Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
gzarini
New Contributor

IPsec for MPLS failover.

Hi, I have a little issue setting up my network. I have an MPLS network provided by an ISP. This network has an HQ and 3 branches. In the short term we're going to move our app servers to a DC, but keep AD/DNS/Fileserver in HQ. I need to create an IPsec tunnel between the branches and HQ to forward traffic in case the MPLS fails. I need to route 3 networks between each branch and HQ, and here is where I have my doubts. Since I can only use static routes, I have a problem with how to handle traffic when the MPLS is down. I thought about setting up a DGD on the branches to check connectivity through MPLS and send traffic over the VPN in case MPLS fails. I understand that what FG does when a DGD is detected is stop sending traffic through that interface. On the HQ, how can I set up a DGD or any kind of detection to check that the other side is unreachable? I don't think I can use a DGD on HQ because I need to check that three branches are down, but only one can be inaccessible. I could really use some help.

Regards.

ede_pfau
Esteemed Contributor III

The remote side will always "see" the VPN being up, whether you send traffic over it (MPLS down) or not (MPLS up). So the only way I see to change routes in HQ based on events in a branch is to use a routing protocol. RIPv2, OSPF... whatever you know best or can learn quicker. Once set up it shouldn't be difficult to maintain.

There's a limit to usefulness for static routing or else there wouldn't be any routing protocols.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
gzarini

Thanks for your help.

I thought about using a routing protocol; in fact, I asked my ISP for implementation.

They answered it was impossible due to company security policies.

I guess the change has to be manual.

Regards.

ede_pfau
Esteemed Contributor III

So this is now not a technical problem anymore...good luck.


Ede

"Kernel panic: Aiee, killing interrupt handler!"