FortiGate
ekrishnan
Staff
Article Id 241066
Description

This article describes one method of attaining partial redundancy when one FortiGate has a single WAN connection and the peer FortiGate has two or more WAN (ISP) connections.

Scope: Site-to-Site IPsec VPN, static route.
Solution


Create separate IPsec tunnel interfaces corresponding to each WAN connection on the peer end.

Representation:

FGT1: FortiGate with one WAN connection.

FGT2: FortiGate with two WAN connections.

Tunnel corresponding to ISP1 on peer FGT2:

On FGT1:

# config vpn ipsec phase1-interface
    edit "to-ISP1"
        set interface "port1"
        set mode aggressive
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set comments "VPN: to-ISP1 (Created by VPN wizard)"
        set dhgrp 2
        set remote-gw 10.47.2.106
        set psksecret ENC xxxxxx
    next
end

Tunnel corresponding to ISP2 on peer FGT2 (also configured on FGT1):

# config vpn ipsec phase1-interface
    edit "to-ISP2"
        set interface "port1"
        set mode aggressive
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set comments "VPN: to-ISP2 (Created by VPN wizard)"
        set dhgrp 2
        set nattraversal disable
        set remote-gw 10.47.18.106
        set psksecret ENC xxxxxxxxxx
    next
end

Note: Phase 2 and firewall policies are configured accordingly.

- After the above configuration, and still on FGT1, configure the static routes as required.

Note: The configuration below shows two routes to the same destination behind peer FGT2. The static route via the ISP2 tunnel is configured with a higher priority value, which makes that tunnel the secondary route (the route with the lower priority value is preferred).

# config router static
    edit 7
        set dst 10.232.0.0 255.255.0.0
        set device "to-ISP1"
        set priority 10        <----- Priority value is 10 (the default value).
    next
    edit 8
        set dst 10.232.0.0 255.255.0.0
        set device "to-ISP2"
        set priority 20        <----- Priority value is set to '20', higher than the default '10', so this route is secondary.
    next
end

Configuration on FGT2 (the FortiGate with two or more ISPs):

# config vpn ipsec phase1-interface
    edit "ISP1 tunnel"
        set interface "port1"
        set mode aggressive
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set dhgrp 2
        set remote-gw 10.47.19.94
        set psksecret ENC xxxxxxx
    next
end

# config vpn ipsec phase1-interface
    edit "ISP2 tunnel"
        set interface "port3"
        set mode aggressive
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set dhgrp 2
        set nattraversal disable
        set remote-gw 10.47.19.94
        set psksecret ENC xxxxxxx
    next
end

Similarly, phase 2 and firewall policies are configured accordingly.

Static routes are created for each tunnel, as on FGT1:

# config router static
    edit 7
        set device "ISP1 tunnel"
        set dst 10.213.0.0 255.255.0.0
        set priority 10        <----- Priority value is 10 (the default value).
    next
    edit 5
        set device "ISP2 tunnel"
        set dst 10.213.0.0 255.255.0.0
        set priority 20        <----- Higher priority value, so this tunnel is treated as secondary.
    next
end

Note: On both FGT1 and FGT2 both tunnels show as up, but only the primary tunnel (default priority '10') carries the traffic; the secondary tunnel carries traffic only when the primary tunnel fails.

- Both routes are present in the routing table as well.

- This method uses IKEv1 in aggressive mode; the same setup can also be done with IKEv2 using the network overlay ID (the network-id setting).
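To make the route selection above concrete, here is a small added model (not code from the article or from Fortinet) of how the two FGT1 static routes behave. It assumes the FortiOS behaviour described in the notes: a route whose tunnel interface is down leaves the routing table, and among routes to the same destination the lowest distance wins, then the lowest priority; the `is_primary_backup` check and the `tunnel_up` dictionary are assumed helpers for illustration.

```python
"""Added example, not from the article: a model of how FortiOS selects between
the article's two FGT1 static routes. Assumed FortiOS behaviour: a route whose
IPsec interface is down leaves the routing table; among routes to one
destination the lowest distance wins, then the lowest priority (default 10);
equal distance and priority would give ECMP rather than primary/backup."""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class StaticRoute:
    seq: int           # "edit <seq>" number
    dst: str           # destination in CIDR form
    device: str        # tunnel interface name
    distance: int = 10
    priority: int = 10

# The article's FGT1 routes (edit 7 and 8), with the mask written as a prefix.
FGT1_ROUTES = [
    StaticRoute(7, "10.232.0.0/16", "to-ISP1", priority=10),
    StaticRoute(8, "10.232.0.0/16", "to-ISP2", priority=20),
]

def routing_table(routes, tunnel_up):
    """Routes that stay in the routing table: those whose tunnel is up."""
    return [r for r in routes if tunnel_up.get(r.device, False)]

def select_route(routes, tunnel_up, dest_ip):
    """Route used for dest_ip: longest prefix, then lowest distance, then
    lowest priority. Returns None when no route matches."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routing_table(routes, tunnel_up)
                  if ip in ipaddress.ip_network(r.dst)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (
        -ipaddress.ip_network(r.dst).prefixlen, r.distance, r.priority))

def is_primary_backup(routes):
    """True when exactly one route holds the best (distance, priority), so the
    pair acts as primary/backup instead of ECMP load sharing."""
    best = min((r.distance, r.priority) for r in routes)
    return sum(1 for r in routes if (r.distance, r.priority) == best) == 1

if __name__ == "__main__":
    both_up = {"to-ISP1": True, "to-ISP2": True}
    print(select_route(FGT1_ROUTES, both_up, "10.232.5.9").device)    # to-ISP1
    isp1_down = {"to-ISP1": False, "to-ISP2": True}
    print(select_route(FGT1_ROUTES, isp1_down, "10.232.5.9").device)  # to-ISP2
```

With both tunnels up, both routes are in the table but traffic uses to-ISP1; when to-ISP1 goes down, its route is withdrawn and to-ISP2 takes over, which is the behaviour the notes describe.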


Related articles:

https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-an...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-VPN-Site-to-Site-between/...