This is what I have:
FortiGate on one site with a static WAN IP
FortiGate on the other side without a static WAN IP
What I need:
redundant IPSec Tunnel between those two FGT
What I tried:
1) S2S with DDNS on one site. Does not work, because S2S is by default negotiated by both sides, but since the other side is not always online and has no static IP, this would create dead ends on the side with the static IP. Disabling P1 auto-negotiation on that side prevents that, but unfortunately Fortinet failed here, because if you disable P1 auto-negotiation then the DDNS remote GW is also no longer updated. This means the tunnel would work until the next IP change on the dynamic side and then stop working. No workaround for that. So cannot use S2S.
2) Dial-ups with SD-WAN VPN zone. Does not have the problems mentioned above, because a dial-up on the site that is dialled into does not have a remote GW set. Unfortunately this also does not work, because Fortinet failed with the SD-WAN implementation of dial-up VPN, which means SD-WAN cannot correctly determine whether a dial-up is online or offline and due to that fails to change the member when one IPsec tunnel goes down and the other is up. There is no workaround for that. So cannot use it.
3) Dial-ups without SD-WAN VPN zone. Needs two dial-ups in the policy and redundant static routing. That would be fine, but unfortunately Fortinet failed the same way as in 2) with their routing daemon in FortiOS. It also cannot detect the correct link status of dial-up VPNs and due to that fails to bring up the correct route and take down the other. At least here there is a workaround: it will bring up the other route when you deactivate the existing one.
This is rather annoying, because that way it is redundant but always requires manual intervention on one side.
I feel rather frustrated about such bugs in hardware/software sold for such prices :(
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
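To make the third layout concrete, here is an added FortiOS CLI example of it. It is not from the original post or from Fortinet documentation; the interface names (wan1, wan2, internal), tunnel names, subnets and the pre-shared key placeholder are all assumptions, and it assumes the static site has two WAN interfaces with one static IP each so that the dynamic site can point one initiator tunnel at each. It only shows the layout the post describes (two dial-up phase 1s on the static side, two initiator phase 1s on the dynamic side, both tunnels in the firewall policy, and two static routes that differ only in priority); it does not change the route failover behaviour the post complains about, so the manual step described there still applies.

```fortios
# ---- Static-IP site (example config, all names/addresses assumed) ----
# Two dial-up phase 1s, one per WAN interface, so no peer ID is needed
# to tell them apart. net-device disable keeps a single tunnel interface
# per phase 1 so static routes can point at it.
config vpn ipsec phase1-interface
    edit "dial-a"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set psksecret PSK_PLACEHOLDER   # assumed placeholder, replace
    next
    edit "dial-b"
        set type dynamic
        set interface "wan2"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set psksecret PSK_PLACEHOLDER   # assumed placeholder, replace
    next
end
config vpn ipsec phase2-interface
    edit "dial-a-p2"
        set phase1name "dial-a"
        set proposal aes256-sha256
    next
    edit "dial-b-p2"
        set phase1name "dial-b"
        set proposal aes256-sha256
    next
end
# Both tunnels in one policy (option 3 in the post); 10.2.0.0/24 is the
# assumed LAN behind the dynamic site.
config firewall policy
    edit 0
        set name "vpn-in"
        set srcintf "dial-a" "dial-b"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Redundant static routes: same distance, different priority, so both
# stay in the table and the lower priority value is preferred.
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "dial-a"
        set distance 10
        set priority 1
    next
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "dial-b"
        set distance 10
        set priority 10
    next
end

# ---- Dynamic-IP site (example config, all names/addresses assumed) ----
# Two initiator tunnels, one to each static WAN IP of the other site
# (203.0.113.1 and 198.51.100.1 are assumed documentation addresses).
config vpn ipsec phase1-interface
    edit "tun-a"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.1
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set psksecret PSK_PLACEHOLDER   # assumed placeholder, replace
    next
    edit "tun-b"
        set interface "wan1"
        set ike-version 2
        set remote-gw 198.51.100.1
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set psksecret PSK_PLACEHOLDER   # assumed placeholder, replace
    next
end
config vpn ipsec phase2-interface
    edit "tun-a-p2"
        set phase1name "tun-a"
        set proposal aes256-sha256
        set auto-negotiate enable   # this side brings the tunnels up
    next
    edit "tun-b-p2"
        set phase1name "tun-b"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end
```

The firewall policy and the pair of static routes on the dynamic site mirror the static site (swap the tunnel names and use 10.1.0.0/24 for the assumed LAN behind the static site) and are left out to keep the example short. Since the dial-up side never has a remote-gw, nothing here depends on DDNS, which is the property the post relies on in options 2 and 3.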