Hi everyone,
I am writing to ask for advice regarding a configuration I am facing for a customer. The current situation is as follows:
The client has 13 stores and one headquarters. Each store is connected via IPsec VPN to the headquarters via a Mikrotik device. My proposal is to replace the current firewall on site with a Fortinet 91G, and configure the IPsec tunnels between the site and the various stores, keeping the Mikrotik devices in the stores (each with its own network class).
What I'm wondering is:
WAN failover: Is it possible to configure the Fortinet so that if the primary WAN goes down, the IPsec VPN tunnel automatically switches to the second (backup) WAN?
Simplifying IPsec Configuration: Is there a way to avoid creating individual IPsec VPN configurations for each store? I would like to know if there is a more efficient solution, such as using Dialup VPN mode.
Thanks in advance for the support! I hope I have been clear
ou can configure ADVPN for your topology, it will be very easy to configure and maintain.
Alos link fialover will work. Please find the below article as a reference.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Adding-New-Link-for-Redundancy-into-the-AD...
hello,
You can also configure you 13 stores as dialup client to the HQ
You put SD-WAN in title but no mention about it in the requirement descriptions. SD-WAN would be the most complex way needing to put two separate IPsecs into members of a zone and set up criteria to failover on both remote and head ends. Probably somebody else can explain how more in detail.
The second complex option would be to set up separate IPsecs and run a routing protocol such as BGP, OSPF, etc. You need to know the protocol and its configuration. The protocol would take care of failover on both remote and head ends. Arguably the cleanest option. ADVPN falls into this category.
The third option would be Backup IPsec with static routes (admin distance and blackhole).
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Implement-IPsec-Backup-Tunnel/ta-p/245084.
Only the forth option:IPsec Aggregate is NOT dealing with two separate IPsecs, but just one IPsec split to two paths. You might call it bonded together. Therefore I would consider the simplest.
https://docs.fortinet.com/document/fortigate/7.2.9/administration-guide/668885/packet-distribution-f...
Toshi
User | Count |
---|---|
2677 | |
1412 | |
810 | |
703 | |
455 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.