Fortinet Forum
pieciaq
New Contributor III

Keep VPN IPSec tunnels up

Hi all,

 

I would like to know whether there is a possibility to keep VPN IPsec tunnels up when they are linked to the backup interface (WAN2) and backup ISP.

I have an FGT60E with WAN1 (ISP 1) and WAN2 (ISP 2, backup). On WAN1 there is an IPsec tunnel to another FGT, and on WAN2 there is a different IPsec tunnel (needed as backup) to a different location.

In Static Routes, WAN1 has a lower distance (8) than WAN2 (10), and the tunnels linked to WAN2 are down. Is there a possibility to make them always up? Of course the WAN2 interface is up.

I have Auto-negotiate and Autokey Keep Alive enabled.

When WAN1 goes down and WAN2 starts to pass traffic, the tunnels come up and send data with no problem.

 

Pieciaq
1 Solution
pminarik
Staff

Hi pieciaq,

If the WAN2 route has a worse admin distance, that route will not be active => the IPsec tunnel on WAN2 will not have a route to the peer => the tunnel will stay down.
You need the admin distances to be equal so that both routes are available (but set WAN1's priority to a better value so that the primary WAN1 is used for all outgoing internet traffic, unless overridden by policy routes or SD-WAN rules).

[ test signature, please ignore ]
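As an added example of the configuration pminarik describes (this is not from the original post, and the gateway addresses 203.0.113.1 / 198.51.100.1 are constructed placeholders), both default routes are given the same distance so that both stay active in the routing table, while a lower (better) priority value on WAN1 keeps it preferred for ordinary outbound traffic. It assumes both WAN interfaces use static addressing:

```fortios
config router static
    edit 1
        # Primary ISP on WAN1: same distance as WAN2, better (lower) priority
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        # Backup ISP on WAN2: equal distance keeps this route active,
        # so the IPsec tunnel bound to WAN2 always has a route to its peer
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 10
    next
end
```

After applying this, `get router info routing-table all` should list the default route via both wan1 and wan2 (with the original 8 vs 10 distances, `get router info routing-table database` shows the WAN2 route only as an inactive candidate), and `diagnose vpn ike gateway list` shows whether each IKE gateway has established. If the WAN interfaces obtain their addresses by DHCP or PPPoE, the distance and priority for the learned default route are set on the interface itself (`set distance` / `set priority` under `config system interface`) rather than in `config router static`.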
