| Description | This article describes on how to create redundancy with IPsec and MPLS link. |
| Scope | All Fortigate versions. |
| Solution |
This is regarding the scenario where the users are looking to create remote connectivity primarily with the MPLS link and secondarily as a redundant path to the IPsec tunnel.
Since the routes provided to both will be on the basis of the AD value/priority or the SD-WAN rules .
Along with the routing, the best recommendation will also be to create a link monitor.
To make efficient redundancy, link monitor will be configured to keep the health of the interface in check.
- Performance SLA link health monitoring measures the health of links that are connected to SD-WAN member interfaces by either sending probing signals through each link to a server, or using session information that is captured on firewall policies and measuring the link quality based on latency, jitter, and packet loss.
- Here, the server will be set as the remote gateway of the other peer's wan interface IP and when the probe packets are lost, the traffic will be automatically routed towards the IPsec tunnel considering the primary MPLS link is down.
- SLA targets will make sure that if those targets are not match, the routes on that link are removed from the SD-WAN link load balancing group, and traffic is routed through other links.
- When the link is working again the routes are reestablished. This prevents traffic being sent to a broken link and lost.
It is also possible to configure link monitoring if static routes are used for both the links from CLI , there is no option for GUI for same:
Reference links: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Link-monitor/ta-p/197504
https://docs.fortinet.com/document/fortigate/latest/administration-guide/580649/link-health-monitor |
|
|
