Fortinet Forum
FortDoog
New Contributor

Traffic routing between IPSec Tunnels

Greetings.

This is quite a newbie question, so please bear with me, as I have only started using this brand very recently.

In our office, we have several IPsec tunnels to several partners.

On this particular FortiGate 200F, we have two WANs, a main and a secondary.

Usually we use static routing to force most of the traffic via the main, and if the partner's tunnel goes down, it will go via the secondary.

So far, it works as expected (we want all the traffic to go through the main, and only go to the secondary if the main goes down, on either side).

But I am trying to find out how to make this more "reliable", especially in the odd case of only losing communication on the tunnel while the tunnel itself does not go down or takes some time to do so.

This particular case does happen, for example, when connected to AWS tunnels. They take some time to go up or down, and I would like to devise a way for our side to detect this faster and make the switch-over automatically.

Or, in the odd case that the tunnel stays up but no communication is coming through, to try the secondary and stay on it until the main comes back.

So far, the only fix that I have found is to disable the static route for the main tunnel and wait until the partners email me saying that the main tunnel "should" be OK. As you can see, this method is troublesome.

I would like to implement something more automatic without forcing too much change, if any, on the current configuration (to avoid outages and headaches). I was thinking of RIP, but I don't know if there are other options using health checks or other functions that I have not seen yet.

Cheers.

"Well, hello there"
jintrah_FTNT
Staff

Hi,

You can enable DPD (dead peer detection) to get the tunnel brought down in about a minute (with the default settings) instead of waiting for the timeout. Please see Technical Tip: Configuring DPD (dead peer detectio... - Fortinet Community

Best regards,

Jin
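As an added illustration of the DPD suggestion above (this is example configuration written for this thread, not Jin's or the original poster's config, and not taken from the linked Technical Tip), the FortiOS CLI fragment below does two things. First it turns on DPD on the primary tunnel's phase1-interface so IKE itself notices a dead peer; with the defaults (on-demand, 20 s retry interval, 3 retries) that takes roughly a minute, and tightening the interval shortens it. Second, because DPD only covers the case where IKE stops answering, it adds a link-monitor that pings a host on the far side through the tunnel and withdraws the static route when the probes fail, which covers the "tunnel stays up but nothing gets through" case the original poster described. The tunnel names `aws-primary` and `aws-secondary`, the probe target `10.50.0.1`, the destination prefix `10.50.0.0/16` and the distances are all assumptions for the example; substitute your own. The `#` lines are annotations, not part of the configuration.

```fortios
# Assumed phase1-interface names: aws-primary (preferred) and aws-secondary (backup).
config vpn ipsec phase1-interface
    edit "aws-primary"
        # on-idle: send DPD probes even when no traffic flows, so a silent peer is
        # detected on a quiet tunnel as well. Default is on-demand, 20 s interval, 3 retries.
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
    next
    edit "aws-secondary"
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
    next
end

# Two static routes to the partner network (assumed 10.50.0.0/16).
# The backup route carries a higher distance, so it only becomes active
# once the primary route is withdrawn; equal distances would load-balance instead.
config router static
    edit 10
        set dst 10.50.0.0 255.255.0.0
        set device "aws-primary"
        set distance 10
        set comment "partner via main tunnel"
    next
    edit 11
        set dst 10.50.0.0 255.255.0.0
        set device "aws-secondary"
        set distance 20
        set comment "partner via backup tunnel"
    next
end

# Link monitor: ping an assumed host on the partner side (10.50.0.1) through the
# primary tunnel. After failtime consecutive failures the routes that use
# aws-primary are removed from the routing table (update-static-route), so the
# distance-20 route via aws-secondary takes over; after recoverytime successes
# they are reinstated and traffic returns to the main tunnel automatically.
config system link-monitor
    edit "aws-primary-probe"
        set srcintf "aws-primary"
        set server "10.50.0.1"
        set protocol ping
        # interval is in seconds on older FortiOS releases and in milliseconds
        # on newer ones; check the unit on your firmware before copying this value.
        set interval 1000
        set failtime 3
        set recoverytime 5
        set update-static-route enable
        set status enable
    next
end
```

The probe target must actually answer ICMP and must be reachable only through the monitored tunnel, otherwise the monitor reports a healthy link that carries no real traffic; the partner side also needs a policy that allows the pings, and firewall policies on your FortiGate must exist for both tunnel interfaces or the failover route will be useless. To check the state after applying this, `diagnose sys link-monitor status` shows the probe result, `get router info routing-table all` shows which of the two routes is currently installed, and `diagnose vpn ike gateway list` shows the DPD-driven IKE state of each tunnel.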

Toshi_Esumi
Esteemed Contributor II

One of our customers uses BGP from their two AWS appearances to two of our network entry points, where their internal network resides, for redundancy.

 

Toshi
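As an added example of the BGP approach Toshi mentions (this is illustrative configuration written for this thread, not the customer's configuration he refers to and not AWS documentation), the fragment below runs eBGP over two route-based tunnels to AWS and prefers one of them with a higher local preference. The point for the original question is that BGP keepalives and hold time give a second, traffic-independent liveness check: if the AWS side stops answering over the primary tunnel, the session drops after the hold time and the prefixes learned over the backup session take over, with no manual route edits. The tunnel names, the 169.254.10.0/30 and 169.254.20.0/30 inside addresses, the local AS 65000, the remote AS 64512, the advertised prefix 10.0.0.0/16 and the timers are all assumptions for the example; AWS supplies the actual inside addresses, ASN and pre-shared keys for each tunnel in the downloadable VPN configuration.

```fortios
# Assumed tunnel interfaces aws1 (preferred) and aws2 (backup), each with the
# AWS-assigned inside /30; the remote-ip is the AWS end of that /30.
config system interface
    edit "aws1"
        set ip 169.254.10.2 255.255.255.255
        set remote-ip 169.254.10.1 255.255.255.252
        set allowaccess ping
    next
    edit "aws2"
        set ip 169.254.20.2 255.255.255.255
        set remote-ip 169.254.20.1 255.255.255.252
        set allowaccess ping
    next
end

# Route-maps applied inbound: prefixes learned over aws1 get a higher local
# preference than the same prefixes learned over aws2, so aws1 is chosen while
# its session is up and aws2 is used only when the aws1 session is gone.
config router route-map
    edit "aws-prefer-primary"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
    edit "aws-prefer-backup"
        config rule
            edit 1
                set set-local-preference 100
            next
        end
    next
end

config router bgp
    set as 65000
    set router-id 169.254.10.2
    config neighbor
        edit "169.254.10.1"
            set remote-as 64512
            set route-map-in "aws-prefer-primary"
            # Short timers so a silent peer is detected in 30 s instead of the
            # 180 s default hold time. Both sides must agree on usable values.
            set keep-alive-timer 10
            set holdtime-timer 30
            set soft-reconfiguration enable
        next
        edit "169.254.20.1"
            set remote-as 64512
            set route-map-in "aws-prefer-backup"
            set keep-alive-timer 10
            set holdtime-timer 30
            set soft-reconfiguration enable
        next
    end
    # Assumed office prefix advertised to AWS over both sessions; AWS then
    # returns traffic over whichever tunnel it prefers, which is why the
    # original poster's "either side" concern also needs the AWS-side
    # preference set (for example with AS-path prepending on the backup).
    config network
        edit 1
            set prefix 10.0.0.0 255.255.0.0
        next
    end
end
```

Static routes for the partner prefix must be removed once BGP carries it, or the static route (default distance 10) will always win over the eBGP route (distance 20) and the failover never happens. `get router info bgp summary` shows the state and prefix count of each session, and `get router info bgp network` shows which path is currently best.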

Avihaa
New Contributor

A traffic selector is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses. With this feature, you can define a traffic selector within a specific route-based VPN, which can result in multiple Phase 2 IPsec security associations (SAs).