Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Maxim_Vanichkin
New Contributor II

Created on ‎02-15-2016 10:11 AM

Backup IPSEC interface

Good morning Vietnam!

 

Can anybody explain to me how should I build backup IPSEC interface? Found articles about how to configure fortigate with to ISPs, but no one about second fortigate with only one ISP. Should I configure ipsec as a dialup user? Because I cant configure second tunnel with the same remote policies...

 

Thanking you in advance, your pal, Maxim.

6302
0 Kudos
3 REPLIES 3
neonbit
Valued Contributor

Created on ‎02-15-2016 02:01 PM

Hi Maxim,

 

Two redundant IPSEC interfaces are easy enough to setup. There's a IPSEC with OSPF cookbook available here that goes through the steps: http://docs.fortinet.com/uploaded/files/1693/using-redundant-OSPF-routing-over-IPsec-VPN.pdf

 

The key thing here is the routing. With OSPF the routing will be done automatically for you, but just having one site you can easily get away with configuring the routing manually.

 

One thing I would recommend looking into that the cookbook doesn't mention is the use of zones. Before you create the policies for the VPNs, create a zone and put both VPN interfaces in it. Now you only need to create policy from internal > VPN-zone and VPN-zone > internal (rather than creating two separate policies for each VPN interface).

 

 

 

2505
0 Kudos
Maxim_Vanichkin
New Contributor II
In response to neonbit

Created on ‎02-15-2016 06:48 PM

Hi Neonbit!

 

Thank you very much for your answer!

 

But my situation is different. Brach has two ISPs (one of them is much more expensive), headoffice has only one ISP, one WAN, that is why i have to use different way. Forti call it "Backup IPSec Interface". 

2505
0 Kudos
neonbit
Valued Contributor
In response to Maxim_Vanichkin

Created on ‎02-15-2016 08:10 PM

Hi Maxim,

 

Just to confirm, you'd like to setup something like this with traffic going over WAN1 in the branch office (cheap link) and only falling back to WAN2 when WAN1 is unavailable?

 

 

Ifso then the previous guide will still work. Instead for the HQ you would have two IPSEC interfaces that are configured for the same wan LINK (WAN1). Branch Office will have two IPSEC interfaces (static not dialup), each configured for a separate link (WAN1 and WAN2). Enable dead peer detection on the VPNs.

 

You would configure routes to prioritize WAN1 over WAN2 (using distance).

 

Both sides will have a VPN-zone with the two VPN interfaces as members.

2505
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.