Hi,
I need some ideas/help on how to create redundant SITE1-HQ VPN S2S connections to provide seamless failover in case of failure of any ISP link.
Here is a simple diagram:
So there are two Cisco routers at the headquarters, each has its own ISP links, and there is an HSRP between these routers.
RVPN1 is the primary router, which has all VPNs active, and RVPN2 is the backup, where the tunnels are disabled, but are ready to go if RVPN1 fails.
All VPNs are created with crypto maps (IKEv2 + IPsec).
On the other side, we have a site with 2x FortiGate 200F (firmware 7.2.5) and 3 Internet connections, each using different media: 1 fiber, 1 copper and 1 radio.
We need to connect Site_1 to HQ in such a way that in case of internet problems on any side there will be a smooth failover.
I have now set up 6 VPNs on the FortiGate: FIBER -> RVPN1-2, COPPER -> RVPN1-2 and RADIO -> RVPN1-2.
All static routes to remote locations have the same AD, but different priority.
The routes look as follows:
FIBER-RVPN1 AD 10 PRIO 1
COPP-RVPN1 AD 10 PRIO 2
RADIO-RVPN1 AD 10 PRIO 3
FIBER-RVPN2 AD 10 PRIO 4
COPP-RVPN2 AD 10 PRIO 5
RADIO-RVPN2 AD 10 PRIO 6
So I want to achieve smooth redundancy failover from fiber to copper and from copper to radio. In case HQ RVPN1 is down, I want FIBER-RVPN2 to be the first route.
Beyond that, there is also a default static route for each of my internet links:
via fiber AD 10 prio 1
via copper AD 10 prio 2
via radio AD 10 prio 3
I have configured a link-monitor for those three links, so the routing table should update in case one of them is down. Do I also need to create link monitors for the VPN interfaces?
But with all of that I'm not sure if it will work well (probably not).
Any idea how I can do this a different way?
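The static-route layout described in the post, written out as FortiOS 7.2 CLI. This is an added illustration, not configuration from the original post or from Fortinet; the interface names, the HQ prefix 10.0.0.0/16, the ISP gateway 203.0.113.1 and the probe target 198.51.100.1 are assumptions. Equal `distance` keeps all six tunnel routes active in the routing table, and `priority` decides which one actually forwards; the link-monitor with `update-static-route enable` withdraws the routes bound to a WAN interface whose probe fails, which is what makes the default-route failover work.

```text
# FortiOS 7.2 CLI (added example; names and addresses are assumed)
config router static
    # Six routes to HQ, same distance (AD 10), priority 1..6 as in the post.
    # Repeat edit 2..6 with device COPP-RVPN1 / RADIO-RVPN1 / FIBER-RVPN2 /
    # COPP-RVPN2 / RADIO-RVPN2 and priority 2..6.
    edit 1
        set dst 10.0.0.0 255.255.0.0
        set device "FIBER-RVPN1"
        set distance 10
        set priority 1
    next
    # Default routes per ISP; repeat with wan-copper / wan-radio and priority 2 / 3.
    edit 11
        set gateway 203.0.113.1
        set device "wan-fiber"
        set distance 10
        set priority 1
    next
end
config system link-monitor
    # One monitor per ISP interface; repeat for wan-copper and wan-radio with
    # their own gateway-ip. When failtime consecutive probes fail, every static
    # route whose device is wan-fiber is removed until recoverytime probes succeed.
    edit "mon-fiber"
        set srcintf "wan-fiber"
        set server "198.51.100.1"
        set gateway-ip 203.0.113.1
        set protocol ping
        set failtime 3
        set recoverytime 3
        set update-static-route enable
    next
end
```

Check the result with `get router info routing-table all`: all six tunnel routes should appear with the same distance, and `diagnose sys link-monitor status` shows which ISP probes are currently alive.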
Hi @Gabishi94,
Another way of doing this is to put the IPsec tunnels in an SD-WAN zone; this will reduce the number of routes and policies. However, you will need to start from scratch. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984....
Regards,
Created on 08-31-2023 07:57 AM Edited on 08-31-2023 07:58 AM
Unfortunately, this is already a production FortiGate and I won't get a window to switch to SD-WAN.
Created on 08-31-2023 08:14 AM Edited on 08-31-2023 08:40 AM
Then you almost have to set up a routing protocol like eBGP between the FGT and the Ciscos, and iBGP between the Ciscos (the FGTs are already in HA). With BGP, you can relatively easily manipulate the priorities for each tunnel once you set a metric like a community: 1=FIBER, 2=COPPER, 3=RADIO for FGT advertisements to Cisco, and 1=RVPN1, 2=RVPN2 for Cisco advertisements toward FGT.
Then on the receiving side, you can set local-preference based on the community attached to each route.
I think you can find some examples for both FGT and Cisco separately on the internet.
<edit>By the way, SD-WAN on FGT covers just one direction or one side. You still need to set up something on the Cisco side to choose one path over the other somehow.</edit>
Toshi
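The community / local-preference scheme suggested above, worked out as configuration for both ends. This is an added example, not configuration from Toshi, the original poster or Fortinet; AS numbers (FGT 65001, HQ 65000), the /30 peering addresses on each tunnel, the router-ids and the prefixes are assumptions. It also assumes the BGP session can actually be carried inside each tunnel: on the FortiGate side the IPsec interfaces are route-based already, but the Cisco side uses crypto maps (policy-based), so the crypto ACLs must include the peering /30s, or the Cisco tunnels have to be converted to VTIs. The FGT tags each prefix with the transport it is sent over; the Cisco tags with the router it is sent from; each side then sets local-preference from the community it receives, reproducing the PRIO 1..6 order of the static-route design in both directions.

```text
# ===== FortiGate (Site_1), FortiOS 7.2 CLI (added example; values assumed) =====
# Peering: FIBER tunnel 169.254.1.0/30, COPPER 169.254.2.0/30, RADIO 169.254.3.0/30
# Cisco end .1, FGT end .2. RVPN2 tunnels use 169.254.11-13.0/30 the same way.
config router community-list
    edit "FROM-RVPN1"
        config rule
            edit 1
                set action permit
                set match "65000:1"
            next
        end
    next
end
config router route-map
    # Outbound: tag by transport. Repeat as OUT-COPPER (65001:2) and OUT-RADIO (65001:3).
    edit "OUT-FIBER"
        config rule
            edit 1
                set set-community "65001:1"
            next
        end
    next
    # Inbound: RVPN1-tagged paths get the high tier, anything else the low tier.
    # Repeat as IN-COPPER (500 / 200) and IN-RADIO (400 / 100), giving the order
    # FIBER-RVPN1 > COPP-RVPN1 > RADIO-RVPN1 > FIBER-RVPN2 > COPP-RVPN2 > RADIO-RVPN2.
    edit "IN-FIBER"
        config rule
            edit 1
                set match-community "FROM-RVPN1"
                set set-local-preference 600
            next
            edit 2
                set set-local-preference 300
            next
        end
    next
end
config router bgp
    set as 65001
    set router-id 10.1.0.1
    config neighbor
        # One neighbor per tunnel; the RVPN2 neighbors reuse the same route-maps.
        edit "169.254.1.1"
            set remote-as 65000
            set send-community standard
            set route-map-in "IN-FIBER"
            set route-map-out "OUT-FIBER"
        next
        edit "169.254.2.1"
            set remote-as 65000
            set send-community standard
            set route-map-in "IN-COPPER"
            set route-map-out "OUT-COPPER"
        next
        edit "169.254.3.1"
            set remote-as 65000
            set send-community standard
            set route-map-in "IN-RADIO"
            set route-map-out "OUT-RADIO"
        next
    end
    config network
        edit 1
            set prefix 10.1.0.0 255.255.0.0
        next
    end
end

! ===== Cisco RVPN1 (IOS) =====
! RVPN2 is identical except: set community 65000:2, local-preferences 30/20/10
! (so any RVPN1 path wins in iBGP while RVPN1 is up), router-id 10.0.0.2.
ip bgp-community new-format
ip community-list standard FIBER permit 65001:1
ip community-list standard COPPER permit 65001:2
ip community-list standard RADIO permit 65001:3
!
route-map FGT-IN permit 10
 match community FIBER
 set local-preference 300
route-map FGT-IN permit 20
 match community COPPER
 set local-preference 200
route-map FGT-IN permit 30
 match community RADIO
 set local-preference 100
!
route-map RVPN1-OUT permit 10
 set community 65000:1
!
router bgp 65000
 bgp router-id 10.0.0.1
 network 10.0.0.0 mask 255.255.0.0
 neighbor FGT peer-group
 neighbor FGT remote-as 65001
 neighbor FGT send-community
 neighbor FGT route-map FGT-IN in
 neighbor FGT route-map RVPN1-OUT out
 neighbor 169.254.1.2 peer-group FGT
 neighbor 169.254.2.2 peer-group FGT
 neighbor 169.254.3.2 peer-group FGT
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 next-hop-self
```

Because local-preference is carried over the iBGP session between RVPN1 and RVPN2, both HQ routers agree on the same return path regardless of which one currently holds the HSRP VIP. Failover then depends only on how fast a dead tunnel is detected, so keep DPD enabled on the phase 1s and use short BGP timers on the tunnel neighbors; verify with `get router info bgp summary` on the FGT and `show ip bgp` on the Ciscos that every prefix shows the expected community and local-preference before taking a link down.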