Hi all,
We recently acquired another company that is running Fortigate 80Es across two sites. We are a Cisco shop and have zero experience with Fortinet products... Any help would be appreciated!
We have dropped an ISR router in site A and have its internal interface configured on the LAN subnet. The external interface is connected to our WAN. I added a static route for the WAN network on site A's 80E that is pointing to the ISR interface on the site A LAN subnet. Everything is working as expected.
I now need to get site B communicating to the same WAN subnet that site A can talk to. After poking around in the IPsec config page, the existing addresses/address groups, and existing IPv4 policy, it appears that the VPN and the associated policies are configured with the address groups that contain the site A and site B LAN address objects. I believe I should be able to just create a LAN address object for my WAN subnet and then add it to the site A address groups to get communication working between site B and the WAN subnet.
My main concern is that the existing tunnel stay active. Both sites are primarily field workers who are in and out of the office - getting someone onsite to help will be difficult if the tunnel were to drop. Would adding the address objects to the address groups break the tunnel? I read about adding a new phase 2 - would that be a better solution? Also, each Fortigate can accept Fortinet client connections directly. I'm assuming that if the tunnel does go down, I will still be able to access the Fortigates over those VPN clients... correct? I'm sure this is basic Fortinet stuff, but I'm just trying to avoid any headaches.
Thanks in advance.