jvocaire
New Contributor

Dual IPSec tunnels and policy routes

I have a client that is trying to do something that I have never done before, and I cannot seem to come up with a way to make this work. The scenario is this. They have a remote branch that has two Internet connections (only two available). The first (cable) is fast, but unreliable and the second (DSL) is slow but reliable. The main site has one high speed very reliable connection. There are two tunnels, one for each connection at the branch. They would like almost all traffic to use the DSL and fail over to the cable (easy). But, they want some traffic (offsite backups) to use the cable primarily, and the DSL as backup. This is where I am running into a wall. I have a picture attached for reference, hopefully it makes more sense than the post. I have tried using policy routes on the 60D, but either I am not configuring it correctly (most likely) or it won't work to choose which tunnel to use. Let me know what snippets of config you would like to see and I can post them. Thanks.
ede_pfau
SuperUser

Which side is the backup session initiated from? That determines on which FGT you have to change the config. Generally, a simple static route is all you need to direct traffic IF it depends on the destination address. For instance, a static route from remote to the HQ server (target_ip/32) would cause ALL traffic from branch to that server to use the interface which you specify in the route. If you want to make the routing depend on the application you can use a policy route with a specific destination port - just a port, not an application. There is currently no way to route traffic by application. This is a bit more complicated but in principle Policy routes (PBR) work over VPN tunnels just as well as over other connections. Sometimes PBR can be tricky so I prefer the simple static route if you can live with the scenario.
Ede Kernel panic: Aiee, killing interrupt handler!
jvocaire
New Contributor

The problem is there is no backup link. Both links are live all the time, and so all tunnels are live. What happens with static routes is that if I create a static route from the 60D to .4, then traffic from all of the ranges uses that route because everything ends up at .4. If I create a policy route on the 60D and say traffic from .253 to .4 should go over the fiber-cable tunnel, nothing changes and traffic still flows over the fiber-dsl tunnel. I think I am missing something, but have no idea what.
Federico_Vecchiatti
New Contributor II

I don't know if it's too late for an answer... In any case, policy route works on IPsec interfaces if you assign an IP address to them. So in the policy routing, in "Force route" you can specify the IPsec local interface as outbound interface and the remote IPsec interface IP as gateway. This way the policy routing can work. Assign for example a x.y.z.w/30 to the local and remote IPsec interface, configure the firewall policy in order to allow traffic to these IPs and it should work. Bye. Federico
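Putting Federico's suggestion into CLI form, as an added example that is not part of the original thread: tunnel names, the /30 addresses, the subnets and the NAS/server hosts are constructed placeholders (the thread only gives ".253" and ".4"), and the syntax follows FortiOS 5.x as run on a 60D, so check it against the version in use.

```fortios
# Added example, not from the thread. Branch-side FortiGate (the 60D).
# "vpn-cable" / "vpn-dsl" are the two phase1-interface tunnels; all IPs are constructed.

# 1. Give each tunnel interface a /30 so its remote end can serve as a policy-route gateway.
config system interface
    edit "vpn-cable"                  # tunnel over the fast but unreliable cable link
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2
    next
    edit "vpn-dsl"                    # tunnel over the slow but reliable DSL link
        set ip 10.255.0.5 255.255.255.255
        set remote-ip 10.255.0.6
    next
end

# 2. Default path: everything bound for the HQ LAN rides the DSL tunnel, cable as backup.
config router static
    edit 1
        set dst 192.168.10.0 255.255.255.0
        set device "vpn-dsl"
        set distance 10
    next
    edit 2
        set dst 192.168.10.0 255.255.255.0
        set device "vpn-cable"
        set distance 20               # only installed when the vpn-dsl route disappears
    next
end

# 3. Exception: backup traffic from the NAS (.253) to the HQ backup server (.4)
#    is forced onto the cable tunnel. The gateway is the remote tunnel IP from step 1;
#    without that address the policy route has nothing to point at, which matches
#    the "nothing changes" symptom described above.
config router policy
    edit 1
        set input-device "internal"
        set src 192.168.20.253 255.255.255.255
        set dst 192.168.10.4 255.255.255.255
        set gateway 10.255.0.2
        set output-device "vpn-cable"
    next
end
```

Firewall policies must still permit the .253 to .4 traffic on the vpn-cable interface (and on vpn-dsl for the fallback case), and the HQ side needs mirror-image tunnel IPs and a matching policy route for the return traffic so the backup flow is not asymmetric. If DPD takes vpn-cable down, the policy route is skipped and the static routes carry the backup traffic over vpn-dsl.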