FW1 has ISP1 connected to FW2 ISP3
FW1 has ISP2 connected to FW2 ISP3.
FW1 ISP1 and ISP2 are configured as SDWAN interfaces.
Will this design work?
So when FW2 wants to go to FW1, how does it choose to go to FW1?
Which one will be given priority?
Hello,
Thank you for contacting Fortinet support. You can refer to the KB below in order to understand how to configure it.
Above documents support the way you want to configure your network.
Best Regards,
Piyush
Excellent reply but I have another question.
What if:
FW1 has ISP1 connected to FW2 ISP3
FW1 has ISP2 connected to FW2 ISP3.
FW1 ISP1 and ISP2 are not SDWAN.
What will be the route selection practice then?
Hi @BusinessUser,
If you are not using SD-WAN, you need to create separate static routes for each tunnel. You can give those routes the same distance but different priorities.
If you want to control what traffic should go through which tunnel, you can use policy routes.
Regards,
Thank you for contacting Fortinet support. Please refer to the KB below in order to understand redundant IPsec tunnel configuration.
Can I piggyback and ask if this provides more granular control than just using link-monitor? I have always used link-monitor for IPsec tunnel redundancy and SD-WAN for WAN redundancy.
if you are not using sdwan for the ipsec itself the answer is simple: you :)
In this case you have to have redundant routing with prio and distance set the way you want the VPNs to be used. It will then primarily use the one that has the lowest routing prio. If they have the same prio it will choose the lowest distance. If that tunnel goes down it will switch over to the other one.
Did that with numerous IPSec S2S Tunnels for years. Meanwhile I switched over to sdwan vpn because that only needs one route and sdwan does the rest then ;)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
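As an added example (not configuration posted by anyone in this thread), here is what the redundant static-route arrangement described in the two replies above looks like in FortiOS CLI form, together with a policy route for per-traffic steering. The tunnel interface names `to-FW2-ISP1` and `to-FW2-ISP2`, the remote subnet 10.20.0.0/24, the source subnet 10.10.5.0/24 and the internal interface name `internal` are assumed placeholders.

```fortios
# Two static routes to the same remote subnet, one per IPsec tunnel interface
# (phase1 names assumed). Both carry the same distance so both stay installed in
# the routing table; the lower priority value is preferred while both tunnels are
# up, and the other route takes over when the preferred tunnel goes down.
config router static
    edit 1
        set dst 10.20.0.0 255.255.255.0
        set device "to-FW2-ISP1"
        set distance 10
        set priority 5
    next
    edit 2
        set dst 10.20.0.0 255.255.255.0
        set device "to-FW2-ISP2"
        set distance 10
        set priority 10
    next
end

# Optional: force one source subnet over the second tunnel regardless of the
# static-route preference, as suggested for controlling which traffic uses which
# tunnel. Policy routes are evaluated before the routing table.
config router policy
    edit 1
        set input-device "internal"
        set src "10.10.5.0/255.255.255.0"
        set dst "10.20.0.0/255.255.255.0"
        set output-device "to-FW2-ISP2"
    next
end
```

Two points worth checking in such a setup: only routes with the lowest distance are installed, so if the two routes are given different distances the priority value never comes into play and the second route only appears once the first tunnel is down; and failover depends on the tunnel interface actually going down, so dead peer detection (or a link-monitor) on the phase1 is what withdraws the failed route.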
oh probably I should mention that sdwan vpn was introduced with FortiOS 7.0.x. So it is not supported in older FortiOSes. Just fyi...