Gabishi94
New Contributor

Idea for VPN S2S design - 3 ISP to 2 ISP

Hi,

I need some ideas/help on how to create redundant SITE1-HQ VPN S2S connections to provide seamless failover in case of failure of any ISP link.

Here is a simple diagram:

[Image: FGT-CISCO-SIMPLE.png]


So there are two Cisco routers at the headquarters, each has its own ISP links, and there is an HSRP between these routers.

RVPN1 is the primary router, which has all VPNs active, and RVPN2 is the backup, where the tunnels are disabled, but are ready to go if RVPN1 fails.

All VPNs are created with crypto maps - IKEv2+IPSEC

 

On the other side, we have a site with 2xFortigate 200F soft:7.2.5, 3 Internet connections - each using different media: 1 fiber, 1 copper and 1 radio.

We need to connect Site_1 to HQ in such a way that in case of internet problems on any side there will be a smooth failover.

 

 

 

I have now set up 6 VPNs on the FortiGate: FIBER -> RVPN1-2, COPPER->RVPN1-2 and RADIO->RVPN1-2.

All static routes to remote locations have the same AD, but different priority.

The routes look as follows:

FIBER-RVPN1     AD 10 PRIO 1

COPP-RVPN1     AD 10 PRIO 2

RADIO-RVPN1    AD 10 PRIO 3

FIBER-RVPN2    AD 10 PRIO 4

COPP-RVPN2    AD 10 PRIO 5

RADIO-RVPN2   AD 10 PRIO 6

 

So I want to achieve smooth redundancy failover from fiber to copper and from copper to radio. In case HQ RVPN1 is down, I want Fiber to RVPN2 to be the first route.

 

Beyond that, there are also default static routes for my internet links:

via fiber AD 10 prio 1

via copper AD 10 prio 2

via radio AD 10 prio 3

 

I have configured a link-monitor for those three links so the routing table should update in case one of them is down. Do I also need to create link monitors for VPN interfaces?

But with all of that, I'm not sure if it will work well (probably not).

 

Any idea how I can do this a different way?

3 REPLIES
hbac
Staff

Hi @Gabishi94

 

Another way of doing this is to put the IPsec tunnels in an SD-WAN zone; this will reduce the number of routes and policies. However, you will need to start from scratch. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984...

 

 Regards, 

Gabishi94
New Contributor

Unfortunately, this is already a production FortiGate and I won't get a window to switch to SD-WAN.

Toshi_Esumi

Then you almost have to set up a routing protocol like eBGP between FGT and Ciscos and iBGP between Ciscos (FGTs are already in HA). With BGP, you can relatively easily manipulate the priorities for each tunnel once you set a metric like community: 1=FIBER, 2=CORP, 3=RADIO for FGT advertisement to Cisco, and 1=RVPN1, 2=RVPN2 for Cisco advertisement toward FGT.

Then on the receiving side, you can set local-preferences based on the community attached to each route.

 

I think you can find some examples for both FGT and Cisco separately on the internet.

 

<edit>By the way, SD-WAN on FGT covers just one direction or one side. You still need to set up something on the Cisco side to choose one path over the other somehow.

</edit>

 

Toshi
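
The community and local-preference scheme described in the reply above can be checked on paper before touching production. The following is an added example, not code from any poster in this thread: it models only the local-preference step of BGP path selection, uses the route labels from the original post (FIBER, COPP, RADIO), and the local-preference numbers are constructed assumptions.

```python
from itertools import combinations

# Community values as in the reply: link tag set by the FortiGate,
# router tag set by the Ciscos.
LINK_COMM = {"FIBER": 1, "COPP": 2, "RADIO": 3}
ROUTER_COMM = {"RVPN1": 1, "RVPN2": 2}

# Constructed local-preference tables (higher wins); values are assumptions.
LP_BY_ROUTER_COMM = {1: 200, 2: 100}      # router choice dominates
LP_BY_LINK_COMM = {1: 30, 2: 20, 3: 10}   # link choice breaks ties

# The six tunnels from the original post, as (link, router) pairs.
TUNNELS = [(link, router) for router in ROUTER_COMM for link in LINK_COMM]

def fgt_local_pref(tunnel):
    """FortiGate side: the link is known from the tunnel the BGP session
    runs over; the router comes from the community sent by the Cisco."""
    link, router = tunnel
    return LP_BY_ROUTER_COMM[ROUTER_COMM[router]] + LP_BY_LINK_COMM[LINK_COMM[link]]

def hq_local_pref(tunnel):
    """HQ side: the link comes from the community sent by the FortiGate;
    the router is the one that received the route (shared via iBGP)."""
    link, router = tunnel
    return LP_BY_LINK_COMM[LINK_COMM[link]] + LP_BY_ROUTER_COMM[ROUTER_COMM[router]]

def best_tunnel(pref, down=()):
    """Highest local-preference tunnel whose link and router are both up."""
    up = [t for t in TUNNELS if t[0] not in down and t[1] not in down]
    return max(up, key=pref, default=None)

def failover_table():
    """Tunnel chosen by each side for no failure, every single failure
    and every double failure of a site link or an HQ router."""
    elements = list(LINK_COMM) + list(ROUTER_COMM)
    rows = {}
    for n in range(3):
        for down in combinations(elements, n):
            rows[down] = (best_tunnel(fgt_local_pref, down),
                          best_tunnel(hq_local_pref, down))
    return rows

if __name__ == "__main__":
    for down, (fgt, hq) in failover_table().items():
        label = ",".join(down) or "-"
        print(f"down={label:<12} FGT->{fgt} HQ->{hq} symmetric={fgt == hq}")
```

Any row where the two sides disagree would mean asymmetric routing across the tunnels, which is worth ruling out before deploying the route-maps.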
