FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sferreira
Staff
Staff
Description
To Provide redundancy when there is more than one VPN to the same remote destination configure a higher Administrative Distance in the primary route to the static route of the primary VPN. 

Solution
Routing to subnet 192.168.1.0/24 is available through "VPN1" and "VPN2",  "VPN1" has a higher Administrative Distance (10) so the route through "VPN2" is inactive. If "VPN1" fails, its route disappears from the Active Routing Table and the route through "VPN2" comes up.

Two VPNs with the same Remote Destination IP (10.9.9.1):


config vpn ipsec phase1-interface
    edit VPN1
        set interface <wan_interface>
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dpd on-idle
        set comments ""
        set dhgrp 2
        set remote-gw 10.9.9.l
        set psksecret ENC
        set dpd-retryinterval 5
    next


config vpn ipsec phase1-interface
    edit VPN2
        set interface <wan_interface>
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dpd on-idle
        set comments ""
        set dhgrp 2
        set remote-gw 10.9.9.l
        set psksecret ENC
        set dpd-retryinterval 5
    next


config router static
  
   edit <id>
        set dst  192.168.1.0 255.255.255.0
        set device "VPN1"
        set distance 10
    next

  
edit <id>
        set dst  192.168.1.0 255.255.255.0
        set device "VPN2"
        set distance 11
    next
   

Ref : Redundant route-based VPN configuration example


Contributors