Author: princes (Staff)
Article Id 380529
Description: This article describes the challenges in IPsec tunnel failover when the remote gateway is a non-FortiGate device.
Scope: FortiGate.
Solution

In cases with multiple IPsec tunnels for failover purposes, FortiGate has multiple options to perform failover.

 

1. Use the same distance value for multiple IPsec tunnels and keep different priorities for the static routes associated with the tunnels.

Example:

[Diagram: IPSEC_lab.png]

In the above diagram, the static routes on FG-1 have to be set up with the same distance for both VPN-1 and VPN-2, and different priorities. The route with the lowest priority value will be preferred.

In this scenario, both routes and both tunnels will be in an active state.
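The following is an added configuration example for option 1 and is not taken from the article. It assumes FortiOS 7.x CLI syntax, that the phase1-interfaces are already named VPN-1 and VPN-2 as in the diagram, and uses a constructed remote LAN 192.168.100.0/24 as the destination:

```text
config router static
    edit 1
        set dst 192.168.100.0 255.255.255.0   <- constructed sample remote LAN
        set device "VPN-1"
        set distance 10
        set priority 1                        <- lowest value: VPN-1 is preferred
    next
    edit 2
        set dst 192.168.100.0 255.255.255.0
        set device "VPN-2"
        set distance 10                       <- same distance keeps both routes active
        set priority 10                       <- higher value: VPN-2 is the backup
    next
end

get router info routing-table all             <- both routes present, VPN-1 route used for forwarding
get router info routing-table database        <- shows all candidate routes, including inactive ones
diagnose vpn ike gateway list                 <- confirms both tunnels are established
```

When VPN-1 goes down, its interface route disappears from the routing table and the VPN-2 route takes over without any further intervention; when VPN-1 recovers, traffic returns to it because of the lower priority value. Check the remote side's preference with the same test traffic in both directions, because a mismatch produces the asymmetric return path described further below.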

 

2. Use the set monitor option under the IPsec phase1-interface:

config vpn ipsec phase1-interface
    edit VPN-2
        set monitor VPN-1   <- Primary tunnel.
    next
end


In this scenario, only VPN-1 will be in an active state and VPN-2 will stay down. As soon as VPN-1 goes down, VPN-2 will become active.

 

3. Create the IPsec tunnels with SD-WAN:

Go to the SD-WAN zone, add a member, then select the + VPN icon. The wizard page opens, and the IPsec tunnels are configured as with the normal IPsec wizard.

 

For this failover, the configuration should have a proper SD-WAN SLA setup with the update static route option enabled.

This is the recommended setup from the FortiGate end.
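The following is an added CLI equivalent of the SD-WAN setup described above; it is not part of the article. It assumes FortiOS 7.x syntax, the tunnel interfaces VPN-1 and VPN-2, and constructed values for the zone name, health-check name, SLA thresholds and the monitored host 192.168.100.1 (a host reachable only through the tunnels):

```text
config system sdwan
    set status enable
    config zone
        edit "vpn-zone"                       <- constructed zone name
        next
    end
    config members
        edit 1
            set interface "VPN-1"
            set zone "vpn-zone"
            set priority 1                    <- preferred member
        next
        edit 2
            set interface "VPN-2"
            set zone "vpn-zone"
            set priority 10                   <- backup member
        next
    end
    config health-check
        edit "vpn-sla"                        <- constructed health-check name
            set server "192.168.100.1"        <- constructed: probed through each member
            set members 1 2
            set update-static-route enable    <- withdraw the member's route when the check marks it dead
            config sla
                edit 1
                    set latency-threshold 250
                    set packetloss-threshold 5
                next
            end
        next
    end
end

config router static
    edit 3
        set dst 192.168.100.0 255.255.255.0   <- constructed sample remote LAN
        set sdwan-zone "vpn-zone"
    next
end

diagnose sys sdwan health-check               <- per-member latency, jitter and packet loss
diagnose sys sdwan member                     <- member status and which one is currently selected
```

With update-static-route enabled, a member that fails the health check has its route removed from the routing table, which is what moves traffic to the secondary tunnel as the next paragraph describes; a member whose IPsec tunnel is up but whose probes are lost (for example, because the remote side has stopped forwarding) is therefore also taken out of service, which plain tunnel-state monitoring would not catch.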

 

If the tunnel goes down, the route will be removed from the routing table and traffic will shift to the secondary tunnel with an active route.

Problems arise if the FortiGate sends traffic via VPN-1 as preferred, but the remote end replies through VPN-2 instead.

 

If the tunnel is with AWS, there is no option to set up tunnels as either the primary or secondary on the remote end.

In this case, it is only possible to make one tunnel preferred through best-route selection on the remote end.

 

Make sure the primary tunnel is always in sync with the remote end gateway (both ends should keep VPN-1 as the primary).

 

Related article:

Technical Tip: IPsec VPN: Site-to-Site tunnel monitor