mumbles202
New Contributor II

Setup backup vpn connection to HQ FGT

I currently have a firewall at HQ with a static IP and a dial-up VPN configuration for a remote site (the remote site initially had a DHCP WAN address), and that site is set to tunnel all traffic back through HQ.  If I'd like to move this to a configuration where that remote site (which now has a static WAN IP and is also getting a secondary ISP) is able to connect to the HQ FGT using either of its 2 ISPs and still do a route-all VPN, is this the best link to follow:

 

https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/432685/manual-redundant-vpn-configuratio...

 

and if so, would I also need to include the settings in the section "Creating a Backup IPsec Interface"?

Toshi_Esumi
SuperUser

If both sides have a static IP from ISPs, the easiest way to route all traffic from the remote site through HQ is to set a static route for HQ's IP (/32) from the ISP toward the wan interface at the remote FGT, then set the default route into the tunnel like below.

 

config router static
    edit 0
        set dst <HQ_public_IP> 255.255.255.255
        set gateway <remote_ISP's_GW_IP>
        set device <wan_interface>
    next
    edit 0
        set gateway <remote_ISP's_GW_IP>
        set device <VPN_interface_name>
    next
end

 

Then you can have just a main mode/static IPSec VPN between them.

 

Toshi

    

<edit>

For backup, you can do the same but you want to set another static default route into the secondary VPN with higher priority number (lower priority) static route like below.

 

config router static
    edit 0
        set gateway <2ndary_ISP's_GW_IP>
        set priority 10   # default is 0
        set device <2ndary_VPN_interface_name>
    next
end

 

Then you want to set "link monitor" through the primary VPN so that you can remove the primary default route when it goes down. You can find many examples for link monitor config in this forum, KB or on the internet.

 

Toshi_Esumi

I see one potential issue with this setup now if HQ has only one circuit with one IP from the ISP. On the remote FGT, there are two /32 parallel routes for the same destination through ISP1 and ISP2. I'm hoping that if you specify each wan interface in the IPsec phase1-interface config, it wouldn't go out through the opposite ISP's circuit. But I'm not sure now. Someone else might be able to tell for sure.

 

Toshi

mumbles202
New Contributor II

Thanks for the response.  So if we go w/ HQ being A.A.A.2 w/ a default gateway of A.A.A.1, and remote site is B.B.B.2 and C.C.C.2, you're saying to do something like this (after creating 2 vpns on each of the FGTs to account for all 3 IP addresses):

 

config router static
    edit 0
        set dst A.A.A.2 255.255.255.255
        set gateway B.B.B.1
        set device wan1
    next
    edit 2
        set gateway B.B.B.1
        set device vpn_to_HQ
    next
    edit 3
        set gateway C.C.C.1
        set priority 10
        set device vpn_to_HQ_backup
    next
end

 

to your point about the 2 /32 routes, would I be able to do something like this:

 

    edit 1
        set dst A.A.A.2 255.255.255.255
        set priority 10
        set gateway C.C.C.1
        set device wan2
    next

Toshi_Esumi

First, edit 0 is a magic number so that the FGT can find the next available number. There is no "edit 0" actually in the result after you configured them. That's why my example has all "edit 0". You can specifically configure 1, 2, 3 or above. But make sure those don't exist. Otherwise, it would just override.

 

I don't put "priority 10" on edit 1. Because if you do that, outgoing packets to A.A.A.2 always prefer wan1, and might never go out on wan2. I would leave "priority 0", which is the default, for both your "edit 0" and "edit 1".

 

Below is an expected outcome of routing table for two /32 to the same destination with priority 0 in "get router info routing-table all".

 

S     A.A.A.2/32 [10/0] via B.B.B.1, wan1
                 [10/0] via C.C.C.1, wan2

 

Then let "set interface wan1" or "set interface wan2" in the phase1-interface config choose which way to go out.

Toshi_Esumi

To have my own confidence, I tested a similar setup at home with two internet circuits after I came back home. It should work.

Only gotcha was you have to take care of returning routes on HQ FGT side toward remote as well. You need to have return static routes to both tunnels, but the secondary side needs to have "priority 10". Then set a mirror-image link monitor over the primary tunnel so that the primary return route would be removed when the primary goes down.

 

It's a little complicated without a routing protocol, although doable. In our regular cases I would set up BGP over the two tunnels and let BGP decide which path to use at a time. Or probably SD-WAN can handle all of this behind the scenes, although the mechanism would be similar to your static routes + link-monitor method. It uses policy routes instead.
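
Putting the pieces from Toshi's posts above together in one place (the two equal-priority /32 routes to HQ, the primary and priority-10 backup default routes into the tunnels, the phase1 "set interface" pinning of each tunnel to its own ISP, and the mirror-image return routes plus link monitor on the HQ side), as an added example; this is not config posted by anyone in the thread. It uses the thread's addressing (HQ A.A.A.2 behind A.A.A.1, remote B.B.B.2 and C.C.C.2 behind B.B.B.1 and C.C.C.1) and assumes the rest: the tunnel names, a 10.10.0.0/16 remote-site LAN, and 10.255.0.0/30 and 10.255.0.4/30 tunnel addressing so link-monitor has something to ping inside each tunnel. The phase2-interface entries (default 0.0.0.0/0 selectors on both ends for a route-all tunnel) and the firewall policies are left out. Syntax follows FortiOS 6.2, the release of the linked cookbook.

```fortios
# ===== Remote-site FGT: wan1 = B.B.B.2 (gw B.B.B.1), wan2 = C.C.C.2 (gw C.C.C.1) =====
# Assumed names/addresses: vpn_to_HQ, vpn_to_HQ_backup, 10.255.0.0/30 and 10.255.0.4/30 tunnel nets
config vpn ipsec phase1-interface
    edit "vpn_to_HQ"
        set interface "wan1"          # pins IKE/ESP for this tunnel to ISP1
        set ike-version 2
        set remote-gw A.A.A.2
        set psksecret <PSK>
    next
    edit "vpn_to_HQ_backup"
        set interface "wan2"          # pins the backup tunnel to ISP2
        set ike-version 2
        set remote-gw A.A.A.2
        set psksecret <PSK>
    next
end
config system interface
    edit "vpn_to_HQ"
        set ip 10.255.0.2 255.255.255.255
        set remote-ip 10.255.0.1 255.255.255.252   # gives link-monitor a target inside the tunnel
    next
    edit "vpn_to_HQ_backup"
        set ip 10.255.0.6 255.255.255.255
        set remote-ip 10.255.0.5 255.255.255.252
    next
end
config router static
    edit 1
        set dst A.A.A.2 255.255.255.255   # HQ public IP via ISP1 ...
        set gateway B.B.B.1
        set device "wan1"
    next
    edit 2
        set dst A.A.A.2 255.255.255.255   # ... and via ISP2, same distance and priority: both stay in
        set gateway C.C.C.1               # the RIB, and phase1 "set interface" picks one per tunnel
        set device "wan2"
    next
    edit 3
        set device "vpn_to_HQ"            # primary default route: everything into the primary tunnel
    next
    edit 4
        set device "vpn_to_HQ_backup"
        set priority 10                   # backup default route: used only once the primary is withdrawn
    next
end
config system link-monitor
    edit "mon_vpn_to_HQ"
        set srcintf "vpn_to_HQ"
        set server "10.255.0.1"           # HQ's tunnel-side address
        set protocol ping
        set update-static-route enable    # pulls routes on vpn_to_HQ out of the RIB while the probe fails
    next
end

# ===== HQ FGT: wan1 = A.A.A.2 (gw A.A.A.1); mirror image for the return path =====
config vpn ipsec phase1-interface
    edit "vpn_to_remote"
        set interface "wan1"
        set ike-version 2
        set remote-gw B.B.B.2
        set psksecret <PSK>
    next
    edit "vpn_to_remote_backup"
        set interface "wan1"
        set ike-version 2
        set remote-gw C.C.C.2
        set psksecret <PSK>
    next
end
config system interface
    edit "vpn_to_remote"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.252
    next
    edit "vpn_to_remote_backup"
        set ip 10.255.0.5 255.255.255.255
        set remote-ip 10.255.0.6 255.255.255.252
    next
end
config router static
    edit 10
        set dst 10.10.0.0 255.255.0.0     # remote-site LAN (assumed) back through the primary tunnel
        set device "vpn_to_remote"
    next
    edit 11
        set dst 10.10.0.0 255.255.0.0
        set device "vpn_to_remote_backup"
        set priority 10                   # lower preference until the primary return route is withdrawn
    next
end
config system link-monitor
    edit "mon_vpn_to_remote"
        set srcintf "vpn_to_remote"
        set server "10.255.0.2"           # remote's tunnel-side address
        set protocol ping
        set update-static-route enable
    next
end
```

The tunnel default routes carry no gateway because an interface-mode IPsec tunnel is point-to-point; the gateway is only needed on the /32 routes that steer IKE/ESP out the physical WAN ports. Verify with "get router info routing-table all": both A.A.A.2/32 entries should be listed with [10/0], the primary default route is active and the priority-10 backup sits beneath it, and "diagnose sys link-monitor status" shows the probe state. Link-monitor's failtime and recoverytime are left at their defaults here. You still need firewall policies with NAT off from the LAN to both tunnel interfaces on the remote FGT, and from both tunnel interfaces to wan1 with NAT on at HQ; keep the two link monitors symmetrical so the two ends do not end up preferring different tunnels.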

mumbles202

Thanks for this. I'm going to give this a try this week and see how it works.

mumbles202
New Contributor II

So I got this all working today with a slightly different configuration, and all is working well except for one issue.  With the default route going through the VPN, any "internal" devices on the remote side have internet as expected, but I'm not able to have a guest network that goes out locally.  I tried setting a policy route but that didn't seem to do the trick.

 

Any way to accomplish that as well?

Toshi_Esumi

You didn't mention the guest wifi before. Of course it wouldn't work, because there is no default route going directly out. Which circuit do you want to let them go out? If you put another static default route with priority 20, or something higher than the current second one, I think your policy route specifically for this traffic would go out by following that default route.

To make a policy route work, there needs to be a route (in this case a default route) existing toward the interface in the RIB. Try that and let us know.

 

Toshi
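
What Toshi describes, as an added example rather than config from the thread: a priority-20 default route out wan1 that never beats the tunnel defaults for normal traffic but is present in the RIB, a policy route that diverts only the guest subnet to it, and the firewall policy that lets that traffic out with NAT. The guest interface name "guest", the 10.20.0.0/24 guest subnet, and the choice of wan1 (B.B.B.1) as the breakout circuit are assumptions.

```fortios
config firewall address
    edit "guest_net"
        set subnet 10.20.0.0 255.255.255.0       # assumed guest subnet
    next
end
config router static
    edit 5
        set gateway B.B.B.1
        set device "wan1"
        set priority 20     # below the priority-0 tunnel default and the priority-10 backup, so
                            # ordinary traffic still goes into the VPN; this route exists so the
                            # policy route below has a matching route in the RIB for wan1
    next
end
config router policy
    edit 1
        set input-device "guest"                 # assumed guest interface name
        set src "10.20.0.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway B.B.B.1
        set output-device "wan1"
    next
end
config firewall policy
    edit 20
        set name "guest-internet-local"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "guest_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable                           # source-NAT guest traffic to B.B.B.2
    next
end
```

Check the policy route with "diagnose firewall proute list" and confirm with "get router info routing-table all" that the wan1 default route is in the table alongside the two tunnel defaults. Make sure there is no firewall policy from "guest" to the internal LAN or to either tunnel interface, so a guest client that does not match the policy route (or that spoofs a source outside 10.20.0.0/24) is dropped rather than routed into the VPN. If guests also need to survive a wan1 outage, add a second, lower-sequence-number policy route and a priority-20 default route for wan2 in the same shape.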

mumbles202

Thanks for the reply. The guest wireless was a curve ball that got thrown at me today. I have a static route in place for both ISPs with an AD of 10 and the tunnel-all route through the VPN with an AD of 5.
