Routing over mixed fixed/dialup redundant VPN tunnels
I've created a hub-and-spoke IPsec VPN configuration for our company network with IPsec-protected OSPF using the Fortinet-recommended procedure (loopback addresses, tunnel-end addresses, binding the OSPF interface to the virtual IPsec interface, etc.). I need to use dynamic routing because the spokes each have a default route to break out to the internet locally and need to learn the routes to reach the rest of our internal network via the IPsec tunnels.
It all works well but I'm now adding redundancy to some spokes via 3G dialup. The 3G tunnel comes up fine when the primary tunnel fails, but OSPF routing doesn't work over the 3G tunnel, presumably because the hub end is not a static interface -- it's a dynamically created dialup interface -- so it can't be bound to OSPF in the normal way. To perhaps complicate things more, we're also about to add redundancy at the hub end by adding a secondary internet connection.
Does anyone know if IPsec-protected OSPF can be made to work with redundant dialup tunnels in this scenario? Would another routing protocol like BGP fare any better, especially as we add more complexity to our network?