I have a FG60D in a data center and a FWF30D at an office with 1) Cable internet - static IP and 2) DSL internet - dynamic IP (using LAN4 as WAN2). The goal is to start with a P2P IPSec VPN connection between the data center and the office over cable internet. If the cable drops I want the DSL to take over and make a VPN connection to the same FG60D at the data center. WAN failover setup, P2P VPN and general routing I am OK with.
I am pretty sure I can do this with both connections active and just route the data over the preferred link, then the secondary link, by adjusting the routing distance. BUT, I have been told they don't want the DSL active until the cable internet fails. I think that might be overcomplicating it a bit...
Any thoughts or direction from the community as to the process of making the second VPN connection connect back to the data center and route traffic while the primary VPN connection is down?
lrob wrote:
Create both tunnels by default: Cable > DC and DSL > DC. Set two routes (cable with priority) for the datacenter network using the tunnels:
Cable tunnel > DC, priority 10
DSL tunnel > DC, priority 15
Sit back and drink scotch while it works.
Mike Pruett
Create two interface-based VPNs (let's say named cable and dsl).
Now under the dsl VPN phase 1 settings:
    config vpn ipsec phase1-interface
        edit "dsl"
            set monitor "cable"    # name of the other phase 1 to be monitored
        next
    end
Make sure DPD is enabled.
The backup VPN will monitor the primary VPN, and only when the primary VPN is marked down by DPD will the second one start negotiation.
Once the primary VPN is up again, you can set the hold-down time for the failback to primary:
    set monitor-hold-down-delay <seconds, range 0 to 31536000>
Hope this meets your requirement.
Just to clarify:
The 'monitoring primary VPN' approach is the way to go, as connecting two identical VPNs to the same remote gateway is not possible. It will only work if the secondary VPN connects after the primary has failed.
Routing is easier in this case: you can have both routes configured with the SAME distance and priority (the default), as only one connection will be up at any time and thus only one route will show up in the routing table.
Don't forget that you need two default routes as well, for getting to the remote gateway in the first place.
One last hint: if you put both tunnel interfaces into a zone you only have to create and maintain the policies once.
In FortiOS 5.2, this is what the 'Virtual WAN link' is meant for (more or less a config shortcut for this).
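Putting the two replies above together (the monitored backup phase 1 and the routing/zone advice), here is an office-side FWF30D configuration as an added example. It is not from the thread or from Fortinet documentation; all names and addresses are assumed: wan1 is the cable link (static 198.51.100.2, ISP gateway 198.51.100.1), wan2 is the LAN4 port repurposed as the DSL WAN (DHCP), the data-center FG60D is reachable at 203.0.113.10, the office LAN is 192.168.10.0/24 and the data-center LAN is 10.0.0.0/24. The syntax is FortiOS 5.4 and later; in 5.2 DPD is simply "set dpd enable".

```text
# Office FWF30D, added example. Assumed: wan1 = cable (static), wan2 = LAN4 used
# as DSL WAN (DHCP), DC gateway 203.0.113.10, office LAN 192.168.10.0/24,
# DC LAN 10.0.0.0/24. Replace the PSK placeholder before use.
config vpn ipsec phase1-interface
    edit "cable"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set psksecret "replace-with-a-long-random-psk"
    next
    edit "dsl"
        set interface "wan2"
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        # Stays down until DPD declares "cable" dead; once "cable" is back,
        # wait 60 s before tearing this tunnel down again (avoids flapping).
        set monitor "cable"
        set monitor-hold-down-delay 60
        set psksecret "replace-with-a-long-random-psk"
    next
end

config vpn ipsec phase2-interface
    edit "cable-p2"
        set phase1name "cable"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
    edit "dsl-p2"
        set phase1name "dsl"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
end

# One zone holding both tunnel interfaces, so firewall policies reference
# "dc-vpn" once instead of being duplicated per tunnel.
config system zone
    edit "dc-vpn"
        set interface "cable" "dsl"
    next
end

config router static
    # Same distance on both tunnel routes: only the tunnel that is up
    # contributes an active route, as only one tunnel is up at a time.
    edit 1
        set dst 10.0.0.0 255.255.255.0
        set device "cable"
    next
    edit 2
        set dst 10.0.0.0 255.255.255.0
        set device "dsl"
    next
    # Default route via cable. The DSL default route is learned by DHCP on
    # wan2 (below) at a worse distance and only becomes active once this
    # one is withdrawn.
    edit 3
        set gateway 198.51.100.1
        set device "wan1"
        set distance 10
    next
end

config system interface
    edit "wan2"
        set mode dhcp
        set defaultgw enable
        set distance 20
    next
end

# Withdraw the wan1 default route when the cable ISP stops answering, not only
# when the link drops; otherwise the DSL tunnel has no route out to the DC.
config system link-monitor
    edit "cable-probe"
        set srcintf "wan1"
        set server "203.0.113.10"
        set gateway-ip 198.51.100.1
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end
```

Two points the office side alone does not show. First, on the FG60D the cable tunnel can name the office's static address as its remote gateway, but the DSL peer has no fixed address, so its phase 1 there has to be a dialup-type entry (set type dynamic) and should be tied to a peer ID rather than accepting any source. Second, the failover time is set by DPD: with the values above, roughly three missed probes five seconds apart before "cable" is declared dead and "dsl" starts negotiating, so tune dpd-retryinterval and dpd-retrycount to the outage the site can tolerate. Firewall policies then reference the "dc-vpn" zone in both directions with explicit address objects for the two LANs rather than "all".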
Thank you to everyone who replied. I will be working on this today and believe the suggestions will make this easy.
Please let us know how it turned out and how you configured it. Thanks.