This is what I have:
Fortigate on Site with static WAN IP
Fortigate on other Side whout static WAN IP
What I need:
redundant IPSec Tunnel between those two FGT
What I tried:
1) S2S with ddns on one site. Does not work because S2S by default is negotiated by both sides but since other side is not allways online and has no static ip this would create dead ends on one the side with static ip. Disabling p1 autonegotiation on that side prevents that but unfortunately fortinet failed here because if you disable p1 autonegotation then also the ddns remote gw is no longer updated. This means the tunnel would work until the next ip change on the dynamic side and then stop working. No Workaround for that. So cannot use S2S
2) Dialups with SD-WAN VPN Zone. Does not have the problems mentioned above because a dial up on the site that is dialled in does not have a remote gw set. Unfortunately this also does not work because Fortinet failed with the SDWAN Implementation of dial up vpn which means SDWAN cannot correctly determine if a dialup is online or offline and due to that fails to change the member when one IPSec goes down and the other is up. There is no workaround for that. So cannot use it.
3) Dialups without SD-WAN VPN Zone. Needs two Dialups in the policy and redundant static routing. That would be fine but unfortunately Fortinet failed the same way as in 2) with their routing daemon in FortiOS. It also cannot detect the correct link status of dialup vpns and due to that fails to bring up the correct route and take down the other. At least here is a workaround: it will bring up the other route when you deactivate the existing one.
This is rather annoying bacause that ways it is redundant but always requires manual intervention on one side.
I feel rather frustrated about such bugs in hardware/software sold for such prices :(
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Thinking about it I think the root of all of this is the way FortiOS handles VPN connections:
S2S: one unique vpn interface on each side of the tunnel. So also Link status of that interface is unique and determainable.
Dialup: since it supports concurrent connections (without would be rather useless too) every dial up connection has to be enumerated as a speratate virtual interface. Since this is dynamic it cann of course not be used in the config of the FGT. So you have to point a static route or a sdwan member to the "base interface" of your dialup. So routing and sdwan can only look at the link status of that interface. Due to this I suppose that the Link status of this "base interface" of a dialup ipsec is always up and never changed.And that then would explain why sdwan and routing cannot determine which dialup tunnel interface is up and due to this do not change member or route when one goes down or up.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1634 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.