Currently running an ADVPN (BGP) with a couple dozen spokes. All the spokes have a single WAN connection. Now one of the sites wants to add a redundant WAN connection. There are two hubs at the 'hub', so if ISP 1 at the hub goes down, the spokes fail over to Hub ISP 2. On the spokes, the backup hub monitors the first hub. How can I add a 3rd ADVPN connection from the spoke which would use spoke WAN2 if spoke WAN1 fails?
config vpn ipsec phase1-interface
    edit "ADVPN-PRIMARY"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set wizard-type spoke-fortigate-auto-discovery
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set remote-gw <ISP1 at HUB>
    next
    edit "ADVPN-BACKUP"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set wizard-type spoke-fortigate-auto-discovery
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set remote-gw <ISP2 at HUB>
    next
end
I just assumed you were using SD-WAN since the tunnels were named ADVPN. If you are just using routes and the fact that the tunnel is up/down to control the traffic, you don't have to, but SD-WAN will give you a lot more control and monitoring capabilities.
You can create the two new tunnels I mentioned but use the option "set monitor <primary tunnel name>". This will keep the tunnel down unless the primary tunnel specified goes down; then it will try to build the tunnel on the secondary interface. It's a slower process than if the tunnel was always up, but it should accomplish the goal.
You will need to create two more tunnels like the one you have that use:
    set interface "wan2"
(or whatever the second WAN port is). Then your policies will have four VPN overlay tunnels for SD-WAN rules.
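Added example (not from the original thread) of the two extra spoke tunnels the replies describe: each one mirrors its wan1 counterpart but is sourced from wan2 and carries "set monitor", so it stays down until the monitored wan1 tunnel fails. The tunnel names and the phase2 entries are assumptions; the remote-gw placeholders are the ones used in the question, and authentication lines (psksecret etc.) are omitted as in the question's snippet.

```fortios
config vpn ipsec phase1-interface
    # Backup for ADVPN-PRIMARY: same hub gateway (ISP1), sourced from wan2.
    # "set monitor" keeps this tunnel down until ADVPN-PRIMARY goes down.
    edit "ADVPN-PRIMARY-WAN2"
        set interface "wan2"
        set peertype any
        set net-device enable
        # proposals copied from the existing tunnels so both hubs accept them
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set wizard-type spoke-fortigate-auto-discovery
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set remote-gw <ISP1 at HUB>
        set monitor "ADVPN-PRIMARY"
    next
    # Backup for ADVPN-BACKUP: hub gateway ISP2, sourced from wan2.
    edit "ADVPN-BACKUP-WAN2"
        set interface "wan2"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set wizard-type spoke-fortigate-auto-discovery
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set remote-gw <ISP2 at HUB>
        set monitor "ADVPN-BACKUP"
    next
end
# Phase2 selectors for the new tunnels (assumed; the question shows none).
# auto-negotiate lets the SA come up as soon as the monitor releases it.
config vpn ipsec phase2-interface
    edit "ADVPN-PRIMARY-WAN2"
        set phase1name "ADVPN-PRIMARY-WAN2"
        set proposal aes128-sha256 aes256-sha256
        set auto-negotiate enable
    next
    edit "ADVPN-BACKUP-WAN2"
        set phase1name "ADVPN-BACKUP-WAN2"
        set proposal aes128-sha256 aes256-sha256
        set auto-negotiate enable
    next
end
```

With BGP carrying the routes (add-route disabled), the new tunnel interfaces still need their own BGP neighbor entries toward the hubs, otherwise no prefixes are learned when the backup tunnel comes up.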
Is SD-WAN required on the spoke for this setup? I also don't want the backup connection to be in use unless the primary fails.
Copyright 2024 Fortinet, Inc. All Rights Reserved.