Hi there,
I'm still in the learning process of fortigate. I'm trying to setup a backup VPN tunnel. Now, I have a primary vpn tunnel from site A firewall to site B firewall. I will need a secondary vpn tunnel from site C firewall to site B firewall to turn on automatically whenever the primary connection is down. Both site A&C have 90D, site B has 60E. I know I'm supposed to setup some lower value in the setting, but not sure where I need to do it? phase 1 or 2 parameters? Or security policy? priority value of static route?
Also correct me if I'm wrong for the settings I need to do. 1. Using vpn wizard create vpn tunnel 2. setup ipv4 policy 3. setup security policy 4. setup static route
Thank you for your time and advice. Really appreciate it!!
Solved! Go to Solution.
Any metric option on static routes would work including priority. With priority, both routes shows up in the routing table but if a session is initiated from inside of B it would take the route with a lower priority-number (0 by default). Since the other one is still in the table, sessions coming in the interface (VPN) with a higher priority-number are still legit and the returning packets still go out through the same interface (VPN) they came in.
It's not so easy as you're thinking because it's not a simple backup tunnel to the primary one since your second tunnel come from site C. How can site A get to site C to get to the second tunnel? Another VPN?
If you use static routes, you need to use link-monitor to remove those toward the primary tunnel when it goes down. For the secondary route, you can use admin distance or other metrics to let them "float".
But routing protocols are designed for that purpose.
Hi Toshi,
Thank you for the reply. I don't really need connection between site A and C. We setup site C as internet backup for site A. Now, all the ingress traffic go to site A. When site A down, site C will handle all ingress traffic. Then at the same time, the secondary vpn tunnel should be activated. Hope it makes more sense after explanation.
I'm thinking to have config of from C to B same as from A to B. Then setup a bigger priority value of B to C than B to A in static route ->advanced option. When site A internet works, there is no traffic from B to C. When site A internet down (site C is up), there is traffic from B to C (no traffic from B to A). Will it work? Do I still need link monitoring?
Thank you for your time!!
Still not clear about the roles of those sites&VPNs. What do you mean by "ingress" traffic? Is it traffic from the internet into your network consisting three locations? In that case, do the public IPs to enter into your network move/change from A to C by DDNS?
If B is the main location and A and C are just B's internet path options, B just needs to decide which way to go. You don't have to "activate" VPN and you can keep the tunnel up all the time. You just don't route to it when you don't need it. I still recommend to use link-monitor at B to detect the internet path over the VPN down.
Hi Toshi,
Sorry about the confusion. Both site A and C are our main route. Normally, all ingress traffic goes through site A and egress traffic goes through site C. Whenever site A internet is down, site C will taking care of ingress and egress traffic. The site A and site C connect to each other by vMPLS (we do have more sites connect to A and C). Site B is not part of WAN, no vMPLS connection with other sites. So we need to setup vpn tunnel in order to access the site B.
No confusion, but just lack of information. As the result, my last comment still applies, because it's all about site B's internet paths.
Hi Toshi,
Thank you!!
If B is the main location and A and C are just B's internet path options, B just needs to decide which way to go. You don't have to "activate" VPN and you can keep the tunnel up all the time. You just don't route to it when you don't need it. I still recommend to use link-monitor at B to detect the internet path over the VPN down.
In order to do this, will my solution work? Under static route -> advanced option -> priority, I setup larger number from B to C than from B to A (smaller number has higher priority), and setup link monitor between B and A. Whenever the connection between B and A down, the route B to C will kick in.
Any metric option on static routes would work including priority. With priority, both routes shows up in the routing table but if a session is initiated from inside of B it would take the route with a lower priority-number (0 by default). Since the other one is still in the table, sessions coming in the interface (VPN) with a higher priority-number are still legit and the returning packets still go out through the same interface (VPN) they came in.
Thank you for your time and answer, Toshi. I will play with it.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.