FortiGate
pcavalcante
Article Id 273840
Description

This article describes the process of configuring an IPsec VPN as a failover route to maintain uninterrupted internet access in the event of a primary ISP connection failure.

The scenario involves two sites, Site1 and Site2, where the primary objective is to establish an IPsec VPN tunnel through Site2 to ensure continuous connectivity for critical operations, even during network interruptions.

Scope

Imagine a scenario with two sites, Site1 and Site2. To ensure continuous internet access at Site1, the goal is to establish an IPsec VPN tunnel through Site2 as a failover route in case Site1's primary ISP link goes down. This configuration maintains seamless connectivity even in the face of network interruptions.

[Image: Scenario.png]

Solution

Step 1: Configure a Dummy Network Between the Peers (Perform on Both Sites).

Begin by creating a dummy network between Site1 and Site2. This is a fundamental step for routing internet traffic through the IPsec tunnel.

On Site1:

  1. Navigate to Network -> Interfaces.
  2. Edit the PORT used for the IPsec interface.
  3. Set a dummy network IP Address, such as 10.0.0.1/32.

[Image: Dummy1.png]

On Site2:

Perform identical steps as Site1 but assign the IP Address as 10.0.0.2/32.

Step 2: Adjust IPsec Configuration (Perform on Both Sites).

Update the IPsec Phase 2 selectors to permit all traffic through the IPsec tunnel. Modify the Local and Remote Addresses to 0.0.0.0/0.0.0.0.

[Image: IPSEC.png]

Step 3: Configure SD-WAN (Perform on Site1).

  1. Create an SD-WAN Zone including the WAN and IPsec interfaces. The zone encompasses both interfaces and is essential for traffic management and failover.
    • Go to Network -> SD-WAN.
    • Select Create New -> SD-WAN Member.
    • Select the WAN interface.
    • Select OK.
    • Create another member for the IPsec interface following the same steps.

[Image: Members.png]

Step 4: Create 2 SD-WAN Rules (Perform on Site1).

Establish two SD-WAN rules to effectively manage traffic.

Rule 1 - IPsec Traffic:

This rule steers traffic between the local subnet and the remote site's subnet into the IPsec tunnel.

  1. Navigate to Network -> SD-WAN.
  2. Select SD-WAN Rules.
  3. Select Create New.
  4. Add the Local Subnet object as the Source Address.
  5. Add the Destination Subnet object as the Destination Address.
  6. Choose Manual for Outgoing interfaces.
  7. Add the IPsec interface to Interface Preferences.
  8. Select OK.

[Image: IPSEC Traffic.png]

Rule 2 - Default Traffic:

This rule sends all other traffic out the WAN interface first and over the IPsec interface when the WAN link is unavailable.

  1. Navigate to Network -> SD-WAN.
  2. Select SD-WAN Rules.
  3. Select Create New.
  4. Add the 'all' object as the Source Address.
  5. Add the 'all' object as the Destination Address.
  6. Choose Manual for Outgoing interfaces.
  7. Add the WAN interface and then the IPsec interface (in this order) to Interface Preferences.
  8. Select OK.

[Image: Defaul Traffic.png]

Step 5: Set Up Performance SLAs to Enable Traffic Failover.

[Image: SLA.png]
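The same Site1 configuration expressed in the FortiOS CLI, as an added example that is not part of the original article. The interface names (wan1, site2), the phase 2 name, the address objects Local_Subnet and Destination_Subnet, the WAN gateway and the health-check server are assumed values; the remote-ip on the tunnel and the gateway on the WAN member are added here so that each SD-WAN member has a usable next hop.

```text
# Step 1: dummy /32 address pair on the IPsec tunnel interface (name "site2" assumed).
config system interface
    edit "site2"
        set ip 10.0.0.1 255.255.255.255
        set remote-ip 10.0.0.2 255.255.255.255
    next
end
# Step 2: phase 2 selectors widened to 0.0.0.0/0 so internet traffic matches the tunnel.
config vpn ipsec phase2-interface
    edit "site2-p2"
        set phase1name "site2"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# Steps 3 to 5: members (WAN first), a Performance SLA probing both paths, two rules.
config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "site2"
        next
    end
    config health-check
        edit "internet"
            set server "198.51.100.10"
            set members 1 2
        next
    end
    config service
        edit 1
            set name "ipsec-traffic"
            set mode manual
            set src "Local_Subnet"
            set dst "Destination_Subnet"
            set priority-members 2
        next
        edit 2
            set name "default-traffic"
            set mode manual
            set src "all"
            set dst "all"
            set priority-members 1 2
        next
    end
end
```

Site2 mirrors Steps 1 and 2 with the 10.0.0.1 and 10.0.0.2 addresses swapped; firewall policies permitting the tunnelled traffic on both sites are assumed to already exist.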