Fortinet Forum
hervaltelecom
New Contributor III

Help with multiple VPNs.

Hello all!

I have a question about multiple VPNs and routing. It's actually more about suggestions to improve my configuration. These are my interface, routing, VPN and gwdetect configurations.

INTERFACES:

config system interface
    edit "dmz"
        set vdom "root"
        set mode dhcp
        set distance 10
        set allowaccess ping https ssh snmp
        set vlanforward enable
        set type physical
        set description "Connection to the secondary internet provider's modem."
        set alias "VIVO 20Mbps"
        set snmp-index 1
        set defaultgw enable
        set dns-server-override disable
    next
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set distance 5
        set allowaccess ping https
        set vlanforward enable
        set type physical
        set description "Connection to the site's primary internet provider's modem."
        set alias "NET 60Mbps"
        set snmp-index 2
        set defaultgw enable
        set dns-server-override disable
    next
    edit "internal1"
        set vdom "root"
        set ip 10.11.3.254 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
        set vlanforward enable
        set type physical
        set snmp-index 6
    next
    edit "VPN"
        set vdom "root"
        set vlanforward enable
        set type tunnel
        set snmp-index 11
        set interface "wan2"
    next
    edit "VPN_B"
        set vdom "root"
        set type tunnel
        set snmp-index 13
        set interface "dmz"
    next
end

ROUTING CONFIG:

config router static
    edit 1
        set device "VPN"
        set dst 172.16.0.0 255.240.0.0
        set priority 10
    next
    edit 6
        set device "VPN_B"
        set distance 15
        set dst 172.16.0.0 255.240.0.0
        set priority 15
    next
end

VPN:

config vpn ipsec phase1-interface
    edit "VPN"
        set interface "wan2"
        set dhgrp 2
        set mode aggressive
        set proposal aes128-sha1
        set localid "id1"
        set npu-offload disable
        set remote-gw 222.222.222.222
        set psksecret ENC ENCRYPTED PASSWORD
    next
    edit "VPN_B"
        set interface "dmz"
        set dhgrp 2
        set mode aggressive
        set proposal aes128-sha1
        set localid "id1"
        set npu-offload disable
        set remote-gw 222.222.222.222
        set psksecret ENC ENCRYPTED PASSWORD
    next
end

config vpn ipsec phase2-interface
    edit "VPN"
        set keepalive enable
        set phase1name "VPN"
        set proposal aes128-sha1
        set src-subnet 10.11.3.0 255.255.255.0
    next
    edit "VPN_B"
        set keepalive enable
        set phase1name "VPN_B"
        set proposal aes128-sha1
        set src-subnet 10.11.3.0 255.255.255.0
    next
end

GWDETECT:

config router gwdetect
    edit 1
        set interface "wan2"
        set server "222.222.222.222"
    next
end

This is how my network works: primary external access (internet) goes through WAN2, as does the primary VPN to the main office. Access to internal stuff is controlled through routes, this one actually:

    set device "VPN"
    set dst 172.16.0.0 255.240.0.0 (this is my main office's internal network)
    set priority 10
next

and a mirrored one to the second VPN.

Brief explanation:

In the event of the primary internet going down, there is a secondary VPN that is attached to the DMZ port. It is linked to a lower-capacity internet connection, but it works OK! Switching between VPNs is controlled through the gwdetect. The main difficulty I have is that, though the switching from the main to the backup VPN works, my setup has difficulty going back to the main one when it is restored, most of the time forcing me to remove the DMZ cable.

Any ideas? I thought about matching my VPN distances and priorities to the distances of the interfaces they are linked to, but I don't know if it could cause unknown effects.

Help is appreciated.

Thank you!

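An added example, not part of the original post and not a Fortinet reference configuration, showing one way to get automatic failback between the two tunnels: the primary phase1 runs dead peer detection so the "VPN" tunnel interface is actually marked down when the peer stops answering, the backup phase1 uses the `monitor` option so that "VPN_B" is negotiated only while "VPN" is down and is torn down again when "VPN" recovers, and the two static routes keep different distances so only the route over the active tunnel is installed. The gwdetect entry from the post is left unchanged for the ISP default route. Interface names, the peer address 222.222.222.222, the localid and the subnets are copied from the post; the DPD timers and the distances are assumed values, and `set dpd enable` is the FortiOS 5.0 keyword (on 5.2 and later the equivalent is `set dpd on-idle`). The `#` lines are comments for the reader.

```text
config vpn ipsec phase1-interface
    edit "VPN"
        set interface "wan2"
        set dhgrp 2
        set mode aggressive
        set proposal aes128-sha1
        set localid "id1"
        set npu-offload disable
        set remote-gw 222.222.222.222
        # DPD: probe the peer when idle and declare the tunnel dead after
        # three unanswered probes (assumed timers: 5 s interval, 3 retries)
        set dpd enable
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set psksecret ENC ENCRYPTED PASSWORD
    next
    edit "VPN_B"
        set interface "dmz"
        set dhgrp 2
        set mode aggressive
        set proposal aes128-sha1
        set localid "id1"
        set npu-offload disable
        set remote-gw 222.222.222.222
        # Backup tunnel: brought up only while "VPN" is down and
        # brought down again once "VPN" is re-established
        set monitor "VPN"
        set psksecret ENC ENCRYPTED PASSWORD
    next
end

config vpn ipsec phase2-interface
    edit "VPN"
        set phase1name "VPN"
        set proposal aes128-sha1
        set keepalive enable
        # Re-dial the primary without waiting for user traffic, so it
        # comes back as soon as the main ISP link is usable again
        set auto-negotiate enable
        set src-subnet 10.11.3.0 255.255.255.0
    next
    edit "VPN_B"
        set phase1name "VPN_B"
        set proposal aes128-sha1
        set keepalive enable
        set src-subnet 10.11.3.0 255.255.255.0
    next
end

config router static
    # Primary route: lowest distance, so it is preferred whenever "VPN" is up
    edit 1
        set device "VPN"
        set dst 172.16.0.0 255.240.0.0
        set distance 10
    next
    # Backup route: higher distance (assumed value), so it is only installed
    # in the routing table while route 1 is absent
    edit 6
        set device "VPN_B"
        set dst 172.16.0.0 255.240.0.0
        set distance 15
    next
end
```

Distance decides which of two routes to the same destination is installed; priority only breaks ties between routes of equal distance, so once the distances differ the priority values from the original routes add nothing. After applying, `diagnose vpn tunnel list` shows which tunnel is up and `get router info routing-table all` shows which of the two 172.16.0.0/12 routes is active; unplug wan2 and watch route 6 replace route 1, then plug it back and confirm route 1 returns and VPN_B goes down on its own.

Separately from failover: both dmz and wan2 take their addresses from the ISP modems yet allow administrative access (https, ssh and snmp on dmz, https on wan2). If either modem passes a public address through, that management interface is reachable from the internet; restricting allowaccess on the ISP-facing ports to what is strictly needed and managing the unit from internal1 or over the tunnel is the usual practice.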