Hi all,
I would like to know whether it is possible to keep IPsec VPN tunnels up when they are linked to the backup interface (WAN2) and the backup ISP.
I have an FGT60E with WAN1 (ISP 1) and WAN2 (ISP 2, backup). An IPsec tunnel to another FGT is connected on WAN1, and a different IPsec tunnel (needed as backup) to a different location is connected on WAN2.
In Static Routes, WAN1 has a lower distance (8) than WAN2 (10), and the tunnels linked to WAN2 are down. Is it possible to make them always up? Of course, the WAN2 interface is up.
I have enabled Auto-negotiate and Autokey Keep Alive.
When WAN1 goes down and WAN2 starts to pass traffic, the tunnels come up and send data with no problem.
Hi pieciaq,
If WAN2 route has worse admin distance, its route will not be active => IPsec tunnel on WAN2 will not have a route to the peer => tunnel will stay down.
You need the admin distances to be equal so that both routes are available. (but set WAN1's priority to a better value so that the primary WAN1 is used for all outgoing internet traffic, unless overridden by policy routes or SD-WAN rules)
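The static-route layout described in the answer above, as an added FortiOS CLI example that is not part of the original thread. The gateway addresses are documentation placeholders, and the route IDs, the shared distance of 10 and the priority values are assumptions chosen for illustration.

```fortios
# Added example: two default routes with EQUAL administrative distance,
# so both are installed in the routing table and the WAN2 tunnel can
# reach its peer. Priority (lower value is preferred) keeps WAN1 as the
# primary path for ordinary outbound traffic.
config router static
    edit 1
        set device "wan1"
        # placeholder gateway for ISP 1
        set gateway 192.0.2.1
        set distance 10
        # lower priority value: preferred route
        set priority 5
    next
    edit 2
        set device "wan2"
        # placeholder gateway for ISP 2 (backup)
        set gateway 198.51.100.1
        # same distance as wan1, so this route stays active
        set distance 10
        # higher priority value: used only as fallback
        set priority 10
    next
end

# Verification: both default routes should be listed as active,
# and the tunnel bound to wan2 should show as established.
get router info routing-table all
diagnose vpn tunnel list
```

With both routes active, check that firewall policies and any policy routes or SD-WAN rules still send traffic out of the intended interface, since WAN2 is now a valid egress path at all times.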
Copyright 2023 Fortinet, Inc. All Rights Reserved.