antwes
New Contributor

Dual VPN using independent WAN connections

Hi all,

 

On a vessel I'm working on, I've got two internet connections connected to WAN1 and WAN2. I'd like to have two VPN connections, each using one of the WAN connections.

 

WAN1 (Production VPN, Internet access)

Fixed IP: 10.241.105.192 / 255.255.255.240
Gateway: 10.241.105.193

 

WAN2 (Development VPN)

DHCP: 94.234.190.55 / 255.255.255.240

Gateway: 94.234.190.49

 

Production VPN: Site-to-Site VPN with vessel behind NAT

Development VPN: Remote Access using FortiClient

 

I have configured Static Route as this:

[Screenshot attachment: antwes_0-1652686402967.png (static route configuration)]

The Production VPN and general internet access from WAN1 work as expected, but how should I get the Development VPN working on WAN2?

 

The Incoming Interface for the Development VPN is set to WAN2. I understand I need a gateway associated with WAN2, so I tried to add this as a Policy Route as below, but without success.

[Screenshot attachment: antwes_1-1652688364948.png (policy route configuration)]

I'm not sure if I'm doing the above correctly?

Is there anything else I need to configure to achieve functionality of the Development VPN over WAN2?

 

Looking forward to any advice, thanks!

 

akristof
Staff

Hello,

 

Thank you for your question. If you have a VPN associated with wan2, you will need to have a route in the routing table to the remote-gw. And this should be enough to allow the VPN to negotiate. In your case, a policy route will not work at all.

 

So if your VPN has remote-gw 1.1.1.1, you need to have a route towards 1.1.1.1/32 via wan2 with the correct gateway.

Adrian
antwes

Hi Adrian,

 

Many thanks for your answer.

 

It's the first time for me working with a FortiGate and I'm not an IT tech really. If you have time, would you please describe more exactly what steps I need to take in order to add to the routing table? Also, how to change the remote gateway of the VPN to 1.1.1.1 if that is needed too.

 

Thanks a million.

Anton

akristof

Hi,

Sure. Some links:

How to create static route

https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/626338/adding-a-static-route

This is needed for VPN to know how to reach remote-gw.

For VPN info, probably this is good guide:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/276731/gateway-to-gateway-configuration

If you will have any problems, you can share example from your config and based on that we can advice.

Adrian
seshuganesh (accepted solution)

Hi Team,

 

As my colleague said, you need to have a route towards the internet for wan2 as well.

PFA

[Screenshot attachment: seshuganesh_0-1652693984378.png (static route via wan2)]

Create one more static route. In place of interface select wan2, and in the advanced settings of the same tab keep the priority as "1".

Please check if the issue is resolved.

 

antwes

Thanks for the explanation, this worked like a charm - Great!

 

I'm also trying to understand how to swap the internet connection to my main network (Payload-0) to be WAN1 or WAN2.

 

At the moment it is sourced from WAN1, as I understand using the policy below:

 

[Screenshot attachment: antwes_0-1652699965464.png (firewall policy Payload-0 to WAN1)]

 

The above configuration with WAN1 works, but when I try to reconfigure the policy above for WAN2 instead it does not work?

 

Do I need to change the priority of the static routes as well?

 

Or is there anything else I need to change?

 

Thanks for your help,

Anton

 

akristof

Hi.

When traffic is entering the FortiGate, if there is no DNAT, then the FortiGate will check the routing table, select the outgoing interface and then check if the traffic is allowed by a firewall policy. So in your case, let's say that the default route via wan1 has administrative distance 10 and the route via wan2 has 20. If you know the concept of administrative distance, then you know that the lower distance wins and the wan1 default route will be installed in the routing table. Now, if you want to make wan2 work, you have 3 options:

- make the AD of wan2 better than wan1 and only wan2 will be used

- make the AD of wan2 the same as wan1; you will have 2 default routes and the FortiGate will use ECMP (load-balancing)

- make the AD the same and use a different priority. This one is used for special cases where you need to have the route in the routing table but you don't want to actively use it.

More info on routing behavior with different examples can be found here:

https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-an...

Adrian
seshuganesh

Yes, the one with the lowest priority in the static route will take precedence.
Let's say you have two routes with the same AD value and different priorities. The one with the low priority will take precedence.

So you must have a firewall policy to allow the traffic based on what the outgoing interface is according to the static route priority.
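The configuration the thread converges on, written out as FortiOS CLI so the pieces can be seen together. This is an added example, not the poster's or Fortinet's own configuration: the gateway addresses and the interface names wan1, wan2 and Payload-0 come from the question; the VPN name DEV-VPN, the IKE proposals, the client address pool, the documentation address 203.0.113.10 standing in for a fixed peer, and the use of `dynamic-gateway` because wan2's gateway is learned via DHCP are assumptions. The security-relevant reason the wan2 default route is kept at the same distance but a worse (higher) priority, rather than simply a worse distance, is that a route with a worse distance is not installed in the routing table at all; the FortiGate's reverse-path check then has no route back to the dialup clients via wan2 and the IKE packets arriving on wan2 are dropped as spoofed. With equal distance both routes are installed, wan1 still wins the lookup, and wan2 is a valid return path. Lines beginning with `#` are comments.

```fortios
# Added example (not from the original thread). Assumed: DEV-VPN name,
# proposals, address pool, 203.0.113.10 as a stand-in peer, DHCP gateway on wan2.

# 1. Two default routes with the SAME distance (both installed) and different
#    priority. Lower value wins: wan1 carries traffic, wan2 only serves as a
#    return path / RPF route for sessions that arrive on wan2.
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.241.105.193
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "wan2"
        set dynamic-gateway enable    # wan2 is DHCP: use the DHCP-learned gateway
        set distance 10
        set priority 1
    next
    # Only needed if a tunnel that the FortiGate INITIATES is bound to wan2:
    # the route to that peer's remote-gw must point out wan2 (the /32 case
    # from the first reply). 203.0.113.10 is a hypothetical peer.
    edit 0
        set dst 203.0.113.10 255.255.255.255
        set device "wan2"
        set dynamic-gateway enable
    next
end

# 2. Remote-access (dialup) VPN for FortiClient terminated on wan2. The
#    FortiGate does not initiate, so no /32 route is required; it only needs
#    a route back to the clients via wan2, which route 1 provides.
config vpn ipsec phase1-interface
    edit "DEV-VPN"
        set type dynamic
        set interface "wan2"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set ipv4-start-ip 10.10.10.1      # assumed client pool
        set ipv4-end-ip 10.10.10.50
        set ipv4-netmask 255.255.255.0
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <pre-shared key>
    next
end
config vpn ipsec phase2-interface
    edit "DEV-VPN-P2"
        set phase1name "DEV-VPN"
        set proposal aes256-sha256
    next
end

# 3. To move Payload-0's internet egress to wan2: swap the two priorities
#    above (wan2 priority 0, wan1 priority 1) so the route lookup selects
#    wan2, AND have a policy whose dstintf is wan2. The policy is evaluated
#    only after the routing lookup has chosen the outgoing interface, so a
#    wan2 policy alone, with wan1 still preferred, never matches.
config firewall policy
    edit 0
        set name "Payload-0 internet via wan2"
        set srcintf "Payload-0"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

To confirm both defaults are installed and which one is active, run `get router info routing-table all`; both 0.0.0.0/0 entries should be listed, with wan1 marked as the selected one while its priority is lower. To see whether IKE from a FortiClient is actually reaching wan2 (and whether the reply leaves the same interface), `diagnose sniffer packet wan2 'udp port 500 or udp port 4500'` shows the exchange; packets that arrive but get no reply point at the missing return route rather than at the VPN settings.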

antwes

Thanks both of you, I'm very satisfied with the quick and correct support I've got here today.

 

My configuration is working exactly as I want it to now, after your advice.

 

All the best,

Anton
