I support a client whose main office is connected to their datacentre through a fiber point-to-point link.
The P2P link, has a small /30 network on each side, on their Fortigate and traffic is routed between their main office and datacentre over the PwP link. Their main office and datacentre each have clustered Fortigates running 6.0.8 firmware.
There's failover VPNs on each cluster in the event of point-to-point failure (which has happened from time to time).
Their current setup will only ever failover to VPNs if there's a hard failure of some type which will almost never happen because the firewall connections are coming in through switch VLANs and those switch links never go down.
I wanted to look at setting up failover using Link Monitoring for their P2P and one of the VPNs on each side, but running into some difficulties and a ticket to TAC just confused me more :) In theory I think this should be fairly easy.
1) Add an IP to each side of the VPN.
2) Setup link-monitor to ping something on each side of the VPN and P2P.
3) Failover when this something fails.
A) On the VPN tunnel link, I can only assign a /32.
B) I can easily ping the interfaces on either side - so the tunnel is functioning. But what can I ping besides the interfaces to validate link? And if I do that - don't I also need to make the pings work over the P2P link?
C) There's already a link monitor on both firewalls monitoring WAN availability - will this other link-monitor interfere with this?
Thoughts? Maybe there's a better way to do this I haven't considered. I've thought about converting their WAN failover to SDWAN but there's a lot of work behind this due to the amount of NATs/Policies already in place on each side.
First of all, if you want to fail over a specific route (subnet(s)) from P2P to VPN, you just need to set up link monitor on P2P side only. Then you should always set a tunnel IP for any interface mode (route-base) IPsec.
For those three questions:
A) those /32 local/remote IPs are injected into your routing table (take a look at "get router info routing-t all") so it can route whatever IPs you choose. But in case another vendor's equipment is involved on the other end, it's recommended to pick IPs within /30, like 10.0.0.1/30 and 10.0.0.2/30 on the other end.
B) you should be able to ping the device in the destination subnet when you properly set up phase2 selectors to include the tunnel interface IP. But pinging the other end of tunnel IP is good enough to detect VPN down. It goes/comes through the tunnel, not outside of the tunnel.
C) WAN interface's link monitor is on the wan interface. Completely separated. Your new link-monitor on P2P interface is only for the P2P link.
There are at least three ways to set up fail-over like this.
Option 1) link-monitor with parallel static routes (different metrics like "priority"), which you've chosen
Option 2) routing protocol, like OSPF, BGP, etc.
Option 3) SD-WAN with wieight difference (I think the backupside needs to have "weight=0").
I don't see much difference between them in a simple datacenter connection like yours, unless there are many subnets located at the datacenter and they change quite often.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.