What do you mean by default route? Are you planning on routing the branch local LAN traffic across the two tunnels? Again, if yes, then set /32 static routes to the HQ wan1/wan2 end-points for the VPN (IPSEC/IKE) and then use a routing protocol (OSPF or RIP) and inject a default route to the branch.
At the branch you will advertise the local LAN network(s) only, and then you control traffic with policies at branch and HQ. You can adjust which ipsec tunnel you would use by either metric/priority or even RIP offset.
Ken Felix
PCNSE
NSE
StrongSwan
Traffic follows your route - with static routes - it will always use the route with the lowest prio if there is more than one route to the destination subnet or host. The route(s) to the subnet(s) at branch you want to reach from HQ refer to the corresponding ipsec tunnel interface as destination. The tunnel itself is tied to a specific wan interface. So traffic to the subnet will get ipsec encapsulated and then flow out through the wan the tunnel is tied to.
If the route with the lowest prio cannot be used because the gateway is not available, e.g., the FGT will use the one with the next lower prio. If there is no other route available it will state "no route to host".
I do that with our branches this way:
I have two ipsec tunnels to the branch - each using a different wan at HQ and Branch
And I have two routes with different prio for every subnet I want to access at Branch.
FGT then will always use the route with the lowest prio and if that is down it will be deleted and the other one is used (needs a few seconds to change). Once the first one comes back up routing will switch back again.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Yes it will, as vpn2 is tied to the wan. Packets over vpn2 will leave through the wan the vpn2 is tied to at HQ and will go to the wan vpn2 is tied to at branch (as that is the remote gateway).
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Yes it does. You tied VPN2 to WAN2 so the FGT knows that ipsec packets for or from VPN2 have to go via WAN2.
WAN2 does not need to know WAN1 at branch because VPN2 at HQ knows that its opposite end (i.e. remote gateway in the ipsec tunnel settings) is WAN1 at branch FW.
So VPN2 at HQ will send tunnel packets to VPN2 at branch and they go out via WAN2 at HQ and will reach branch via branch WAN1.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi @sw2090,
1. I did a lab (on EVE-NG) for this case and it is exactly like you wrote. The traffic going to the branch subnet (through VPN2) goes out the WAN2 port. Thanks much.
2. I also tested the case when I just configure one default route (through WAN1 at HQ FW). In this case, the tunnel VPN2 goes down and HQ FW does not forward traffic out the WAN2 port. So, can we only create two VPNs (for two WANs at HQ FW) if we configure two default routes, one for each WAN link (maybe same distance/same priority or same distance/different priority)? Please help again.
The only way to have only one default route I know is to use sd-wan.
Then there is only one default route via sd-wan while tunnels still are tied to wan.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
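The HQ-side setup sw2090 describes above (two tunnels, each tied to its own WAN, two static routes per branch subnet with different priorities) together with the two default routes that downlinkvip asked about, written out as an added FortiOS CLI example. This is not configuration from the thread or from Fortinet; interface names (wan1, wan2, lan), tunnel names (VPN1, VPN2), the RFC 5737 addresses, the subnets and the PSK placeholder are all assumptions chosen for illustration.

```fortios
# --- HQ FortiGate (added example, not from the thread) ---
# Assumed addressing (placeholders):
#   HQ wan1 198.51.100.2, next hop 198.51.100.1
#   HQ wan2 192.0.2.2,    next hop 192.0.2.1
#   Branch wan1 203.0.113.10 (the remote gateway for BOTH tunnels,
#   as in the thread: VPN2 at HQ leaves via wan2 and lands on branch wan1)
#   HQ LAN 10.1.0.0/16, Branch LAN 10.2.0.0/24

config vpn ipsec phase1-interface
    edit "VPN1"
        set interface "wan1"           # VPN1 is bound to wan1
        set ike-version 2
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle                # detect a dead peer so the route is withdrawn
        set psksecret REPLACE-WITH-PSK # placeholder
    next
    edit "VPN2"
        set interface "wan2"           # VPN2 is bound to wan2
        set ike-version 2
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set psksecret REPLACE-WITH-PSK # placeholder
    next
end

config vpn ipsec phase2-interface
    edit "VPN1-p2"
        set phase1name "VPN1"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable      # bring the SA up without waiting for traffic
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
    edit "VPN2-p2"
        set phase1name "VPN2"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

config router static
    # Two default routes, one per WAN, same distance so both stay in the
    # routing table; the lower priority (wan1) is preferred for ordinary
    # Internet traffic. The wan2 default route is what lets IKE/ESP for VPN2
    # be sent out wan2 (the case downlinkvip saw failing with a single
    # default route). A /32 host route to 203.0.113.10 via wan2, as Ken Felix
    # suggests, is a narrower alternative to a full second default route.
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.0.2.1
        set device "wan2"
        set distance 10
        set priority 10
    next
    # Two routes to the branch LAN pointing at the tunnel interfaces.
    # Same distance, different priority: VPN1 is used while it is up; when
    # VPN1 goes down its route is removed and traffic falls back to VPN2.
    edit 3
        set dst 10.2.0.0 255.255.255.0
        set device "VPN1"
        set distance 10
        set priority 0
    next
    edit 4
        set dst 10.2.0.0 255.255.255.0
        set device "VPN2"
        set distance 10
        set priority 10
    next
end

# Routes only select the tunnel; policies still decide what may cross it.
config firewall address
    edit "HQ-LAN"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "BRANCH-LAN"
        set subnet 10.2.0.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "HQ-to-Branch-VPN"
        set srcintf "lan"
        set dstintf "VPN1" "VPN2"      # allow either tunnel to carry the traffic
        set srcaddr "HQ-LAN"
        set dstaddr "BRANCH-LAN"
        set action accept
        set schedule "always"
        set service "ALL"              # narrow this to the services actually needed
    next
end
```

To confirm the behaviour described in the thread, check that both branch routes are present with VPN1 marked preferred (`get router info routing-table all`), that both phase1s are established (`diagnose vpn ike gateway list`), and then bring wan1 down and repeat the first command: the VPN1 route should disappear and the 10.2.0.0/24 entry should now point at VPN2. The branch side mirrors this with its own two phase1s, each using a different branch WAN and pointing at the corresponding HQ WAN address as remote-gw.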
The only way to have only one default route I know is to use sd-wan.
ECMP would be an option that is supported and will require little effort to set up.
Ken Felix
PCNSE
NSE
StrongSwan
sw2090 wrote: The only way to have only one default route I know is to use sd-wan.
Then there is only one default route via sd-wan while tunnels still are tied to wan.
Hi,
this is not quite true - see my problem with SD-WAN and two IPsec tunnels from branch to hq: https://forum.fortinet.com/tm.aspx?m=181462 Of course I have no idea which version of FortiOS "downlinkvip" is using. My problem was 6.2.2 and 6.2.3
Jirka
Copyright 2024 Fortinet, Inc. All Rights Reserved.