Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jorisboth
New Contributor

Redundant IPSec VPN Tunnel setup

A customer of mine has got two separate internet connections for redundancy, both fiber (one 50mbit, one 10mbit). We've placed two 100Ds for routing and they now want redundancy on the IPSec VPN tunnel that goes to our datacenter (which also has two 100Ds).

The internet redundancy itself is configured with two static routes for 0.0.0.0/0 to the gateway of the provider with a lower priority for the 50mbit line, this works as is.

I thought to do the same with the IPSec tunnels, so I created two tunnels, one for each provider. Below are the details:

Tunnel 1:
Name: CBB-Tele2
Local IP: 87.213.15.74
Remote GW: 212.114.98.85
Outgoing Interface: WAN_Tele2

Tunnel 2:
Name: CBB-KPN
Local IP: 89.255.49.166
Remote GW: 212.114.98.66
Outgoing interface: WAN_KPN

I’ve created two routes for the remote subnet and given them the correct priorities so that the Tele2 line is used as a primary interface.

I’ve triple checked the Phase 1 and 2 settings on both ends; they are correct.

Now for the strange part. When the Tele2 line is UP, the KPN IPSec tunnel won’t come UP. I’ve checked the log and the following error messages come up:

logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action=negotiate remip=212.114.98.85 locip=89.255.49.166 remport=500 locport=500 outintf="WAN_KPN" cookies="da5a6859015431c0/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=negotiate_error reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"

As you can see, the fortigate tries to connect to the Remote GW of the Tele2 interface over the KPN line, which isn’t going to work.

Shortly after that, I get the following log entry:

logdesc="progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=212.114.98.66 locip=89.255.49.166 remport=500 locport=500 outintf="WAN_KPN" cookies="c961a8fb7f030cd5/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="CBB-KPN" status=success init=local mode=main dir=outbound stage=1 role=initiator result=OK

This seems to be OK, but a Phase 2 is never initialized. Instead it just shows the first error message again (and then the second and so on).

As soon as I bring the Tele2 interface back up, the IPSec tunnel for the Tele2 line comes online and everything is working again.

I’ve also tried connecting both of the IPSec tunnels to the same remote GW; this didn’t work either. Both of the IPSec Remote GW IP addresses are on the WAN interface of my firewall in the datacenter.

How can I fix this issue? What is the correct configuration for such a setup?

ashukla_FTNT
Staff

Create host routes (/32) for the remote gateway address through the corresponding interface. It should fix the problem.

Otherwise you will have to give the same priority to both default routes so that both remain active and the firewall can reach the remote gateway through the correct interface.

You can control the VPN traffic by changing the priority for the remote protected network route.

In your current setup, when the firewall looks for a route to the remote gateway address during VPN negotiation, it is not available through the second ISP.
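The following FortiOS CLI configuration is an added example illustrating the host-route fix above; it is not from the thread or from Fortinet. Interface names and peer addresses are the ones posted in the question; the ISP next-hop addresses and the remote protected subnet are placeholders, and it assumes both tunnels are interface-mode (route-based) IPsec so that routes can point at the tunnel interfaces.

```fortios
# Added example (not from the original thread): pin each IPsec peer to its
# own WAN link with a /32 host route, then prefer one tunnel for the remote
# subnet by priority. ISP gateways and the 10.10.10.0/24 subnet are placeholders.
config router static
    # Reach the Tele2-facing peer only via WAN_Tele2
    edit 10
        set dst 212.114.98.85 255.255.255.255
        set gateway 192.0.2.1          # placeholder: Tele2 next-hop
        set device "WAN_Tele2"
    next
    # Reach the KPN-facing peer only via WAN_KPN, even while the
    # Tele2 default route is the active one
    edit 11
        set dst 212.114.98.66 255.255.255.255
        set gateway 198.51.100.1       # placeholder: KPN next-hop
        set device "WAN_KPN"
    next
    # Remote protected network via both tunnels at the same distance;
    # the lower priority value is preferred, so CBB-Tele2 carries traffic
    # while it is up and CBB-KPN takes over when it goes down
    edit 20
        set dst 10.10.10.0 255.255.255.0   # placeholder: datacenter subnet
        set device "CBB-Tele2"
        set priority 1
    next
    edit 21
        set dst 10.10.10.0 255.255.255.0   # placeholder: datacenter subnet
        set device "CBB-KPN"
        set priority 10
    next
end
```

To verify, `get router info routing-table details 212.114.98.66` should now list WAN_KPN as the outgoing interface regardless of which default route is active, and the subsequent phase 1 log entries for CBB-KPN should show remip=212.114.98.66 rather than the Tele2 peer. The same host routes are needed on the datacenter side if that firewall also has two uplinks.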
