enrico_l
New Contributor

Configuration Help IPSEC on secondary WAN interface

Hi,

I need some help configuring an IPsec VPN tunnel on a FortiGate that has WAN1 and WAN2, with WAN2 configured as secondary with a bigger distance value.
We need to use WAN2 for a site-to-site IPsec tunnel, but I'm struggling to make it work; before adding the second connection on WAN2, it was configured on WAN1without problem.
Any tips for me for the configuration?

Thanks!

hbac
Staff

Hi @enrico_l,
I believe you created a new tunnel for WAN2 but it is not coming up? A bigger distance value is controlled by the static route. Please refer to https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/432685/manual-redundant-vpn-...
Regards, 

enrico_l
New Contributor

No, we have two different internet connections, and we want to use the primary for users and normal traffic, and the secondary for another company site to share local resources.

hbac

@enrico_l,
Did you create a tunnel on WAN2 for sharing resources?

You need to make sure both WAN interfaces appear in the routing table. You can run this command to check: "get router info routing-table all".
Regards, 

enrico_l
New Contributor

[screenshot: fortigateroutingall.jpg, output of the routing table]

I did create the tunnel on WAN2 to the remote GW (the one in yellow, xxx.xxx..).

hbac

@enrico_l,
You don't have a default route via wan2, which is why the tunnel is not working. The IPsec tunnel configured on wan2 won't be able to negotiate if there is no default route via wan2.

You need to have a default route for wan2 with the same administrative distance as wan1. You can give it a lower priority if you want it to be secondary. The administrative distance of your wan1 is 5.
Regards, 
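The configuration hbac describes, written out as an added example (this is not hbac's or Fortinet's code, and the addresses, interface names, tunnel name and route sequence numbers are placeholders chosen here; 203.0.113.1 and 198.51.100.1 are the assumed WAN1/WAN2 next hops, 192.0.2.10 the assumed remote gateway, and 10.20.0.0/16 the assumed remote LAN). The point is that the second default route must share the distance of the first (5, as in the screenshot) so that it is installed in the routing table, while a higher priority value keeps it from being preferred for ordinary traffic:

```fortios
# Two default routes with the SAME administrative distance (5), so both are
# active in the routing table. priority 10 on wan2 makes it the less preferred
# of the two (lower priority value wins); without an equal distance the wan2
# route only sits inactive in the RIB and IKE for a wan2-bound tunnel never
# leaves the box via wan2.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1     # assumed WAN1 next hop
        set device "wan1"
        set distance 5
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1    # assumed WAN2 next hop
        set device "wan2"
        set distance 5
        set priority 10
    next
end

# Phase 1 bound to wan2. IKEv2 with a PSK; "aes256-sha256" and DH group 14
# are sane modern defaults. Replace the secret (and prefer certificates for
# a permanent site-to-site link).
config vpn ipsec phase1-interface
    edit "site-b"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 192.0.2.10    # assumed remote gateway
        set psksecret "CHANGE-ME-long-random-psk"
    next
end

config vpn ipsec phase2-interface
    edit "site-b-p2"
        set phase1name "site-b"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# Route the remote LAN into the tunnel interface (no gateway needed for a
# route-based tunnel).
config router static
    edit 3
        set dst 10.20.0.0 255.255.0.0   # assumed remote LAN
        set device "site-b"
    next
end

# Verification: both default routes should now be listed as active, then watch
# phase 1 negotiate.
# get router info routing-table all
# diagnose vpn ike gateway list
# diagnose vpn ike log filter rem-addr4 192.0.2.10
# diagnose debug application ike -1
# diagnose debug enable
```

Two things a practitioner will want to check after applying this: first, firewall policies still have to exist between the LAN interface and the "site-b" tunnel interface in both directions, or traffic will be dropped even once phase 1 is up; second, an equal-distance pair of defaults only stays "primary/secondary" because of the priority values, so if those are left equal the FortiGate will ECMP across both links and user traffic will start leaving via wan2 as well. If keeping the wan2 default out of the routing table is a hard requirement, the usual alternative is a more specific static route (a /32 to the remote gateway's public IP, 192.0.2.10 in this example) via wan2 with distance 5, which is enough for IKE on that interface; that variation is suggested here, not taken from the thread.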

nweckel

Where is the problem? The new IPsec configuration? Phase 1 is not coming up? The traffic is not correctly routed? Allowing traffic from company A to company B (so traffic from the WAN1 IPsec to the WAN2 IPsec)?

enrico_l

Phase 1 is not coming up.
