- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IPSEC VPN - Remote Site with dual WAN (reduntant ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSEC VPN - Remote Site with dual WAN (reduntant modem) - to 110C HA using Dual WAN and Policy Route
Yes, a very verbose title!
I have a 110C HA A-A Cluster with dual ISP' s 1 for VPN and the other for Surfing.
All IPSEC vpn tunnels are in Interface mode.
I' ve configured a modem on a new 40C to dial out on WAN1 failure and create a IPSEC VPN tunnel.
My problem is, my 110C HA is configured using policy routes and depending on the order of policies, the traffic is forced through the first matched rule.
Can anyone give me advice how to work around this?
-Richard
FGT110Cx2 HA A-P - 4.2.11
FGT 80C,60B,50B x 3,FWF50B - 4.2.11
FGT50B - 4.3.3
FGT40C x 2 - 4.3.7
FAMS
-Richard FGT110Cx2 HA A-P - 4.2.11 FGT 80C,60B,50B x 3,FWF50B - 4.2.11
FGT50B - 4.3.3 FGT40C x 2 - 4.3.7 FAMS
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you explain your problem clearly. Are you using a redundant modem to backup one of the ISP1 connection only ? and expecting PBR to work for the other ISP2 connection?
A snippet of your PBR and static routing information or example could be beneficial.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
110C - Hub & Spoke IPSEC vpn (interface mode tunnels)
- 2 ISP' s, 1 is fibre for VPN tunnels and the 2nd is DSL for surfing
- In order to split the traffic for surfing I had to use PBR' s.
- I have a PBR for my vpn tunnels so any traffic from inside the branch is passed through the vpn interface then I create a PBR for each service I want to go out my DSL for surfing.
40C - Remote Branch
- This remote branch is in Surrey, BC and I' ve had horrible ISP service from the local cable provider. They' re blaming it on " crack heads" climbing the towers to steal the copper wire... I setup a Huawei 4G modem as a redundant backup to WAN1. If WAN1 goes down, the 4G modem should dial out, create a VPN connection to the 110C and start passing citrix and email etc, to the staff.
Now, what I' ve done is setup the 40C @ home, in testing I found that the PBR was still trying to push packets out through the VPN interface that was down. It' d be nice if PBR was smart enough to know if an interface was working or not...
Static Routes
edit 18
set device " VPN_SUR_4G_STA"
set distance 100
set dst 192.168.100.0 255.255.255.0
set priority 10
set weight 50
next
edit 21
set device " NS_VPN_TEST"
set distance 100
set dst 192.168.100.0 255.255.255.0
set weight 50
next
PBR
edit 23
set input-device " port1"
set src 192.168.30.0 255.255.255.0
set dst 192.168.100.0 255.255.255.0
set gateway 10.200.200.50
set output-device " NS_VPN_TEST"
next
edit 20
set input-device " port1"
set src 192.168.30.0 255.255.255.0
set dst 192.168.100.0 255.255.255.0
set gateway 10.200.200.38
set output-device " VPN_SUR_4G_STA"
next
-Richard
FGT110Cx2 HA A-P - 4.2.11
FGT 80C,60B,50B x 3,FWF50B - 4.2.11
FGT50B - 4.3.3
FGT40C x 2 - 4.3.7
FAMS
-Richard FGT110Cx2 HA A-P - 4.2.11 FGT 80C,60B,50B x 3,FWF50B - 4.2.11
FGT50B - 4.3.3 FGT40C x 2 - 4.3.7 FAMS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello,
I also use the dual wan, but without the PBR, just static routes.
(VPN iterface mode)
http://support.fortinet.com/forum/tm.asp?m=84932&p=2&tmode=1&smode=1
Bye
FGT 620B HA A-P 4.2.11
FGT 111C HA A-P 4.2.11
FGT 50B, 60C, 80C 4.2.11
FGT 50B, 80C 4.3.7
FGT 620B HA A-P 4.2.11 FGT 111C HA A-P 4.2.11 FGT 50B, 60C, 80C 4.2.11
FGT 50B, 80C 4.3.7
Related Posts
- access problems towards vpn s2s 223 Views
- Policy based routing to IPsec tunnel 208 Views
- Issues with Firewall Policies for RDP... 453 Views
- FortiGate SSL VPN 259 Views
- Fortigate with Mikrotik Site to site... 462 Views
Labels
-
FortiGate
6,588 -
FortiClient
1,313 -
5.2
801 -
5.4
639 -
FortiManager
570 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
337 -
FortiClient EMS
268 -
6.2
251 -
FortiMail
246 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
62 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
SNMP
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.