Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Accessing a Server behind IPSec VPN Tunnel

Hi Community,


I have following situation: I have two sites connected with an IPSec VPN tunnel. The tunnel is running and I can reach the servers of the other site without any problems from the internal network. So far so good.


Normally, my servers run in Site A. When I connect to the services there with an end device over the Internet, it works fine. Now I have set up the same servers in Site B as Hyper-V failover (with different IP addresses). What I want to achieve is: Should the servers in Site A fail and the failover servers in Site B start. The firewall in Site A should not send the packets to the local server (which is not running), but to the servers in Site B via the VPN tunnel (like in the screenshot).


Can anyone tell me, is this even possible?

On Site A I tried to change the Policies from Local Server VLAN to the IPSec Tunnel and reconfigured the VIPs, but the packets doesn't seem to arrive at the Site B Firewall (according to the logs).


I would be glad if anyone could tell me if this scenario is even possible or not.



Thanks a lot for your help guys :)



Hello there KVN001, 


Top of mind, I'd probably approach this by using public DNS failover, so that when the servers are live in Site B the  user traffic is processed by the Site B firewall.  This would probably maintain consistency for the user experience instead of adding latency with the traffic traversing the IPSEC tunnel.  This would also allow for Site A to be completely down, letting Site B take over gracefully both on the server and network side.  This type of failover is available through most major DNS providers.  FortGLSB could also be leveraged for this approach and FortiADC could also handle this from a loadbalancing perspective. 


Now if there is a requirement for the traffic to always go through Site A, then I'd suggest looking at using a Virtual server load balancing scenario.  In this scenario, you could use the static balancing method with a health check against the servers so if the servers are down in Site A, the servers in Site B would start receiving the traffic.  You can check this out further at 


Depending on the traffic/server load, FortiADC may be the correct solution to manage the scenario.  I hope this gives you a couple of things to consider and start with. 



I hope that gives a couple of approaches to this

Secure all the things!
Top Kudoed Authors