A customer of mine has got two separate internet connections for redundancy, both fiber (one 50mbit, one 10mbit). We've placed two 100Ds for routing and they now want redundancy on the IPSec VPN tunnel that goes to our datacenter (which also has two 100Ds).
The internet redundancy itself is configured with two static routes for 0.0.0.0/0 to the gateway of the provider, with a lower priority for the 50mbit line; this works as is.
I thought to do the same with the IPSec tunnels, so I created two tunnels, one for each provider. Below are the details:
Local IP: 220.127.116.11
Remote GW: 18.104.22.168
Outgoing Interface: WAN_Tele2
Local IP: 22.214.171.124
Remote GW: 126.96.36.199
Outgoing interface: WAN_KPN
I’ve created two routes for the remote subnet and given them the correct priorities so that the Tele2 line is used as a primary interface.
I’ve triple checked the Phase 1 and 2 settings on both ends; they are correct.
Now for the strange part. When the Tele2 line is UP, the KPN IPSec tunnel won’t come UP. I’ve checked the log and the following error messages come up:
logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action=negotiate remip=188.8.131.52 locip=184.108.40.206 remport=500 locport=500 outintf="WAN_KPN" cookies="da5a6859015431c0/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=negotiate_error reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"
As you can see, the FortiGate tries to connect to the Remote GW of the Tele2 interface over the KPN line, which isn’t going to work.
Shortly after that, I get the following log entry:
logdesc="progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=220.127.116.11 locip=18.104.22.168 remport=500 locport=500 outintf="WAN_KPN" cookies="c961a8fb7f030cd5/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="CBB-KPN" status=success init=local mode=main dir=outbound stage=1 role=initiator result=OK
This seems to be OK, but a Phase 2 is never initialized. Instead it just shows the first error message again (and then the second and so on).
As soon as I bring the Tele2 interface back up, the IPSec tunnel for the Tele2 line comes online and everything is working again.
I’ve also tried connecting both of the IPSec tunnels to the same remote GW; this didn’t work either. Both of the IPSec Remote GW IP addresses are on the WAN interface of my firewall in the datacenter.
How can I fix this issue? What is the correct configuration for such a setup?
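The configuration below is an added illustration, not the poster's own configuration or an answer confirmed by the thread. It shows the documented FortiOS pattern for two redundant interface-mode IPsec tunnels on the branch side: each phase1 is bound to its own WAN interface with `set local-gw`, so IKE for the KPN tunnel can only leave via WAN_KPN; DPD is set to `on-idle` so a dead tunnel is actually torn down; the backup phase1 uses `set monitor` to follow the primary; and two static routes to the remote subnet carry different priorities, with the lower value preferred. The tunnel name `CBB-KPN` comes from the log entry; `CBB-Tele2`, the phase2 names, the branch subnet 192.168.10.0/24, the remote subnet 10.0.0.0/24, the proposals and the PSK placeholder are assumptions, because the post does not give them.

```fortios
# Added example, not the original poster's config. Names, subnets, proposals
# and the PSK below are placeholders; local/remote gateway IPs are from the post.
config vpn ipsec phase1-interface
    edit "CBB-Tele2"
        set interface "WAN_Tele2"
        set local-gw 220.127.116.11
        set remote-gw 18.104.22.168
        set ike-version 2
        set proposal aes256-sha256
        set dpd on-idle
        set dpd-retryinterval 5
        set psksecret "REPLACE_WITH_PSK"
    next
    edit "CBB-KPN"
        set interface "WAN_KPN"
        set local-gw 22.214.171.124
        set remote-gw 126.96.36.199
        set ike-version 2
        set proposal aes256-sha256
        set dpd on-idle
        set dpd-retryinterval 5
        set monitor "CBB-Tele2"
        set psksecret "REPLACE_WITH_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "CBB-Tele2-p2"
        set phase1name "CBB-Tele2"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
    edit "CBB-KPN-p2"
        set phase1name "CBB-KPN"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
end
config router static
    edit 10
        set dst 10.0.0.0 255.255.255.0
        set device "CBB-Tele2"
        set priority 1
    next
    edit 11
        set dst 10.0.0.0 255.255.255.0
        set device "CBB-KPN"
        set priority 10
    next
end
```

Firewall policies from the LAN to both tunnel interfaces (and back) are still required and are not shown. On the datacenter side, where both remote gateway addresses sit on the same WAN interface, the two phase1 entries are distinguished by their own `set local-gw` values matching 18.104.22.168 and 126.96.36.199 and by the corresponding `set remote-gw` values; without that binding the firewall has no way to tie an incoming IKE exchange on a given address to the right tunnel, which is the kind of mismatch the "peer SA proposal not match local policy" message in the post reflects.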