Created on 01-05-2018 03:56 PM Edited on 08-19-2024 10:14 PM By Jean-Philippe_P
Description
This article describes how to provide redundancy when there is more than one VPN to the same remote destination, by giving the static route of the primary VPN a lower Administrative Distance than the static route of the backup VPN.
Solution
Routing to subnet 192.168.1.0/24 is available through "VPN1" and "VPN2". The static route through "VPN1" has the lower Administrative Distance (10, against 11 for "VPN2"), so it is the one installed in the active routing table and the route through "VPN2" stays inactive. If "VPN1" fails (with DPD enabled, the tunnel interface goes down when the peer is declared dead), its route is withdrawn from the active routing table and the route through "VPN2" is installed. When "VPN1" recovers, its lower-distance route is preferred again. Giving both routes the same distance would instead install both and load-balance traffic, which is not the intent here. The inactive backup route can be seen with "get router info routing-table database", while "get router info routing-table all" shows only the active route.
Two VPNs with the same remote destination IP (10.9.9.1). The phase1 values below (aes128-sha1, DH group 2) are those of the example and must match the remote peer; DH group 2 and SHA-1 are legacy choices, so use a stronger group and hash where the peer supports them. Each static route needs its own ID:
config vpn ipsec phase1-interface
    edit "VPN1"
        set interface <wan_interface>
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dpd on-idle
        set comments ""
        set dhgrp 2
        set remote-gw 10.9.9.1
        set psksecret <pre_shared_key>
        set dpd-retryinterval 5
    next
    edit "VPN2"
        set interface <wan_interface>
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dpd on-idle
        set comments ""
        set dhgrp 2
        set remote-gw 10.9.9.1
        set psksecret <pre_shared_key>
        set dpd-retryinterval 5
    next
end
config router static
    edit <id>
        set dst 192.168.1.0 255.255.255.0
        set device "VPN1"
        set distance 10
    next
    edit <id>
        set dst 192.168.1.0 255.255.255.0
        set device "VPN2"
        set distance 11
    next
end
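The following Python model is an added example, not FortiOS code or part of the original article. It mimics the route-selection rule the configuration above relies on (only routes whose egress interface is up are candidates, and among those the lowest Administrative Distance wins) and walks through the failover: both tunnels up, VPN1 declared dead by DPD, VPN1 restored. Device names, prefix and distances are the article's; the link states and the two contrasting misconfigurations (equal distances, and a "primary" given the higher distance) are constructed for illustration.

```python
"""Static-route selection by Administrative Distance, modelled in Python.

Added example for the article, not FortiOS code. Among static routes for
the same prefix, only those whose egress interface is up are candidates,
and the lowest distance wins. Device names, prefix and distances are the
article's (VPN1/VPN2, 192.168.1.0/24, 10 and 11); link states are
constructed scenarios.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class StaticRoute:
    dst: str       # destination prefix, e.g. "192.168.1.0/24"
    device: str    # egress interface (here an IPsec tunnel interface)
    distance: int  # Administrative Distance; lower is preferred


# The article's configuration: primary tunnel at distance 10, backup at 11.
ARTICLE_ROUTES = [
    StaticRoute("192.168.1.0/24", "VPN1", 10),
    StaticRoute("192.168.1.0/24", "VPN2", 11),
]

# Two ways to get it wrong (constructed for contrast).
EQUAL_DISTANCE_ROUTES = [          # both installed: traffic is load-balanced
    StaticRoute("192.168.1.0/24", "VPN1", 10),
    StaticRoute("192.168.1.0/24", "VPN2", 10),
]
INVERTED_ROUTES = [                # the "primary" given the higher distance
    StaticRoute("192.168.1.0/24", "VPN1", 11),
    StaticRoute("192.168.1.0/24", "VPN2", 10),
]


def active_routes(routes: List[StaticRoute], link_up: Dict[str, bool]) -> List[StaticRoute]:
    """Routes for one prefix that the active routing table would hold.

    A static route pointing at a tunnel interface is withdrawn as soon as
    that interface is down (with DPD, when the peer is declared dead). Of
    the remaining candidates, every route sharing the lowest distance is
    installed; more than one survivor means equal-cost load balancing.
    """
    candidates = [r for r in routes if link_up.get(r.device, False)]
    if not candidates:
        return []
    best = min(r.distance for r in candidates)
    return [r for r in candidates if r.distance == best]


def active_devices(routes: List[StaticRoute], link_up: Dict[str, bool]) -> List[str]:
    """Egress interface(s) actually carrying traffic, sorted for stable output."""
    return sorted(r.device for r in active_routes(routes, link_up))


def failover_sequence(routes: List[StaticRoute]) -> List[List[str]]:
    """Walk the article's scenario: both tunnels up, VPN1 dead, VPN1 restored."""
    states = [
        {"VPN1": True, "VPN2": True},    # steady state
        {"VPN1": False, "VPN2": True},   # DPD takes VPN1 down
        {"VPN1": True, "VPN2": True},    # VPN1 comes back; lower distance wins again
    ]
    return [active_devices(routes, s) for s in states]


if __name__ == "__main__":
    for name, routes in (("article", ARTICLE_ROUTES),
                         ("equal distance", EQUAL_DISTANCE_ROUTES),
                         ("inverted", INVERTED_ROUTES)):
        print(f"{name:15s} up/down/up -> {failover_sequence(routes)}")
```

Running it shows the article's configuration moving VPN1 -> VPN2 -> VPN1 across the three states, the equal-distance variant load-balancing over both tunnels whenever both are up, and the inverted variant sending traffic over VPN2 even while VPN1 is healthy, which is the behaviour the distance values 10 and 11 are chosen to avoid.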
Reference: Redundant route-based VPN configuration example
Note: Versions 5.0 up to 6.4 are out of engineering support, so these commands might differ on newer versions. Consider upgrading the firmware on the device to a supported version (7.0 up to 7.6). Check the firmware path and compatibility for the hardware in the Upgrade tool.
Tested in the lab and it worked correctly.