gzarini
New Contributor

IPsec VPN for MPLS failover.

Hi, I have a little issue setting up my network.

I have an MPLS network provided by an ISP. This network has an HQ and 3 branches.

In the short term we're going to move our app servers to a DC, but keep AD/DNS/file server in HQ.

I need to create an IPsec tunnel between the branches and HQ to forward traffic in case the MPLS fails.

I need to route 3 networks between each branch and HQ; here is where I have my doubts.

Since I can only use static routes, I have a problem with how to handle traffic when the MPLS is down.

I thought about setting up DGD on the branches to check connectivity through the MPLS and send traffic over the VPN in case the MPLS fails.

I understand that what the FG does when a dead gateway is detected is stop sending traffic through that interface. On the HQ, how can I set up DGD or any kind of detection to check that the other side is unreachable?

I don't think I can use DGD on HQ because I need to check that three branches are down, but only one may be inaccessible.

I could really use some help.


Regards.

gschmitt
Valued Contributor

Uhm, I don't see the problem.


Make sure the Advanced Routing feature is enabled.

Add two static routes. Destination IP/Mask: the remote subnet

Device: MPLS connection / IPsec tunnel

Gateway: as needed for the MPLS connection / the IPsec tunnel doesn't need one

Distance: MPLS 10 / IPsec 11


Go to Router > Static > Settings

Create two link health monitors
</gg_replace>
<gr_replace lines="56" cat="clarify" orig="Name: Irrelevant">
Name: irrelevant

Name: Irrelevant

Interface: MPLS / IPsec

Gateway: MPLS as needed / IPsec 0.0.0.0


Health check: ping

Server: MPLS Gateway (or FGT Interface)

Check "Update Routing Table when Gateway Detection Status Changes"
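The same setup expressed in the FortiOS CLI, as an added example that is not part of the thread: the two static routes for one HQ subnet (MPLS preferred by distance, IPsec as backup) and the link monitor on the MPLS interface that withdraws the MPLS routes when the gateway stops answering pings. Interface names, tunnel name and all addresses are constructed placeholders; the CLI keys are the ones used by FortiOS 6.x link monitors and should be checked against the CLI reference for the firmware in use.

```text
# Branch FortiGate, failover for one HQ subnet (added example, constructed values).
config router static
    # Primary path: HQ LAN via the MPLS interface, lower distance wins.
    edit 1
        set dst 10.10.0.0 255.255.255.0
        set device "port2"            # interface facing the MPLS provider
        set gateway 192.0.2.1         # provider's MPLS gateway
        set distance 10
    next
    # Backup path: same HQ LAN via the route-based IPsec tunnel.
    # A tunnel interface is point-to-point, so no gateway is set.
    edit 2
        set dst 10.10.0.0 255.255.255.0
        set device "to-hq"            # phase1-interface name of the tunnel
        set distance 11
    next
end

config system link-monitor
    edit "mon-mpls"
        set srcintf "port2"
        set server "192.0.2.1"        # ping target: the MPLS gateway
        set gateway-ip 192.0.2.1
        set protocol ping
        set failtime 3                # consecutive failures before the link is marked down
        set recoverytime 3            # consecutive successes before it is marked up again
        set update-static-route enable   # remove static routes over port2 while the monitor is down
    next
end
```

Repeat the route pair for each of the three subnets; with the monitor down, the distance-10 routes disappear from the routing table and the distance-11 tunnel routes take over, and they are re-installed once the pings recover. Note what this does not give you: the monitor acts on the whole interface, so at a site where several remote networks share one MPLS interface, a single failed ping target withdraws every static route over that interface, which is the limitation the original poster raises for the HQ side.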


gzarini

Hi, thanks for the reply.

I can't do that since I only have one interface connecting to the MPLS.

If I do that, when one site is down the rest will automatically lose connection.

In the branches that's what I did, but in HQ I believe the updates have to be manual. This problem is solved with the implementation of a routing protocol, which I can't do since my ISP won't do it.


Regards.
