Can anybody explain to me how I should build a backup IPsec interface? I found articles about how to configure a FortiGate with two ISPs, but none about a second FortiGate with only one ISP. Should I configure the IPsec as a dialup user? Because I can't configure a second tunnel with the same remote policies...
The key thing here is the routing. With OSPF the routing will be done automatically for you, but just having one site you can easily get away with configuring the routing manually.
One thing I would recommend looking into that the cookbook doesn't mention is the use of zones. Before you create the policies for the VPNs, create a zone and put both VPN interfaces in it. Now you only need to create policy from internal > VPN-zone and VPN-zone > internal (rather than creating two separate policies for each VPN interface).
But my situation is different. The branch has two ISPs (one of them is much more expensive); the head office has only one ISP, one WAN, and that is why I have to use a different way. Forti calls it "Backup IPsec Interface".
Just to confirm, you'd like to setup something like this with traffic going over WAN1 in the branch office (cheap link) and only falling back to WAN2 when WAN1 is unavailable?
If so, then the previous guide will still work. Instead, for the HQ you would have two IPsec interfaces that are configured for the same WAN link (WAN1). The branch office will have two IPsec interfaces (static, not dialup), each configured for a separate link (WAN1 and WAN2). Enable dead peer detection on the VPNs.
You would configure routes to prioritize WAN1 over WAN2 (using distance).
Both sides will have a VPN-zone with the two VPN interfaces as members.
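As an added illustration of the HQ side described above (not configuration from the thread's author), here is a FortiOS CLI fragment with both static IPsec interfaces on the single WAN, DPD enabled, both tunnels in one zone, and the backup route given a higher distance. The tunnel names, subnets, peer addresses and the PSK are constructed placeholders; the branch side mirrors this with each phase1 bound to its own WAN link.

```text
config vpn ipsec phase1-interface
    edit "br-primary"                 # lands on branch WAN1 (cheap ISP)
        set interface "wan1"          # the only HQ WAN link
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dpd on-idle               # probe even when idle so a dead peer brings the tunnel down
        set remote-gw 203.0.113.10    # branch WAN1 public IP (placeholder)
        set psksecret <PSK-placeholder>
    next
    edit "br-backup"                  # lands on branch WAN2 (expensive ISP)
        set interface "wan1"          # same HQ WAN link as the primary
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dpd on-idle
        set remote-gw 198.51.100.20   # branch WAN2 public IP (placeholder)
        set psksecret <PSK-placeholder>
    next
end
config vpn ipsec phase2-interface
    edit "br-primary"
        set phase1name "br-primary"
        set proposal aes256-sha256
    next
    edit "br-backup"
        set phase1name "br-backup"
        set proposal aes256-sha256
    next
end
config system zone
    edit "VPN-zone"                   # one policy pair (internal<->VPN-zone) covers both tunnels
        set interface "br-primary" "br-backup"
    next
end
config router static
    edit 10                           # preferred path: lower distance is installed
        set dst 10.20.0.0 255.255.0.0
        set device "br-primary"
        set distance 10
    next
    edit 11                           # takes over only when the primary tunnel goes down
        set dst 10.20.0.0 255.255.0.0
        set device "br-backup"
        set distance 20
    next
end
```

When DPD declares the primary peer dead, the br-primary interface goes down, its route is withdrawn, and the distance-20 route via br-backup becomes active; once the primary tunnel re-establishes, traffic returns to it automatically.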