Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Gabishi94
New Contributor

Idea for VPN S2S design - 3 ISP to 2 ISP

Hi,

I need some ideas/help on how to create redundant SITE1-HQ VPN S2S connections to provide seamless failover in case of failure of any ISP link.

Here is a simple diagram:

FGT-CISCO-SIMPLE.png

 

 

 

So there are two Cisco routers at the headquarters, each has its own ISP links, and there is an HSRP between these routers.

RVPN1 is the primary router, which has all VPNs active, and RVPN2 is the backup, where the tunnels are disabled, but are ready to go if RVPN1 fails.

All VPNs are created with crypto maps - IKEv2+IPSEC

 

On the other side, we have a site with 2xFortigate 200F soft:7.2.5, 3 Internet connections - each using different media: 1 fiber, 1 copper and 1 radio.

We need to connect Site_1 to HQ in such a way that in case of internet problems on any side there will be a smooth failover.

 

 

 

I have now set up 6 VPNs on the FortiGate: FIBER -> RVPN1-2, COPPER->RVPN1-2 and RADIO->RVPN1-2.

All static routers to remote locations have the same AD, but different priority.

The routes look as follows:

FIBER-RVPN1     AD 10 PRIO 1

COPP-RVPN1     AD 10 PRIO 2

RADIO-RVPN1    AD 10 PRIO 3

FIBER-RVPN2    AD 10 PRIO 4

COPP-RVPN2    AD 10 PRIO 5

RADIO-RVPN2   AD 10 PRIO 6

 

So I want to achieve smooth redundancy failover from fiber to copper and from copper to radio. In case where HQ rvpn1 is down I want to Fiber to RVPN2 be a first route.

 

Beyond that theres also default static router for my internet links:

via fiber AD 10 prio 1

via copper AD 10 prio 2

via radio AD 10 prio 3

 

I have configured a link-monitor for those three links so the routing table should update in case one of them is down. Do I also need to create link monitors for VPN interfaces?

But with all of that I'am not sure if it will works well (probably not)

 

Any Idea how can I do this different way?

3 REPLIES 3
hbac
Staff
Staff

Hi @Gabishi94

 

Another way of doing this is to put IPsec tunnels in an SDWAN zone, this will reduce number of routes and policies. However, you will need to start from scratch. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984...

 

 Regards, 

Gabishi94
New Contributor

Unfortunately, this is already a production fortigate and I won't get a window to switch to sdwan

Toshi_Esumi
Esteemed Contributor III

Then you almost have to set up a routing protocol like eBGP between FGT and Ciscos and iBGP between Ciscos (FGTs are already in HA). With BGP, you can relatively easily manipulate the priorities for each tunnel once you set a metric like community: 1=FIBER, 2=CORP, 3=RADIO for FGT advertisement to Cisco, and 1=RVPN1, 2=RVPN2 for Cisco advertisement toward FGT.

Then on receiving side, you can set local-preferences based on the community attached to each route.

 

I think you can find some examples for both FGT and Cisco separately on the internet.

 

<edit>By the way, SD-WAN on FGT covers just one direction or one side. You still need to set up something on Cisco side to choose one path over the other somehow.

</edit>

 

Toshi

Top Kudoed Authors