Good day,
I'm trying to understand if it's possible to make a FortiGate, connected by 2 ports to 2 different ISPs, have 2 parallel VPN tunnels to the same remote gateway, each tunnel via a different ISP. The "Partially-redundant route-based VPN example" page seems to explain a similar scenario, but here's a detail I miss there:
FortiGate1 has two Internet-facing ports:
FortiGate2 has a single Internet-facing port, with IP 172.16.30.1.
The page instructs to configure 192.168.10.1 as the default gateway (to 0.0.0.0/0). So the IP of FortiGate2 is obviously reached via this next-hop.
Now let's assume that something in ISP1 broke down and Tunnel1 is down. DPD will detect that, but I see nothing in this configuration that will tell FortiGate1 that it now needs to deliver IPsec packets to the next-hop of WAN2, 172.16.20.1.
There's nothing that can update the routing table of FortiGate1 to tell it that from now on the route to 172.16.30.1 lies via 172.16.20.1.
So how is it going to work?
Thanks,
Vladimir.
I haven't found a solution for this meanwhile, but if it's possible to add another address to the remote FortiGate2 (for this example let's say it's 172.16.30.2), then the solution is trivial:
config router static
    edit 1
        set dst 172.16.30.1 255.255.255.255
        set gateway 192.168.10.1
        set device wan1
    next
    edit 2
        set dst 172.16.30.2 255.255.255.255
        set gateway 172.16.20.1
        set device wan2
    next
end
config vpn ipsec phase1-interface
    edit Tunnel1
        set interface wan1
        set peertype any
        set proposal aes256-sha256
        set dpd on-idle
        set remote-gw 172.16.30.1
        set psksecret ENC encryptedPreSharedKey1
    next
    edit Tunnel2
        set interface wan2
        set peertype any
        set proposal aes256-sha256
        set dpd on-idle
        set remote-gw 172.16.30.2
        set psksecret ENC encryptedPreSharedKey2
    next
end
config vpn ipsec phase2-interface
    edit Tunnel1
        set phase1name Tunnel1
        set proposal aes256-sha256
    next
    edit Tunnel2
        set phase1name Tunnel2
        set proposal aes256-sha256
    next
end
config system zone
    edit FortiGate2_zone
        set interface Tunnel1 Tunnel2
    next
end
Now if the (preferable) tunnel fails, then DPD (or OSPF) will detect that, the logical interface will be marked as 'down', its routes will be removed from the routing table and all traffic will flow via the second tunnel.
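To make the failover behaviour described above concrete, here is an added, constructed model (not FortiOS code and not part of the original posts) that mimics the two behaviours the design relies on: longest-prefix-match route selection and the withdrawal of static routes whose egress interface is down. It replays the "ISP1 broken, DPD fails Tunnel1" event against both the single-address design of the original question and the two-address design of the reply. The remote LAN prefix 10.2.0.0/24 and the interface-state dictionaries are assumptions made for the example.

```python
"""Toy model of FortiGate static-route failover for the two designs in the thread.

Constructed example, not FortiOS code. It mimics two behaviours the reply
depends on: longest-prefix-match route selection, and removal of a static
route while its egress interface (here: a tunnel interface failed by DPD)
is down. The remote LAN 10.2.0.0/24 is an assumed value.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    dst: str            # destination prefix, e.g. "172.16.30.1/32"
    device: str         # egress interface (physical port or IPsec tunnel interface)
    gateway: str = ""   # next hop; empty for a point-to-point tunnel interface
    distance: int = 10  # administrative distance, lower wins among equal prefixes


def installed_routes(table, iface_up):
    """Routes actually present in the table: a static route is withdrawn while
    its device is down, which is what happens when DPD marks a tunnel down."""
    return [r for r in table if iface_up.get(r.device, False)]


def egress(table, iface_up, dst):
    """Longest-prefix match, ties broken by the lowest distance. Returns the
    device that carries a packet to dst, or None when no route covers it."""
    addr = ip_address(dst)
    matches = [r for r in installed_routes(table, iface_up) if addr in ip_network(r.dst)]
    if not matches:
        return None
    best = max(matches, key=lambda r: (ip_network(r.dst).prefixlen, -r.distance))
    return best.device


# Assumed remote LAN behind FortiGate2, reached through the tunnel zone.
REMOTE_LAN = "10.2.0.0/24"

# Design from the original question: one remote address, one default route.
SINGLE_ADDRESS = [
    Route("0.0.0.0/0", "wan1", gateway="192.168.10.1"),
    Route(REMOTE_LAN, "Tunnel1"),
]

# Design from the reply: one /32 per remote address, each pinned to its ISP,
# plus one route per tunnel interface into the remote LAN (Tunnel1 preferred).
TWO_ADDRESSES = [
    Route("172.16.30.1/32", "wan1", gateway="192.168.10.1"),
    Route("172.16.30.2/32", "wan2", gateway="172.16.20.1"),
    Route(REMOTE_LAN, "Tunnel1", distance=10),
    Route(REMOTE_LAN, "Tunnel2", distance=20),
]

ALL_UP = {"wan1": True, "wan2": True, "Tunnel1": True, "Tunnel2": True}
# ISP1 upstream is broken: the wan1 link itself stays up, so the default route
# stays installed, but DPD has already marked Tunnel1 down.
ISP1_BROKEN = {"wan1": True, "wan2": True, "Tunnel1": False, "Tunnel2": True}


def failover_report(table, before, after, dst):
    """Egress device for dst before and after the failure, for comparison."""
    return egress(table, before, dst), egress(table, after, dst)


if __name__ == "__main__":
    # Original design: 172.16.30.1 is still routed via wan1 after the failure, and
    # the remote LAN falls out of the tunnel zone onto the default route, so
    # nothing moves the IPsec traffic to wan2.
    print("single address, IKE peer  :", failover_report(SINGLE_ADDRESS, ALL_UP, ISP1_BROKEN, "172.16.30.1"))
    print("single address, remote LAN:", failover_report(SINGLE_ADDRESS, ALL_UP, ISP1_BROKEN, "10.2.0.10"))
    # Two-address design: Tunnel2's peer is always reached via wan2, and once the
    # Tunnel1 route is withdrawn the remote LAN route via Tunnel2 takes over.
    print("two addresses, Tunnel2 peer:", failover_report(TWO_ADDRESSES, ALL_UP, ISP1_BROKEN, "172.16.30.2"))
    print("two addresses, remote LAN  :", failover_report(TWO_ADDRESSES, ALL_UP, ISP1_BROKEN, "10.2.0.10"))
```

The model only tracks route installation and selection; it does not simulate IKE itself. Its point is the one the reply makes: with a dedicated /32 per remote address pinned to its own WAN port, the second tunnel's underlay path never depends on the first ISP, and the zone keeps forwarding once the failed tunnel's route is withdrawn.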
Created on 03-27-2018 02:48 AM
Now let's say that FortiGate1 isn't connected directly to both ISPs - these links are moved to some NAT router, behind which sits FortiGate1. The router has public IPs from both ISPs and performs NAT on behalf of the FortiGate.
Then the setup will be different:
config system interface
    edit wan1
        set vdom root
        set ip 192.168.10.2 255.255.255.0
        set type physical
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.168.10.3 255.255.255.0
            next
        end
    next
end
config vpn ipsec phase1-interface
    edit Tunnel1
        set interface wan1
        set local-gw 192.168.10.2
        set peertype any
        set proposal aes256-sha256
        set dpd on-idle
        set remote-gw 172.16.30.1
        set psksecret ENC encryptedPreSharedKey1
    next
    edit Tunnel2
        set interface wan1
        set local-gw 192.168.10.3
        set peertype any
        set proposal aes256-sha256
        set dpd on-idle
        set remote-gw 172.16.30.2
        set psksecret ENC encryptedPreSharedKey2
    next
end
That's all.