- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Partially-redundant IPsec tunnels via different IS...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Partially-redundant IPsec tunnels via different ISPs?
Good day,
I'm trying to understand, if it's possible to make FortiGate, connected by 2 ports to 2 different ISPs, to have parallel 2 VPN tunnels to the same remote gateway - each tunnel via another ISP. The "Partially-redundant route-based VPN example" page seems to explain similar scenario, but here's a detail I miss there:
FortiGate1 has two Internet-facing ports:
[ul]FortiGate2 has single Internet facing port, with IP 172.16.30.1.
The page instructs to configure 192.168.10.1 as default gateway (to 0.0.0.0/0). So IP of FortiGate2 is obviously reached via this next-hop.
Now let's assume that something in ISP1 broke down and the Tunnel1 is down. DPD will detect that, but I see nothing in this configuration that will tell FortiGate1 that now it needs to deliver IPsec packets to the next-hop of WAN2, 172.16.20.1.
There's nothing that can update the routing table of FortiGate1 to tell it that from now on the route to 172.16.30.1 lies via 172.16.20.1.
So how it's going to work?
Thanks,
Vladimir.
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I haven't found solution for this meanwhile, but if it's possible to add another address to the remote FortiGate2 (for this example let's say it's 172.16.30.2), then the solution is trivial:
[ul]config router static edit 1 set dst 172.16.30.1 255.255.255.255 set gateway 192.168.10.1 set device wan1 next edit 2 set dst 172.16.30.2 255.255.255.255 set gateway 172.16.20.1 set device wan2 next end
[ul]config vpn ipsec phase1-interface edit Tunnel1 set interface wan1 set peertype any set proposal aes256-sha256 set dpd on-idle set remote-gw 172.16.30.1 set psksecret ENC encryptedPreSharedKey1 next edit Tunnel2 set interface wan2 set peertype any set proposal aes256-sha256 set dpd on-idle set remote-gw 172.16.30.2 set psksecret ENC encryptedPreSharedKey2 next end
config vpn ipsec phase2-interface edit Tunnel1 set phase1name Tunnel1 set proposal aes256-sha256 next edit Tunnel2 set phase1name Tunnel2 set proposal aes256-sha256 next end
[ul]config system zone edit FortiGate2_zone set interface Tunnel1 Tunnel2 next end
[ul]Now if the (preferrable) tunnel fails, then DPD (or OSPF) will detect that, the logical interface will be marked as 'down', its routes will be removed from the routing table and all traffic will flow via the second tunnel.
Created on 03-27-2018 02:48 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now let's say that FortiGate1 isn't connected directly to both ISPs - these links are moved to some NAT router, behind which sits FortiGate1. The router has public IPs from both ISP and performs NAT on behalf of the FortiGate.
Then the setup will be different:
[ul]config system interface edit wan1 set vdom root set ip 192.168.10.2 255.255.255.0 set type physical set secondary-IP enable config secondaryip edit 1 set ip 192.168.10.3 255.255.255.0 next end next end
[ul]config vpn ipsec phase1-interface edit Tunnel1 set interface wan1 set local-gw 192.168.10.2 set peertype any set proposal aes256-sha256 set dpd on-idle set remote-gw 172.16.30.1 set psksecret ENC encryptedPreSharedKey1 next edit Tunnel2 set interface wan1 set local-gw 192.168.10.3 set peertype any set proposal aes256-sha256 set dpd on-idle set remote-gw 172.16.30.2 set psksecret ENC encryptedPreSharedKey2 next end
[ul]That's all.
Related Posts
- Getting Packet Drop issue on IPsec... 63 Views
- Force O365 (Outlook) connections to use... 73 Views
- Redundant dial-up VPN FG to FG 270 Views
- IP sec tunnel connection from fortiweb 191 Views
- no traffic in IPSEC vpn tunnel... 120 Views
Labels
-
FortiGate
6,715 -
FortiClient
1,336 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
344 -
FortiAP
342 -
FortiClient EMS
272 -
FortiMail
261 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
82 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
60 -
FortiProxy
46 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
SD-WAN
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
22 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.