoob
FirewallNoob
New Member
April 24, 2017

Got it. Thanks for the update!

Terms & ConditionsAccessibility statement