I currently have a firewall at HQ with a static ip and a dial-up vpn configuration for a remote site (remote site initially had a dhcp WAN address) and then that site is set to tunnel all traffic back through HQ. If I'd like to move this a configuration where that remote site (which now has a static WAN ip and is also getting a secondary ISP) is able to connect to the HQ FGT using either of it's 2 ISPs and still do a route all vpn, is this the best link to follow:
and if so, would I to also include the settings in the section "Creating a Backup IPsec Interface"
If both sides have a static IP from ISPs, the easiest way to route all traffic from the remote site through HQ is to set a static route for HQ's IP (/32) from the ISP toward the wan interface at the remote FGT, then set the default route into the tunnel like below.
config router static
edit 0
set dst <HQ_public_IP> 255.255.255.255
set gateway <remote_ISP's_GW_IP>
set device <wan_interface>
next
edit 0
set gateway <remote_ISP's_GW_IP>
set device <VPN_interface_name>
next
end
Then you can have just a main mode/static IPSec VPN between them.
Toshi
<edit>
For backup, you can do the same but you want to set another static default route into the secondary VPN with higher priority number (lower priority) static route like below.
config router static
edit 0
set gateway <2ndary_ISP's_GW_IP>
set priority 10 (default is 0)
set device <2ndary_VPN_interface_name>
next
end
Then you want to set "link monitor" through the primary VPN so that you can remove the primary default route when it goes down. You can find many examples for link monitor config in this forum, KB or on the internet.
I see one potential issue with this set up now if HQ has only one circuit with one IP from the ISP. On the remote FGT, there are two /32 parallel routes for the same destination through ISP1 and ISP2. I'm hoping if you specify each wan interface on the IPSec phase1-interface config, it wouldn't go out through the opposite ISP's circuit. But not sure now. Someone else might be able to tell for sure.
Toshi
Thanks for the response. So if we go w/ HQ being A.A.A.2 w/ a default gateway of A.A.A.1, and remote site is B.B.B.2 and C.C.C.2, you're saying to do something like this (after creating 2 vpns on each of the FGTs to account for all 3 IP addresses):
config router static
edit 0
set dst A.A.A.2 255.255.255.255
set gateway B.B.B.1
set device wan1
next
edit 2
set gateway B.B.B.1
set device vpn_to_HQ
next
edit 3
set gateway C.C.C.1
set priority 10
set device vpn_to_HQ_backup
next
end
to your point about the 2 /32 routes, would I be able to do something like this:
edit 1
set dst A.A.A.2 255.255.255.255
set priority 10
set gateway C.C.C.1
set device wan2
next
Created on 04-14-2022 05:47 PM Edited on 04-14-2022 05:51 PM
First, edit 0 is a magic number so that the FGT can find the next available number. There is no "edit 0" actually in the result after you configured them. That's why my example has all "edit 0". You can specifically configure 1, 2, 3 or above. But make sure those don't exist. Otherwise, it would just override.
I don't put "priority 10" on the edit1. Because if you do that, outgoing packets to AAA2 always prefer wan1, and might never go out to wan2. I would leave "priority 0" which is the default for both your "edit 0" a and edit 1.
Below is an expected outcome of routing table for two /32 to the same destination with priority 0 in "get router info routing-table all".
S A.A.A.2/32 [10/0] via B.B.B.1, wan1
[10/0] via C.C.C.1, wan2
Then let "set interface wan1 or wan2" in phase1-interface config to choose which way to go out.
Created on 04-14-2022 10:08 PM Edited on 04-14-2022 10:13 PM
To have my own confidence, I tested a similar set up at home with two internet circuits after came back home. It should work.
Only gotcha was you have to take care of returning routes on HQ FGT side toward remote as well. You need to have return static routes to both tunnels, but the secondary side needs to have "priority 10". Then set a mirror-image link monitor over the primary tunnel so that the primary return route would be removed when the primary goes down.
It's a little complicated without routing protocol although doable. I would set up BGP over two tunnels to let BGP decide to go which path at a time in our regular cases. Or probably SD-WAN can handle all of this behind the scene although the mechanism would be similar to your static routes + link-monitor method. It uses policy routes instead.
Thanks for this. I'm going to try to give this a try this week and see how it works.
So I got this all working today w/ a little bit different configuration and all is working well except for 1 issue. With the default route going through the vpn any "internal" devices on the remote side have internet as expected but I'm not able to have a guest network that goes out locally? I tried setting a policy route but that didn't seem to do the trick.
Any way to accomplish that as well?
Created on 04-21-2022 03:52 PM Edited on 04-21-2022 03:55 PM
You didn't tell about the guest wifi before. Of course it wouldn't work because there is no default route going directly out. Which circuit do you want to let them go out? I think if you put another static default route with priority 20 or something higher than the current second one, I think your policy route specifically for this traffic would go out by following the default route.
To make policy route work, there need to be a route (in this case a default route) existing toward the interface in RIB. Try that and let us know.
Toshi
Thanks for the reply. The guest wireless was a curve ball that gone thrown at me today. I have a static route in place for both ISPs with an AD of 10 and the tunnel all route through the VPN with a AD of 5.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.