Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Branch site internet over ipsec vpn to HQ.

Looking for some recommendation about the best way to deploy a couple of 60F 7.2.7 where they each have a single ISP and they want the branch to use a vpn to HQ for internet.

I believe this could be done with static routes using different priority(or would it be ad distance), so once the vpn tunnel is established the route pointing to the tunnel becomes available. Lower value priority would be on the vpn tunnel route. I suppose I could also only do a /32 route for the remote vpn concentrator, but wanted to keep the internet as an option that I likely will control with firewall policy.

I also believe this could be done by just making a vpn tunnel and putting it in an sdwan zone. I'm not positive how sd-wan policies and routes would be setup here to make sure the vpn tunnel can stay established and be used as an internet egress while also keeping users from getting internet unless the tunnel is up.

For reference the current setup is using two watchguards and bovpn with any ip being specified as the remote network at the branch fw.

Any recommendations for the best way to accomplish this is most appreciated.

The key, which is not so clear in the KB @abarushka referred to, is the "1) ....all other traffic besides VPN will go through VPN tunnel". This means establishing the VPN tunnel can not rely on the default route toward the wan interface. You have to have a specific route (like a /32 IP or DDNS name) toward the wan for the peer public IP. If you have two default routes to VPN and to wan, as soon as the VPN comes up, the FGT would lose the route to the peer public IP via wan. Changing admin distance or priority or anything wouldn't let you avoid that.



Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors