KVN001
New Contributor

Accessing a Server behind IPSec VPN Tunnel

Hi Community,

I have the following situation: I have two sites connected with an IPSec VPN tunnel. The tunnel is running and I can reach the servers of the other site without any problems from the internal network. So far so good.

Normally, my servers run in Site A. When I connect to the services there with an end device over the Internet, it works fine. Now I have set up the same servers in Site B as Hyper-V failover (with different IP addresses). What I want to achieve is: should the servers in Site A fail and the failover servers in Site B start, the firewall in Site A should not send the packets to the local server (which is not running), but to the servers in Site B via the VPN tunnel (like in the screenshot).

Can anyone tell me, is this even possible?

On Site A I tried to change the policies from the local server VLAN to the IPSec tunnel and reconfigured the VIPs, but the packets don't seem to arrive at the Site B firewall (according to the logs).

I would be glad if anyone could tell me if this scenario is even possible or not.

Thanks a lot for your help guys :)

[Screenshot: Capture.PNG]

sidewaysguy14

Hello there KVN001,

Top of mind, I'd probably approach this by using public DNS failover, so that when the servers are live in Site B the user traffic is processed by the Site B firewall. This would probably maintain consistency for the user experience instead of adding latency with the traffic traversing the IPSEC tunnel. This would also allow for Site A to be completely down, letting Site B take over gracefully both on the server and network side. This type of failover is available through most major DNS providers. FortiGSLB could also be leveraged for this approach, and FortiADC could also handle this from a load balancing perspective.

Now if there is a requirement for the traffic to always go through Site A, then I'd suggest looking at using a virtual server load balancing scenario. In this scenario, you could use the static balancing method with a health check against the servers, so if the servers are down in Site A, the servers in Site B would start receiving the traffic. You can check this out further at https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/713497/virtual-server-load-b...

Depending on the traffic/server load, FortiADC may be the correct solution to manage the scenario. I hope this gives you a couple of things to consider and start with.

I hope that gives a couple of approaches to this.

Secure all the things!
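The virtual-server approach from the reply, sketched as FortiOS CLI (an added example, not taken from the reply or from Fortinet's documentation): a TCP health monitor, a VIP of type server-load-balance with the Site A server as active real server and the Site B server as standby, and the inbound policy that uses it. Interface names, addresses and ports are assumed placeholders.

```text
# Constructed example: health check referenced by the VIP (assumed names/addresses)
config firewall ldb-monitor
    edit "https-check"
        set type tcp
        set port 443
        set interval 10
    next
end
# With one active real server, all traffic goes to Site A; the standby at Site B
# (reached over the tunnel) only receives traffic once the monitor marks Site A down.
config firewall vip
    edit "web-vip"
        set type server-load-balance
        set extintf "wan1"
        set extip 203.0.113.10
        set server-type tcp
        set extport 443
        set ldb-method static
        set monitor "https-check"
        config realservers
            edit 1
                set ip 10.1.10.20
                set port 443
                set status active
            next
            edit 2
                set ip 10.2.10.20
                set port 443
                set status standby
            next
        end
    next
end
# Policy must allow the VIP toward both the local server VLAN and the VPN interface.
# NAT keeps Site B's replies on the tunnel instead of Site B's default route.
config firewall policy
    edit 0
        set name "inbound-web-vip"
        set srcintf "wan1"
        set dstintf "vlan-servers" "vpn-siteB"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end
```

Source NAT on the policy assumes the IPsec interface has an address (otherwise use an IP pool); without it the Site B server would answer the Internet client via its own default gateway and the Site A firewall would never see the return traffic.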