FortiGate
epinheiro
Staff
Article Id 273292
Description

This article describes how to configure the VRRP IP address as the local VPN gateway address.

The IP address of a VPN gateway is usually the IP address of the network interface that connects to the Internet, but it can also be changed.
The existing setup is not affected by the VPN settings.

Scope

VRRP VIP, IPsec, VPN, Phase1, Site-to-Site VPN, local VPN gateway, peer.

Solution
  1. Check the VRRP VIP by executing the following command 'get router info vrrp':

 

VRRP_Master.jpg

 

VRRP_Backup.jpg

 

  2. On the local FortiGate, modify the phase1 settings using the GUI:

 

Phase1_GUI.jpg

 

  3. On the CLI:
  • If using a policy-based tunnel:

config vpn ipsec phase1
     edit "SiteA"
         set interface port1
         set local-gw 192.168.63.200
     next
end

 

  • If using a route-based tunnel:


config vpn ipsec phase1-interface
     edit "SiteA"
         set interface port1
         set local-gw 192.168.63.200
     next
end

 

  4. On the remote FortiGate, point the remote gateway to the VRRP VIP instead of the physical interface IP:

 

RemotePeer_Settings.jpg

 

  5. IPsec Monitor on the local FortiGate:

 

Monitor_1.jpg

 

  6. IPsec Monitor on the remote FortiGate:

 

Monitor_2.jpg
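
The following Python check is an added example, not part of the original article or any Fortinet tooling. It parses a FortiOS-style configuration excerpt and reports, for each phase1 entry, whether its local-gw is a VRRP VIP (vrip) configured on the same interface. The sample configuration, the mismatched "SiteB" tunnel and the function names are constructed assumptions.

```python
import shlex
# Constructed config excerpt, not from the article. SiteB is a deliberate mismatch.
SAMPLE = '''
config system interface
    edit "port1"
        config vrrp
            edit 1
                set vrip 192.168.63.200
            next
        end
    next
end
config vpn ipsec phase1-interface
    edit "SiteA"
        set interface "port1"
        set local-gw 192.168.63.200
    next
    edit "SiteB"
        set interface "port1"
        set local-gw 192.168.63.250
end
'''

def parse(text):
    """Map each 'edit' path, e.g. ('system interface', 'port1'), to its 'set' values."""
    stack, entries = [], {}
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], " ".join(tok[1:])))
            if tok[0] == "edit":
                entries[tuple(n for _, n in stack)] = {}
        elif tok[0] == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif tok[0] == "end":  # 'end' with no 'next' also closes the open edit
            while stack and stack.pop()[0] == "edit":
                pass
        elif tok[0] == "set" and len(tok) > 2:
            entries.get(tuple(n for _, n in stack), {})[tok[1]] = " ".join(tok[2:])
    return entries

def check_local_gw(text):
    """Per phase1: (tunnel, interface, local-gw, local-gw is a VRRP VIP on that interface)."""
    entries = parse(text)
    vips = {(p[1], kv["vrip"]) for p, kv in entries.items()
            if p[0] == "system interface" and p[2:3] == ("vrrp",) and "vrip" in kv}
    return [(p[1], kv.get("interface"), kv["local-gw"],
             (kv.get("interface"), kv["local-gw"]) in vips)
            for p, kv in entries.items()
            if p[0].startswith("vpn ipsec phase1") and "local-gw" in kv]
```

A False in the last field means the tunnel's local-gw is not a VRRP VIP on its bound interface, so the tunnel address would not follow a VRRP failover.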

 

 
